Secure your Obsidian vaults with post-quantum cryptography and Windows Hello biometric authentication.
ObsidianCrypt provides transparent, post-quantum resistant encryption for Obsidian vaults synchronized via Git. Files are automatically encrypted before commit and decrypted on checkout, with no impact on your normal Obsidian workflow.
- Post-Quantum Security: ML-KEM-1024 key encapsulation with AES-256-GCM-SIV
- Windows Hello Integration: Biometric authentication with TPM key derivation
- Transparent Git Integration: Clean/smudge filters with meaningful diffs
- Selective Encryption: File-level control via
.gitattributespatterns - Forward Secrecy: Per-file ephemeral keys with unlinkable encryption
Cryptographic Stack:
- Key Derivation: HKDF-SHA256 from Windows Hello biometric seed
- Asymmetric: ML-KEM-1024 for quantum-resistant key encapsulation
- Symmetric: AES-256-GCM-SIV via AesGcmSiv.Net for nonce-misuse resistance
- Authentication: Windows Hello + TPM attestation
System Components:
- Windows Service: Background authentication and crypto operations
- CLI Client: Command-line interface for testing and management
- Git Filters: Transparent encryption/decryption during git operations
- Obsidian Plugin: Vault management and service monitoring
- Named Pipe IPC: Secure service communication with protocol validation
Enhanced Security:
- TPM Key Sealing: Store ML-KEM private keys sealed in TPM
- Hardware Attestation: TPM-based proof of platform integrity
- Vault Sharing: Multi-user encrypted vaults with key distribution
- Commit Signing: Post-quantum signatures tied to user identity
Advanced Features:
- Cross-Platform: macOS (Touch ID) and Linux (FIDO2) support
- Streaming Encryption: Efficient handling of large attachments
- Backup Recovery: Secure key escrow with split secrets
- Enterprise Management: Centralized policy and key management
Current (v1.0):
- âś… Quantum adversaries (>128-bit post-quantum security)
- âś… Physical device access (TPM-derived keys)
- âś… Network interception (repository contains only encrypted data)
- âś… Biometric spoofing (Windows Hello liveness detection)
- âś… Nonce misuse attacks (GCM-SIV deterministic encryption)
Future (v2.0+):
- 🔄 Advanced persistent threats (TPM attestation)
- 🔄 Insider threats (hardware-backed audit logs)
- 🔄 Supply chain attacks (verified boot integration)
- Hardware: TPM provides root of trust for key material
- Platform: Windows Hello handles biometric authentication
- Service: Minimal attack surface with session-based keys
- Git: Repository contains only post-quantum encrypted content
- Windows 10/11 with Windows Hello biometric authentication
- TPM 2.0 chip (required for hardware key derivation)
- Git 2.30+ with filter support
- Obsidian 1.0+ for plugin integration
- .NET 9.0 Runtime (for service and CLI)
Note: AES-256-GCM-SIV cryptography is provided by the AesGcmSiv.Net NuGet package with no external dependencies.
Option 1: Winget Installation (Recommended)
