// project :: secure_file_encryption_system

SecureFile
AES-256-GCM File Encryption & Decryption
Web · CLI · GUI — Triple Platform

A production-grade file encryption system protecting documents, images, and videos with AES-256-GCM authenticated encryption, PBKDF2-SHA256 key derivation, and a hacker-aesthetic web interface — available across Web, CLI, and Tkinter GUI platforms.

AES-256-GCM Python / Flask Tkinter GUI CLI Tool PBKDF2-SHA256 600K Iterations AEAD Cipher 256-bit Salt Documents Images / Videos Live Demo
M.Sc. Project — Dr. MGR Education and Research Institute
256Bit Key Size
600KKDF Iterations
3Platforms
500MBMax File Size
20+File Formats
0Passwords Stored

Project Overview

The exponential growth of digital data has made file-level encryption a critical need for individuals and professionals handling sensitive documents, medical records, and private media. SecureFile is a multi-platform encryption system that brings military-grade security to everyday file protection through an accessible interface.

The system uses AES-256-GCM — an Authenticated Encryption with Associated Data (AEAD) cipher — ensuring that files are not only encrypted but also protected against tampering. Key derivation uses PBKDF2-HMAC-SHA256 with 600,000 iterations (NIST SP 800-132 compliant), making brute-force attacks computationally infeasible even against modern GPUs. Each file receives a unique 256-bit random salt and 96-bit nonce, eliminating rainbow table and precomputation attacks entirely.

The system is available in three deployment modes: a Flask web application for browser-based access, a Python CLI tool for terminal workflows and scripting, and a Tkinter GUI application for offline desktop use. All three share the same cryptographic core — the custom binary .secf format.

Keywords: AES-256-GCM · PBKDF2-SHA256 · AEAD Encryption · File Security · Python · Flask · Tkinter · Cross-Platform

Why SecureFile?

⚠ Problem

Most users store sensitive files — tax documents, medical records, private photos — as plain, unprotected data on local disks and cloud storage. Existing tools like ZIP encryption use weak RC2/ZipCrypto, and commercial solutions are expensive, proprietary, or require internet access for every operation.

✓ Solution

SecureFile provides free, open-source, offline-capable AES-256-GCM encryption accessible to non-technical users via a web UI, power users via CLI, and desktop users via GUI — all with the same NSA-Suite-B grade cryptographic core and zero password storage.

Limitations of Existing Solutions

❌  ZIP / 7-Zip uses weak or legacy cipher modes
❌  No authentication tag — tampering undetected
❌  Cloud tools require internet & account sign-in
❌  Commercial apps store encryption keys server-side
❌  No CLI for scripting & automation workflows
❌  Static salt / nonce reuse vulnerabilities
❌  Low KDF iteration counts (MD5-based or <10K PBKDF2)
❌  No cross-platform support (Web + Desktop + CLI)

Technology Stack

Software Requirements

🐍
Python
3.8+ Required
🔥
Flask
v3.0+
🔐
cryptography
v42.0+ (PyCA)
🪟
Tkinter
GUI / Stdlib
🌐
HTML5 / CSS3
Web Frontend
🔑
AES-256-GCM
AEAD Cipher
🧂
PBKDF2-SHA256
NIST SP 800-132
🎨
CSS Variables
Dark Hacker UI
📦
Werkzeug
v3.0+ Secure FS
🖥️
Linux / Windows
Cross-Platform

Hardware Requirements

⚙️
CPU
Any modern CPU
PBKDF2 runs in ~0.5s
💾
RAM
Min: 512 MB
Rec: 2 GB+
💿
Storage
~2× file size temp
SSD recommended
🌐
Network
Web: TCP 5000
CLI/GUI: Offline OK

System Architecture

// encryption_pipeline

📁
Input File
Any format
🧂
Salt + Nonce
256-bit / 96-bit
🔑
PBKDF2
600K iterations
🔐
AES-256-GCM
AEAD Encrypt
📄
.secf Output
Binary bundle

// three_platform_modes

🌐
Web Interface
Flask + HTML/CSS/JS
+
💻
CLI Tool
Python argparse
+
🪟
GUI Desktop
Tkinter + threading
=
🔐
Shared Core
Same crypto engine

