v0.1.2 — Apache 2.0
Your files
become ghosts.
Encrypt any folder on your drive. No account. No server. Your key, your data. A CLI-first encryption protocol built in Rust.
Scroll
Encrypt any folder on your drive. No account. No server. Your key, your data. A CLI-first encryption protocol built in Rust.
What happens
Your files, your folder structure, your filenames — replaced with opaque binary blobs. Useless without the passphrase.
Architecture
From batch folder encryption to transparent real-time file access — GhostIT operates at the depth your workflow requires.
Encrypt or decrypt an entire folder in one pass. Safe in-place mode with round-trip verification — originals aren't touched until the copy is proven.
Operate on individual files inside an encrypted vault. Plaintext exists only in memory — never written to disk. The folder stays encrypted at all times.
Native integration with Claude Code and any MCP-compatible tool. The passphrase is held in server memory — never enters the conversation.
Threat model
GhostIT is built for one thing: making your data useless to anyone who isn't you.
Device theft or loss
Someone gets the machine, browses the drive. Sees nothing but .ghost blobs and binary noise.
Cloud sync exposure
iCloud, Dropbox, Google Drive — they sync plaintext. With GhostIT, they sync encrypted blobs.
Unauthorized local access
Other users on the machine, malware scanning your documents, forensic recovery tools.
Legal compulsion
Can't hand over what you can't decrypt. No server, no account, no third party holds your key.
Before you install
There is no reset. There is no backdoor. There is no support ticket. This is the design.
Under the hood
Encryption
XChaCha20-Poly1305
Key derivation
Argon2id
File format
.ghost — GHST magic bytes
Filename obfuscation
SHA-256 hash of path + salt
Language
Rust
Min passphrase
12 characters — enforced at crypto layer
Get started
Homebrew (macOS & Linux)
Quick start
Open source. Open format. Your key, your data, your ghost.