# Install via Windows Package Manager
winget install ObsidianCrypt.ObsidianCrypt
# Verify installation
ObsidianCrypt.Client.exe status
ObsidianCrypt.Client.exe testOption 2: Manual Installation
# 1. Download and run the MSI installer as Administrator
# 2. Verify service is running
.\scripts\run-service.ps1 -Status
# 3. Test the installation
ObsidianCrypt.Client.exe status
ObsidianCrypt.Client.exe test
**Note**: The CLI client is self-contained and includes all required dependencies.
# 4. Configure git filters for your vault
cd C:\Users\YourName\Documents\ObsidianVault
git config filter.obsidian-crypt.clean 'powershell -File "C:\Program Files\ObsidianCrypt\GitFilters\obsidian-clean.ps1"'
# 5. Install Obsidian plugin (optional)
# The plugin is distributed separately and should be installed directly in Obsidian
# from the repository: https://github.com/willmortimer/ObsidianCrypt
git config filter.obsidian-crypt.smudge 'powershell -File "C:\Program Files\ObsidianCrypt\GitFilters\obsidian-smudge.ps1"'
git config diff.obsidian-decrypt.textconv 'powershell -File "C:\Program Files\ObsidianCrypt\GitFilters\obsidian-decrypt.ps1"'
# 5. Configure encryption patterns
echo "*.md filter=obsidian-crypt diff=obsidian-decrypt" >> .gitattributes
echo "*.canvas filter=obsidian-crypt diff=obsidian-decrypt" >> .gitattributes
# 6. Install Obsidian plugin (optional)
cp -r obsidian-plugin\ "C:\Users\YourName\AppData\Roaming\obsidian\plugins\obsidian-crypt\"- Setup: Install service and configure git filters
- Authenticate: Windows Hello prompts appear during git operations
- Work Normally: Obsidian sees decrypted files, git stores encrypted content
- Collaborate: Share encrypted repositories without exposing content
# Check service status and connectivity
ObsidianCrypt.Client.exe status
# Test encryption/decryption roundtrip
ObsidianCrypt.Client.exe test --text "Hello, World!" --path "test.md"
# Encrypt a file
ObsidianCrypt.Client.exe encrypt --input plaintext.md --output encrypted.bin --path "notes/file.md"
# Decrypt a file
ObsidianCrypt.Client.exe decrypt --input encrypted.bin --output decrypted.md --path "notes/file.md"
# Use with pipes (stdin/stdout)
echo "Secret content" | ObsidianCrypt.Client.exe encrypt --path "secret.md" > encrypted.bin
ObsidianCrypt.Client.exe decrypt --path "secret.md" < encrypted.bin# Development mode (console)
.\scripts\run-service.ps1
# Install as Windows service
.\scripts\run-service.ps1 -Install -Start
# Service control
.\scripts\run-service.ps1 -Stop
.\scripts\run-service.ps1 -Start
.\scripts\run-service.ps1 -Restart
.\scripts\run-service.ps1 -Status
# Production installer
.\deployment\service-installer.ps1 -Action Install
.\deployment\service-installer.ps1 -Action UninstallControl which files are encrypted via .gitattributes:
# Encrypt all notes and canvases
*.md filter=obsidian-crypt diff=obsidian-decrypt
*.canvas filter=obsidian-crypt diff=obsidian-decrypt
# Encrypt private directories
private/** filter=obsidian-crypt diff=obsidian-decrypt
personal/** filter=obsidian-crypt diff=obsidian-decrypt
# Exclude configuration and public files
.obsidian/** -filter
README.md -filter
public/** -filter# Git diffs show decrypted content automatically
git diff HEAD~1 notes/important.md
# View historical versions
git show HEAD~5:notes/important.md
# Log with content changes
git log -p --follow notes/important.mdMSBuild Integration:
- AES-GCM-SIV: Integrated via AesGcmSiv.Net NuGet package
- Dynamic Loading: Runtime library resolution with multiple fallback paths
- Path Resolution: MSBuild-generated constants eliminate hardcoded paths
- Cross-Platform: Library name detection for Windows/Linux/macOS
- Deployment Ready: Self-contained packages with all dependencies
Key Components:
src/ObsidianCrypt.Crypto/HKDFSHA256.cs: HKDF key derivation wrappersrc/ObsidianCrypt.Crypto/PQCrypto.cs: Post-quantum crypto implementationtests/Integration.Tests/TestPaths.targets: Automated path generation- All
.csprojfiles: Integrated MSBuild targets for consistent builds
Key Derivation Flow:
- Windows Hello biometric authentication
- TPM-attested seed derivation
- HKDF-SHA256 expansion to crypto keys
- Per-file ML-KEM ephemeral key generation
Encryption Process:
- Generate random ephemeral key
- Encapsulate with ML-KEM-1024 public key