.secf Binary File Format

32 BYTES SALT PBKDF2 salt
256-bit random
12 BYTES NONCE GCM nonce/IV
96-bit random
4 BYTES AAD LEN Metadata length
big-endian uint32
N BYTES AAD JSON metadata
filename + ext + size
REST + 16B TAG CIPHERTEXT + AUTH TAG AES-256-GCM encrypted payload with 128-bit GHASH authentication tag

All cryptographic parameters are self-contained — no external key files or configuration needed for decryption

Cryptographic Defence Layers

01
Key Derivation — PBKDF2-HMAC-SHA256

Password is never used directly as a key. PBKDF2 stretches and strengthens it using 600,000 iterations of HMAC-SHA256 with a unique 256-bit random salt. Generating 1 billion password guesses at this iteration count would take ~years on modern GPUs.

02
Encryption — AES-256-GCM (AEAD)

Galois/Counter Mode transforms plaintext into ciphertext using a 256-bit key and 96-bit nonce. Unlike CBC mode, GCM simultaneously produces a 128-bit authentication tag — decryption fails immediately if even one byte is modified, providing confidentiality and integrity in a single pass.

03
Salt Uniqueness — Per-File 256-bit Random Salt

Each encryption generates a cryptographically random 256-bit salt via secrets.token_bytes(32). This guarantees that encrypting the same file twice with the same password produces completely different ciphertext, defeating rainbow table and precomputation attacks.

04
Nonce Uniqueness — 96-bit Random IV

A fresh 96-bit nonce (initialisation vector) is generated per encryption using a CSPRNG. Reusing a nonce under the same key in GCM mode would be catastrophic — SecureFile eliminates this entirely with per-file random generation.

05
Authenticated Metadata — Additional Authenticated Data (AAD)

File metadata (original filename, extension, size) is stored as AAD — authenticated by the GCM tag but not encrypted. Any modification to the filename or size within the .secf file causes decryption to fail, preventing metadata spoofing attacks.

Implementation Modules

🌐

Module 1: Flask Web Application

REST API backend with /api/encrypt and /api/decrypt endpoints. Supports multipart file upload up to 500 MB. Files are processed in-memory and auto-deleted from server after download. Werkzeug secure_filename sanitization prevents path traversal.

🔐

Module 2: AES-256-GCM Crypto Core

Shared cryptographic engine using PyCA cryptography library. PBKDF2 key derivation with 600K iterations, CSPRNG salt/nonce generation, AESGCM encryption/decryption with AAD binding. Used identically across all three platforms.

💻

Module 3: CLI Tool (securefile_cli.py)

Full-featured argparse CLI with encrypt, decrypt, and info subcommands. Secure getpass() password prompting, ANSI colour output, progress feedback, and --delete-original flag. Exit codes 0/1 for shell scripting compatibility.

🪟

Module 4: Tkinter GUI (securefile_gui.py)

Dark-themed desktop application with non-blocking threading for large files. File chooser dialogs, password strength meter, real-time operation log, and ttk progress bar. Supports encrypt/decrypt mode toggle with context-appropriate file filters.

🎨

Module 5: Web UI (Hacker Aesthetic)

Single-file CSS design system with scan-line animation, CSS grid background, animated password strength bar, drag-and-drop zone, terminal operation log, and real-time fake progress indicator. Zero framework dependencies — pure HTML/CSS/JS.

📄

Module 6: .secf Format Engine

Custom binary container packing salt (32B) + nonce (12B) + AAD length (4B) + AAD metadata (JSON) + GCM ciphertext+tag. The info command reads metadata without decryption. Format is fully self-describing — all parameters embedded.

