KnoxCrypt (formerly TeaSafe): An encrypted filesystem

What is it?
  • A tool for creating and browsing encrypted ‘boxes’ of data; similar to Truecrypt.
  • Supports lots of ciphers including AES-256.
  • Utilizes a million iterations of PBKDF2 for key derivation. Seems like a big number but probably overkill.
  • Can create sparse containers.
  • Sub-volume capability.
What’s with the name?

The name has stuck for historical reasons: a very early version used the XTEA cipher for encryption. I think the project could do with a better name though. Let me know if you have any suggestions. I renamed the project to knoxcrypt.


KnoxCrypt is highly developmental and therefore probably buggy. I make no guarentees as to the integrity of stored data. Neither do I guarantee 100% data security. Having said that, if you’re happy with the strength of AES-256 in CTR mode and with a key that has been derived using quite a few rounds of PBKDF2, then I think it should be fine. Take that as you will.


Note, only tested on Linux and Mac. With a bit of work, will probably build (sans fuse-bits) on windows too.


  • some of the boost headers and libraries to build (see makefile).
  • fuse for the main fuse layer binary (the binary ‘knoxcrypt’)
  • crypto++ headers and libraries for building and linking
  • cryptostreampp, a small set of headers allowing straight forward implementation of encrypted file streams (see

Before building anything, you’ll need to put the cryptostreampp headers somewhere. Easiest is to just clone the above mentioned cryptostreammpp repo. You’ll then need to set an environment variable pointing to them, e.g., from a bash prompt I might do something like:


If you don’t have fuse installed, you’ll probably want to only build the main knoxcrypt library (libknoxcrypt.a), the shell (teashell) and makeknoxcrypt, the binary used to make knoxcrypt containers. To build these, respectively:

make lib
make shell
make makeknoxcrypt
Note that building either of the binaries teashell or makeknoxcrypt will automatically build libknoxcrypt.a first.

make or make all will compile everything except the GUI, i.e., the following binaries:

test           : unit tests various parts of the main api
makeknoxcrypt  : builds knoxcrypt containers
knoxcrypt      : fuse layer used for mounting knoxcrypt containers
teashell       : shell utility used for accessing and modifying knoxcrypt containers

To build a KnoxCrypt container that uses AES256, with 4096 * 128000 bytes, use the makeknoxcrypt binary:

./makeknoxcrypt ./test.bfs 128000

For alternative ciphers, use the --cipher flag, e.g.:

./makeknoxcrypt ./test.bfs 128000 --cipher twofish

The available cipher options are aes, serpent, cast256, rc6, twofish, mars, camellia, rc5, shacal2 and null. Update 30/5/15: There are quite a few more than that these days. Have a look at the cryptostream headers if you’re so inclined.

Note that null disables encryption and thus provides no security. The default is aes.

Sparse containers can also be created, growing in size as more data are written to them. Just use the --sparse flag during creation, i.e.:

./makeknoxcrypt ./test.bfs 128000 --sparse 1

Now to mount it to /testMount via fuse, use the knoxcrypt binary:

./knoxcrypt ./test.bfs /testMount

Runs the interactive shell on it using the teashell binary:

./teashell ./test.bfs

Building the GUI

Update 30/5/16: If you’re a mac user, I highly recommend you try out KnoxCryptOSX – see Might be a little easier than trying to mess around with Qt compilation and sorting out of the library dependencies etc.

Having said that, the Qt GUI version…. (is currently broken with the recent name changes)

To build the GUI, first make sure that libknoxcrypt.a has been built by issuing the command make lib in the top-level build-folder.

The GUI uses Qt. Please download and install the latest version (Qt 5.3 at the time of writing) and open in QtCreator. Build and run by clicking on the build icon.

The GUI provides a simple interface to browsing and manipulating knoxcrypt containers.

knoxcrypt GUI


KnoxCrypt follows the BSD 3-Clause licence.

Top Contributors

benhj hasufell


-   v0.5b zip tar
-   v0.3 zip tar
-   v0.3c zip tar
-   v0.3b zip tar
-   v0.2 zip tar
-   v0.2e zip tar
-   v0.2d zip tar
-   v0.2c zip tar
-   v0.2b zip tar
-   v0.1 zip tar
-   v0.1b zip tar
-   0.5 zip tar