- Derive file key from KEM shared secret
- Encrypt with AES-256-GCM-SIV (deterministic nonce)
- Sign entire structure with ML-DSA-87
File Format:
[Version: 1 byte]
[Algorithm ID: 1 byte]
[KEM Ciphertext: 1568 bytes]
[GCM-SIV Nonce: 12 bytes]
[Encrypted Data: variable]
[Auth Tag: 16 bytes]
[ML-DSA Signature: 4627 bytes]
[Metadata: variable]
- Encryption: ~50MB/s (AES-256-GCM-SIV hardware acceleration via AesGcmSiv.Net)
- Key Operations: ~1ms (ML-KEM-1024 encapsulation)
- Authentication: ~500ms (Windows Hello biometric verification)
- File Overhead: ~6.3KB constant + 0.1% size increase
- Service Startup: ~2-3 seconds (including TPM initialization)
- Memory Usage: ~15-25MB resident (scales with concurrent operations)
- Library Loading: ~20ms (AesGcmSiv.Net static initialization)
# Clone repository
git clone https://github.com/willmortimer/ObsidianCrypt.git
cd ObsidianCrypt
# Full build with tests (includes AesGcmSiv.Net integration)
.\scripts\build.ps1
# Build specific configuration
.\scripts\build.ps1 -Configuration Release -Verbose
# Run tests with coverage
.\scripts\test.ps1 -Coverage
# Run specific tests
.\scripts\test.ps1 -Filter "PQCrypto*"
# Package for deployment (self-contained with dependencies)
.\scripts\package.ps1MSBuild Integration: The build system automatically handles AesGcmSiv.Net package integration with no external dependencies.
# Initial development setup
.\scripts\dev-setup.ps1
# Run service in development mode
.\scripts\run-service.ps1
# Build Obsidian plugin
cd obsidian-plugin
pnpm install
pnpm run devPath Resolution: All components now use MSBuild-generated paths, eliminating hardcoded absolute paths and improving portability.
# Unit tests (crypto operations with AesGcmSiv.Net)
dotnet test tests\ObsidianCrypt.Crypto.Tests
# Integration tests (requires running service)
dotnet test tests\ObsidianCrypt.Service.Tests
# End-to-end tests (CLI and git workflow with MSBuild paths)
dotnet test tests\Integration.Tests
# Run all tests with service dependency check
.\scripts\test.ps1Test Improvements:
- Crypto tests now use AesGcmSiv.Net for simplified and reliable testing
- Integration tests use MSBuild-generated paths for CLI client location
- All tests are now portable and work across different development environments
- Security Issues: Report privately via [email protected]
- Feature Requests: Open GitHub issue with detailed use case
- Pull Requests: Include tests and documentation updates
- Code Style: Follow .NET coding conventions and security best practices
- Key Material: Never persisted to disk, exists only in memory during sessions
- Service Isolation: Runs with minimal privileges, automatic restart clears state
- Audit Logging: Authentication attempts and crypto operations logged
- Emergency Decrypt: Administrative override requires elevated privileges
- Platform Dependency: Currently Windows-only (macOS/Linux in roadmap)
- Hardware Requirements: Requires TPM 2.0 and biometric authentication
- Network Transparency: Encrypted content visible in git repositories
- Key Recovery: No key escrow mechanism (by design)
- Deployment: Requires .NET 8.0 Runtime (self-contained option available)
- Post-Quantum Security: Based on lattice problems (ML-KEM) and hash security
- Hardware Trust: TPM provides secure key derivation and attestation
- Implementation Security: AesGcmSiv.Net provides constant-time operations
- Protocol Security: Authenticated encryption prevents tampering
MIT License - see LICENSE file for details.
Service won't start:
# Check Windows Hello is configured
# Verify TPM 2.0 is enabled in BIOS
# Run as Administrator:
.\scripts\run-service.ps1 -StatusGit filters not working:
# Verify service is running
ObsidianCrypt.Client.exe status
# Check git filter configuration
git config --list | findstr obsidian-crypt
# Test filters manually
echo "test" | powershell -File "C:\Program Files\ObsidianCrypt\GitFilters\obsidian-clean.ps1"CLI connection timeouts:
# Check if service is running
net start | findstr ObsidianCrypt
# Restart service
net stop ObsidianCrypt
net start ObsidianCrypt- Large files: Use streaming for files >10MB
- Batch operations: Process multiple files in single session
- Memory usage: Service automatically manages crypto key lifecycle