Core: AES-256-GCM Encrypt Function

# Python / app.py — Shared cryptographic core def encrypt_file(file_path: Path, password: str) -> dict: salt = secrets.token_bytes(32) # 256-bit CSPRNG salt nonce = secrets.token_bytes(12) # 96-bit GCM nonce key = derive_key(password, salt) # PBKDF2-SHA256 × 600,000 aad = json.dumps({ # Authenticated metadata (not encrypted) "filename": file_path.name, "extension": file_path.suffix.lower(), "size": len(plaintext) }).encode() aesgcm = AESGCM(key) ciphertext = aesgcm.encrypt(nonce, plaintext, aad) # ciphertext + 128-bit tag # Pack: [salt:32][nonce:12][aad_len:4][aad:N][ciphertext+tag] aad_len = len(aad).to_bytes(4, 'big') encrypted_data = salt + nonce + aad_len + aad + ciphertext

Web API Endpoints

Encryption Endpoints

EndpointMethodAuth
/api/encryptPOSTNone
/api/decryptPOSTNone
/api/supported-formatsGETNone

Download Endpoints

EndpointMethodReturns
/api/download/encrypted/<name>GET.secf file
/api/download/decrypted/<name>GETOriginal file

Standards & References

FIPS 197

AES Standard (NIST)

NIST SP 800-38D

GCM Mode Specification

NIST SP 800-132

PBKDF Key Derivation

RFC 2898

PBKDF2 Specification

PyCA Cryptography

Python Crypto Library

MIT License

Open Source — Free to Use

Testing & Results

~0.5sKey Derivation600K PBKDF2 rounds
<2s100MB File Enc.AES-256-GCM speed
+48BSize Overheadsalt + nonce + tag
10/10Test CasesAll passed ✓

Unit Test Results — All Passed

Test CaseModuleExpectedResult
TC-01: Encrypt PDFCrypto Core.secf file producedPASS
TC-02: Decrypt .secfCrypto CoreOriginal file restoredPASS
TC-03: Wrong PasswordGCM AuthValueError raisedPASS
TC-04: Tampered FileGCM Auth TagDecryption rejectedPASS
TC-05: Encrypt Image (PNG)Web API.secf download servedPASS
TC-06: Encrypt Video (MP4)Web API500MB handled correctlyPASS
TC-07: CLI encrypt + decryptCLI ModuleRound-trip identicalPASS
TC-08: CLI info commandCLI ModuleMetadata shown, no passwordPASS
TC-09: GUI encrypt threadGUI ModuleNon-blocking, progress shownPASS
TC-10: Unique salt per fileCrypto CoreDifferent ciphertext each runPASS

vs. Existing Encryption Tools

FeatureSecureFile7-Zip AESVeraCryptGPG
AES-256-GCM (AEAD)✗ (CBC)✗ (XTS)✗ (CFB)
Tamper Detection✓ GCM TagPartial
600K PBKDF2 Iterations✗ (<1K)Configurable
Web Browser Interface
CLI + GUI + Web✓ All 3CLI + GUIGUI onlyCLI only
No Installation (Web)
Open Source & Free✓ MIT✓ LGPL✓ Apache✓ GPL
Self-Describing Format✓ .secfPartial

Get Started

WEB APP 🌐

Flask Web Interface

Full drag-and-drop UI. Encrypt and download files directly in your browser. No installation — just run and visit localhost.

$ git clone https://github.com/
  senthilnathan1730/secure_file
$ pip install -r requirements.txt
$ python app.py
http://localhost:5000
CLI TOOL 💻

Command-Line Interface

For terminal power users and automation. Three subcommands: encrypt, decrypt, info. Script-friendly exit codes and batch processing.

$ python securefile_cli.py encrypt report.pdf
$ python securefile_cli.py decrypt report.secf
$ python securefile_cli.py info report.secf
DESKTOP GUI 🪟

Tkinter GUI App

Offline desktop application. Dark themed with file chooser dialogs, strength meter, operation log, and threaded processing for large files.

$ pip install cryptography
$ python securefile_gui.py

⚠ Important Security Note

🔑  Passwords are NEVER stored. A lost password means permanent data loss. Use a strong, memorable passphrase and store it in a password manager.

🗑️  Web: Files are auto-deleted from server immediately after download. No data is retained. CLI/GUI: files stay local only.

🔄  Each encryption is unique. Encrypting the same file twice produces different .secf output due to fresh salt + nonce generation.

✅  GCM guarantees integrity. If the encrypted file is corrupted or tampered with, decryption fails with a clear error — no silent data corruption.

Contact