Initial commit

This commit is contained in:
rpriven 2025-12-31 19:44:07 -07:00
commit 319efece5f
Signed by: djedi
GPG key ID: D04DED574622EF45
26 changed files with 3594 additions and 0 deletions

25
.gitignore vendored Normal file

@ -0,0 +1,25 @@
# Temp files
*.tmp
*.log
*.swp
*~
# OS files
.DS_Store
Thumbs.db
# Editor files
.vscode/
.idea/
*.sublime-*
# Test downloads
downloads/
*.deb
*.rpm
*.tar.gz
*.zip
# Local testing
test-*
scratch/
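Review bot: the `test-*` pattern under "# Local testing" is broader than the comment suggests; it also ignores any committed test asset a contributor later names with that prefix (a `test-install.sh`, a `test-data/` fixture), and nothing will warn them. Scope scratch work to a prefix that no real file uses (for example `local-*`) or keep it under the already-ignored `scratch/`. The package patterns (`*.deb`, `*.rpm`, `*.tar.gz`, `*.zip`) are worth keeping: a stale downloaded package checked into the repo could end up installed without the verification steps the README requires.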

127
APT-TOOLS-VERSIONS.md Normal file

@ -0,0 +1,127 @@
# APT-Based Privacy Tools - Version Info
## ✅ Current Versions (Debian Trixie)
Based on check: 2025-11-12
### OnionShare
- **Debian Version**: 2.6.3-1 ✅
- **Latest Upstream**: v2.6.3 (2025-02-25)
- **Status**: **UP TO DATE** 🎉
- **Recommendation**: Use apt version
### Tor
- **Debian Version**: 0.4.8.16-1
- **Latest Stable**: 0.4.8.x series
- **Status**: Current stable release
- **Recommendation**: Debian apt is fine for most users
- **Advanced**: Use Tor Project's repo for absolute latest
### torsocks
- **Debian Version**: 2.5.0-1
- **Status**: Stable, mature project (slow release cycle)
- **Recommendation**: apt version is fine
### Other Tools
| Tool | Debian Version | Notes |
|------|---------------|-------|
| keepassxc | Latest in Trixie | Well-maintained in Debian |
| mat2 | Current | Part of Tails, actively maintained |
| exiftool | Latest | Perl module, stable |
| bleachbit | Current | Regular Debian updates |
| firejail | Latest stable | Security-focused, backported updates |
| age | Current | Simple tool, infrequent updates needed |
| sherlock | Packaged | Python tool |
## 🎯 Recommendations
### Use APT for:
✅ OnionShare (currently up to date!)
✅ tor (unless you need bleeding edge)
✅ torsocks
✅ All other privacy tools listed
✅ Automatic security updates via apt
### Consider Upstream for:
⚠️ Tor Browser - Use Tor Project's official package
⚠️ Signal Desktop - Use official Signal .deb repo
⚠️ Tools requiring latest features
## 📦 Installation
**Simple one-liner for all APT tools:**
```bash
cd ~/github/privacy-toolkit
./install-apt-tools.sh
```
**Or manual:**
```bash
sudo apt install \
keepassxc age mat2 exiftool shred bleachbit \
tor torsocks onionshare onionshare-cli \
firejail sherlock
```
## 🔄 Update Strategy
**For APT-managed tools:**
```bash
# Regular updates
sudo apt update && sudo apt upgrade
# Check for security updates
sudo apt update && sudo apt list --upgradable
```
**Checking versions:**
```bash
# OnionShare
onionshare-cli --version
# Tor
tor --version
# mat2
mat2 --version
# KeePassXC
keepassxc --version
```
## 🌐 Tor Project Repository (Optional)
If you want the absolute latest Tor (usually not necessary):
```bash
# Add Tor Project repository
sudo apt install -y apt-transport-https
# Add GPG key
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
# Add repo
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tor.list
# Install
sudo apt update
sudo apt install tor torbrowser-launcher
```
## 📊 Summary
**12+ privacy tools available via apt**
- **Encryption**: keepassxc, age
- **Metadata**: mat2, exiftool
- **Anonymity**: tor, torsocks, onionshare
- **Security**: firejail, bleachbit
- **OSINT**: sherlock
**Benefit**: Single update command, dependency management, security patches
---
**Last Updated**: 2025-11-12
**Debian Version**: Trixie (testing)
**OnionShare**: ✅ Up to date!
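Review bot: the manual install command (`sudo apt install \` ... `shred bleachbit \` ...) lists `shred`, which is not a Debian package; it ships in `coreutils`, so apt aborts the whole command with "Unable to locate package shred" and none of the listed tools get installed. Drop `shred` from the list (coreutils is present on every Debian system). In the optional Tor Project repository section the archive key is piped straight from `wget -qO-` through `gpg --dearmor` into the keyring; since the expected fingerprint `A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89` is already in the download URL, save the `.asc` to a temp file, run `gpg --show-keys --with-fingerprint` on it, compare against that value and only then dearmor it, so a tampered download is rejected rather than trusted. Minor: `$(lsb_release -cs)` fails on minimal installs where `lsb-release` is absent; `VERSION_CODENAME` from `/etc/os-release` is always available.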

134
README.md Normal file

@ -0,0 +1,134 @@
# 🛡️ Privacy Toolkit
**A curated collection of privacy-focused tools with automated installation scripts**
## 🎯 Mission
Provide easy-to-install, well-documented privacy tools that protect against common threats:
- Surveillance and tracking
- Data breaches and leaks
- Malicious documents and files
- Metadata exposure
- Network monitoring
## 🚀 Quick Start
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/privacy-toolkit.git
cd privacy-toolkit
# Install a specific tool
./tools/dangerzone/install.sh
# Or use the master installer (coming soon)
./install.sh
```
## 📦 Available Tools
### 🎯 Priority Tools (Install First)
1. **[Dangerzone](tools/dangerzone/)** - Document sanitization ✅
2. **[LibreWolf](tools/librewolf/)** - Privacy-focused Firefox fork ✅
3. **mat2** - Metadata removal (via apt-tools)
4. **Signal Desktop** - Secure messaging (coming soon)
5. **Tor Browser** - Anonymous browsing (coming soon)
6. **BleachBit** - Secure deletion (via apt-tools)
7. **firejail** - App sandboxing (via apt-tools)
See [TOOLS-LIST.md](TOOLS-LIST.md) for the complete list of planned tools.
## 🗂️ Categories
- **Document Sanitization**: Remove malware and tracking from files
- **Encryption & Storage**: Protect data at rest
- **Secure Communication**: Private messaging and calls
- **Anonymity & Network**: Browse and communicate anonymously
- **Metadata Removal**: Strip identifying information
- **Secure Deletion**: Permanently erase sensitive data
- **Password Management**: Secure credential storage
- **Email Privacy**: Encrypted email communication
- **System Hardening**: Lock down your system
- **DNS Privacy**: Prevent DNS surveillance
## 🔧 Installation Script Features
Each tool installation script includes:
- ✅ Distro detection (Debian/Ubuntu/Fedora/Arch)
- ✅ GPG key verification
- ✅ Dependency checking
- ✅ Post-install verification
- ✅ Usage examples
- ✅ Security best practices
## 📖 Documentation
Each tool includes:
- **README.md**: What it does and why you need it
- **install.sh**: Automated installation
- **Threat model**: What attacks it protects against
- **Usage examples**: How to use it effectively
## 🤝 Contributing
Privacy tools to suggest? Found a bug? Contributions welcome!
1. Fork the repository
2. Create a feature branch
3. Follow the tool template structure
4. Submit a pull request
## 🔒 Security Principles
- **FOSS First**: Open source tools are auditable
- **Official Sources**: Install from official repositories when possible
- **Signature Verification**: Always verify GPG signatures
- **Minimal Trust**: Reduce trust in third parties
- **Defense in Depth**: Layer multiple tools for comprehensive protection
## 📚 Learning Resources
- [Threat Modeling Guide](docs/threat-modeling.md) (coming soon)
- [Privacy Best Practices](docs/best-practices.md) (coming soon)
- [Tool Verification Guide](docs/verification.md) (coming soon)
## ⚖️ License
MIT License - See [LICENSE](LICENSE) for details
## 🙏 Acknowledgments
- Freedom of the Press Foundation (Dangerzone)
- The Tor Project
- Signal Foundation
- All FOSS privacy tool developers
---
**Status**: 🚧 Work in Progress
**Tools Completed**: 8/30+
**Last Updated**: 2025-12-21
💡 **Remember**: Privacy is a process, not a product. These tools help, but conscious behavior matters more.
## 🔐 Security Best Practices
### Always Verify Signatures and Checksums!
Before installing ANY security software:
1. **Download signature files** (.asc, .sig)
2. **Import developer's GPG key**
3. **Verify fingerprint** against official website
4. **Check SHA256 checksum**
5. **Verify GPG signature**
Example verification workflow documented in tool directories (see `tools/cryptomator/VERIFICATION.md`).
**Red flags - DO NOT INSTALL:**
- ❌ No signature file available
- ❌ Fingerprint mismatch
- ❌ "BAD signature" from GPG
- ❌ Checksum mismatch
- ❌ Download from unofficial source
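Review bot: "Installation Script Features" claims every script includes "GPG key verification" and "Post-install verification", but the scripts in this same commit do not bear that out: `tools/croc/install.sh` runs `curl https://getcroc.schollz.com | bash` with no signature or checksum check, and `tools/cloudflare-warp/install.sh` dearmors the vendor key without comparing a fingerprint. Either reword the list as the target template (as TOOLS-REFERENCE.md does) or bring the scripts up to it before a reader relies on the claim. The Quick Start also tells readers to run `./install.sh` while the comment above it says "coming soon"; point it at `./install-apt-tools.sh`, which this commit does add, until the master installer exists. Finally, the "Security Best Practices" section sits below the `---` status footer and the "Last Updated" line, so it reads as appended after the document ended; move it above the footer, next to "Security Principles". Status "Tools Completed: 8/30+" also disagrees with TOOLS-LIST.md (5/30+) in the same commit.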

135
SESSION-NOTES.md Normal file

@ -0,0 +1,135 @@
# Privacy Toolkit - Session Notes
## 2025-11-12 - Initial Repository Setup
### 🎯 What We Built
Created a modular privacy toolkit with automated installation scripts for security-focused tools.
### ✅ Completed Tools (5)
1. **Dangerzone** - Document sanitization (Freedom of Press Foundation)
- Container-based PDF/Office sanitization
- Includes GPG keyring permission fix
- Full threat model documentation
2. **croc** - Secure P2P file transfer
- PAKE-based encryption
- Simple curl | bash installation
3. **age** - Modern file encryption
- Simpler than GPG
- Installed via apt
4. **VeraCrypt** - Full disk encryption
- Encrypted containers and full disk encryption
- Launchpad .deb download
- Version 1.26.7
5. **Cryptomator** - Cloud storage encryption
- Client-side encryption for cloud files
- Interactive .deb vs AppImage choice
- **Includes full verification guide** (GPG + SHA256)
### 📁 Repository Structure
```
privacy-toolkit/
├── README.md # Main documentation
├── TOOLS-LIST.md # Progress checklist
├── TOOLS-REFERENCE.md # Detailed tool descriptions
├── SESSION-NOTES.md # This file
└── tools/
├── age/
│ └── install.sh
├── croc/
│ └── install.sh
├── cryptomator/
│ ├── install.sh
│ └── VERIFICATION.md # GPG verification guide
├── dangerzone/
│ ├── install.sh
│ └── README.md
└── veracrypt/
└── install.sh
```
### 🔐 Key Features
- **Modular Design**: Each tool is self-contained
- **Security-First**: GPG verification, checksums, official sources
- **Educational**: Threat models explain WHY you need each tool
- **Consistent**: Same script structure across all tools
- **Practical**: Real-world verification example for Cryptomator
### 🎓 Security Practices Documented
Example verification workflow (Cryptomator):
1. Download .deb + .asc signature
2. Import GPG key
3. Verify fingerprint: `5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235`
4. Check SHA256 checksum
5. Verify GPG signature
6. Install if all checks pass
### 📊 Status
- **Tools Completed**: 5/30+
- **Priority Tools**: 1/6 (Dangerzone)
- **Documentation**: Comprehensive for completed tools
- **Git**: Not yet initialized (ready to be)
### 🎯 Next Steps
Potential additions:
- mat2 (metadata removal)
- Signal Desktop
- Tor Browser
- BleachBit
- firejail
- OnionShare
- ExifTool
### 💡 Design Decisions
1. **Cryptomator: .deb vs AppImage**
- Script offers choice
- Recommendation: .deb for better system integration
- AppImage for portability
2. **VeraCrypt: Version locking**
- Hardcoded 1.26.7 for stability
- Manual update recommended over auto-latest
3. **Dangerzone: GPG keyring fix**
- Includes chmod 644 fix for /etc/apt/keyrings/
- Solves permission denied error
### 🔗 Resources
- Official Cryptomator releases: https://github.com/cryptomator/cryptomator/releases
- Dangerzone: https://dangerzone.rocks/
- VeraCrypt: https://veracrypt.fr/
- Age: https://github.com/FiloSottile/age
- Croc: https://github.com/schollz/croc
---
**Created**: 2025-11-12
**Tools**: 5 complete, 25+ planned
**Focus**: Security, privacy, encryption, sanitization
## SimpleX Installation Discovery
**Issue**: SimpleX .deb packages have library compatibility issues across multiple distros.
**Confirmed broken:**
- Debian Trixie: Crashes with `SIGSEGV in libHSzstd`
- Pop!_OS: Required AppImage
**Solution**: Always use AppImage for SimpleX
- Script: `tools/simplex/install-appimage.sh`
- Location: `~/.local/bin/SimpleX.AppImage`
- Works universally across distros
**Lesson**: For complex cross-platform apps with many dependencies, prefer AppImage over distro-specific packages.
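Review bot: under "Design Decisions", "Includes chmod 644 fix for /etc/apt/keyrings/" names the directory, but mode 644 is only right for the keyring file; applied to the directory it strips the execute bit, the unprivileged `_apt` user that apt uses for signature checking can no longer traverse it, and the "permission denied" error this is meant to solve comes back. State the target explicitly: directory 755, keyring file 644, as `tools/cloudflare-warp/install.sh` in this commit does with `sudo chmod 644 /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg`. Separately, the Status block ("Tools Completed: 5/30+", "Git: Not yet initialized") is stale against README.md's "8/30+" in the same commit, and the "SimpleX Installation Discovery" section is appended after the `---` / "Created: 2025-11-12" footer; give it its own dated session heading so the notes stay chronological.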

92
TOOLS-LIST.md Normal file

@ -0,0 +1,92 @@
# Privacy Toolkit - Tool Candidates
This is our working list of privacy tools to include in the toolkit.
## 🎯 Priority 1 (Core Privacy Tools)
- [x] **Dangerzone** - Document sanitization ✅
- [ ] **mat2** - Metadata removal
- [ ] **Signal Desktop** - Secure messaging
- [ ] **Tor Browser** - Anonymous browsing
- [ ] **BleachBit** - Secure deletion
- [ ] **firejail** - App sandboxing
## 🛡️ Document Sanitization
- [x] **Dangerzone** - PDF/Office document sanitizer using container isolation ✅
- [ ] **ExifCleaner** - Metadata removal from images/PDFs/videos
- [ ] **mat2** - Metadata Anonymization Toolkit
## 🔐 Encryption & Secure Storage
- [x] **VeraCrypt** - Full disk encryption and encrypted containers ✅
- [x] **age** - Modern file encryption ✅
- [x] **Cryptomator** - Client-side cloud storage encryption ✅
## 📂 Secure File Transfer
- [x] **croc** - Secure, fast P2P file transfer ✅
## 📡 Secure Communication
- [ ] **Signal Desktop** - E2E encrypted messaging
- [ ] **SimpleX** - E2E encrypted messaging without identifiers (documented in PAI)
- [ ] **Jami** - P2P encrypted video/audio calls
## 🌐 Anonymity & Network Privacy
- [ ] **Tor Browser** - Anonymous web browsing
- [ ] **ProtonVPN** - Privacy-focused VPN (already installed)
- [ ] **OnionShare** - Anonymous file sharing over Tor
## 🔍 Metadata & Privacy Analysis
- [ ] **ExifTool** - View/edit metadata in files
- [ ] **Sherlock** - Username enumeration across platforms
## 🗑️ Secure Deletion
- [ ] **BleachBit** - Secure file deletion and system cleaning
- [ ] **shred** - Overwrite files securely (already installed)
## 🔒 Password & Secret Management
- [ ] **KeePassXC** - Offline password manager (already in use)
- [ ] **Bitwarden** - Open source password manager (self-hostable)
## 📧 Email Privacy
- [ ] **Thunderbird + Enigmail** - PGP email encryption
- [ ] **ProtonMail Bridge** - Use ProtonMail with desktop clients
## 🛡️ System Hardening
- [ ] **firejail** - Application sandboxing
- [ ] **AppArmor** - Mandatory Access Control (built into Debian)
## 🌐 DNS Privacy
- [ ] **dnscrypt-proxy** - Encrypted DNS queries
- [ ] **Unbound** - Validating DNS resolver
## 📱 Mobile Companion Tools
- [ ] **scrcpy** - Control Android via ADB
---
**Last Updated:** 2025-11-12
**Tools Completed:** 5/30+ (Dangerzone, croc, age, VeraCrypt, Cryptomator)
**Priority Tools:** 1/6
---
## 📦 APT-Based Tools (Quick Install)
Many privacy tools are available directly via apt! Run:
```bash
./install-apt-tools.sh
```
**APT Tools Included:**
- [x] **keepassxc** - Password manager ✅
- [x] **age** - File encryption ✅
- [x] **mat2** - Metadata removal ✅
- [x] **exiftool** - EXIF metadata viewer/editor ✅
- [x] **bleachbit** - Secure deletion ✅
- [x] **firejail** - App sandboxing ✅
- [x] **tor** - Anonymity network ✅
- [x] **torsocks** - Torify applications ✅
- [x] **onionshare** - Anonymous file sharing ✅
- [x] **sherlock** - Username enumeration ✅
**Note**: OnionShare 2.6.3 in Debian is **up to date** with latest release! 🎉
See [APT-TOOLS-VERSIONS.md](APT-TOOLS-VERSIONS.md) for version details.
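Review bot: "Thunderbird + Enigmail - PGP email encryption" recommends an add-on that was discontinued when Thunderbird 78 gained built-in OpenPGP support; a reader who follows it would be installing an unmaintained extension that current Thunderbird no longer loads. Change the entry to "Thunderbird (built-in OpenPGP)"; the same line appears under "Email Privacy" in TOOLS-REFERENCE.md. Also, mat2, BleachBit and firejail are unchecked under "Priority 1" and the footer says "Priority Tools: 1/6", while the "APT-Based Tools" section at the bottom marks all three as done; pick one status so the checklist can be trusted.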

189
TOOLS-REFERENCE.md Normal file

@ -0,0 +1,189 @@
# Privacy Toolkit - Tool Candidates
## 🛡️ Document Sanitization
- **Dangerzone** - PDF/Office document sanitizer using container isolation
- Threat: Malicious documents with embedded exploits
- Status: Installation script ready (needs chmod fix for GPG key)
- Source: Freedom of the Press Foundation
- Platform: Linux (Debian/Ubuntu/Fedora)
- **ExifCleaner** - Metadata removal from images/PDFs/videos
- Threat: EXIF data leaking location, camera info, timestamps
- Source: https://github.com/szTheory/exifcleaner
- Platform: Cross-platform (AppImage for Linux)
- **mat2** (Metadata Anonymization Toolkit)
- Threat: Document metadata revealing identity/system info
- Source: apt package, part of Tails
- Platform: Linux
## 🔐 Encryption & Secure Storage
- **VeraCrypt** - Full disk encryption and encrypted containers
- Threat: Physical device seizure, data theft
- Status: Already in use
- Source: https://veracrypt.fr
- Platform: Cross-platform
- **age** - Modern file encryption (simpler than GPG)
- Threat: Sensitive files at rest
- Source: https://github.com/FiloSottile/age
- Platform: Cross-platform, Go binary
- **Cryptomator** - Client-side cloud storage encryption
- Threat: Cloud provider access to files
- Source: https://cryptomator.org
- Platform: Cross-platform
## 📡 Secure Communication
- **Signal Desktop** - E2E encrypted messaging
- Threat: Message interception, surveillance
- Source: https://signal.org
- Platform: Linux (official .deb)
- **SimpleX** - E2E encrypted messaging without identifiers
- Threat: Metadata correlation, phone number linking
- Status: Already documented in PAI
- Source: https://simplex.chat
- Platform: Cross-platform
- **Jami** - P2P encrypted video/audio calls
- Threat: Centralized communication surveillance
- Source: https://jami.net
- Platform: Cross-platform
## 🌐 Anonymity & Network Privacy
- **Tor Browser** - Anonymous web browsing
- Threat: IP tracking, browser fingerprinting
- Source: https://torproject.org
- Platform: Cross-platform
- **ProtonVPN** - Privacy-focused VPN
- Status: Already installed
- Source: https://protonvpn.com
- Platform: Cross-platform
- **OnionShare** - Anonymous file sharing over Tor
- Threat: File transfer metadata, IP exposure
- Source: https://onionshare.org
- Platform: Cross-platform
## 🔍 Metadata & Privacy Analysis
- **ExifTool** - View/edit metadata in files
- Threat: Understanding what metadata you're leaking
- Source: apt package
- Platform: Cross-platform
- **Sherlock** - Username enumeration across platforms
- Threat: Understanding your digital footprint
- Source: https://github.com/sherlock-project/sherlock
- Platform: Python tool
## 🗑️ Secure Deletion
- **BleachBit** - Secure file deletion and system cleaning
- Threat: Forensic recovery of deleted files
- Source: apt package
- Platform: Linux/Windows
- **shred** - Overwrite files securely
- Threat: File recovery after deletion
- Source: GNU coreutils (already installed)
- Platform: Linux
## 🔒 Password & Secret Management
- **KeePassXC** - Offline password manager
- Status: Already in use
- Source: https://keepassxc.org
- Platform: Cross-platform
- **Bitwarden** - Open source password manager (self-hostable)
- Threat: Password reuse, weak passwords
- Source: https://bitwarden.com
- Platform: Cross-platform + self-hosted
## 📧 Email Privacy
- **Thunderbird + Enigmail** - PGP email encryption
- Threat: Email content surveillance
- Source: apt package
- Platform: Cross-platform
- **ProtonMail Bridge** - Use ProtonMail with desktop clients
- Threat: Email metadata, provider access
- Source: https://proton.me
- Platform: Cross-platform
## 🛡️ System Hardening
- **firejail** - Application sandboxing
- Threat: Application exploits compromising system
- Source: apt package
- Platform: Linux
- **AppArmor** - Mandatory Access Control
- Threat: Privilege escalation
- Source: Built into Debian
- Platform: Linux
## 🌐 DNS Privacy
- **dnscrypt-proxy** - Encrypted DNS queries
- Threat: DNS surveillance, ISP tracking
- Source: https://github.com/DNSCrypt/dnscrypt-proxy
- Platform: Cross-platform
- **Unbound** - Validating DNS resolver
- Threat: DNS spoofing, MITM
- Source: apt package
- Platform: Linux
## 📱 Mobile Companion Tools
- **scrcpy** - Control Android via ADB (for testing privacy apps)
- Source: apt package
- Platform: Linux/Windows/macOS
## 🎯 Priority Tools (Install First)
1. Dangerzone - Document sanitization
2. mat2 - Metadata removal
3. Signal Desktop - Secure messaging
4. Tor Browser - Anonymous browsing
5. BleachBit - Secure deletion
6. firejail - App sandboxing
## 📁 Repository Structure Proposal
```
privacy-toolkit/
├── README.md # Overview, threat model intro
├── install.sh # Master handler script
├── tools/
│ ├── dangerzone/
│ │ ├── install.sh # Individual install script
│ │ ├── README.md # What it does, why you need it
│ │ └── verify.sh # Post-install verification
│ ├── mat2/
│ │ ├── install.sh
│ │ ├── README.md
│ │ └── examples/ # Usage examples
│ ├── signal-desktop/
│ └── tor-browser/
├── categories.md # Tools organized by threat model
├── threat-models.md # Common threat scenarios
└── docs/
├── installation-guide.md
├── verification-guide.md # How to verify tools work
└── threat-modeling.md # Help users choose tools
```
## 🔧 Installation Script Template
Each tool should have:
- Distro detection (Debian/Ubuntu/Fedora/Arch)
- GPG key verification (with chmod fix for keyrings!)
- Dependency checking
- Version verification
- Post-install testing
- Cleanup on failure
- Usage examples
## 📝 Notes
- Focus on FOSS tools (auditability)
- Prefer official repositories
- Include threat model for each tool
- Provide usage examples
- Link to official documentation
- Security-focused: verify signatures, check hashes
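Review bot: the "Installation Script Template" lists "GPG key verification (with chmod fix for keyrings!)" without saying what verification consists of, and none of the scripts in this commit compare a fetched key against a known value (the Cloudflare WARP script dearmors `pubkey.gpg` straight into the keyring). Spell it out: keep the expected fingerprint as a constant in the script, run `gpg --show-keys --with-fingerprint` on the downloaded key, abort on mismatch, and only then write the keyring. "Cleanup on failure" likewise needs a mechanism; `set -euo pipefail` stops a script but leaves a half-written `/etc/apt/sources.list.d/*.list` entry behind, so add a `trap ... ERR` that removes what the script created. Minor: the title duplicates TOOLS-LIST.md's "Tool Candidates"; "Tool Reference" would distinguish the two files.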

201
install-apt-tools.sh Executable file

@ -0,0 +1,201 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Privacy Toolkit - APT-based Tools Installation
# ==============================================================================
# Installs all privacy tools available via apt repositories
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
# APT-based privacy tools organized by category
declare -A TOOLS=(
# Encryption & Password Management
["keepassxc"]="Offline password manager"
["age"]="Modern file encryption"
# Metadata & Privacy
["mat2"]="Metadata Anonymization Toolkit"
["exiftool"]="EXIF metadata editor"
# Secure Deletion
["shred"]="Secure file overwriting (from coreutils)"
["bleachbit"]="System cleaning and secure deletion"
# Network Privacy & Anonymity
["tor"]="Tor anonymity network daemon"
["torsocks"]="Torify applications"
["onionshare"]="Anonymous file sharing over Tor (GUI)"
["onionshare-cli"]="Anonymous file sharing over Tor (CLI)"
# System Hardening
["firejail"]="Application sandboxing"
# OSINT & Privacy Analysis
["sherlock"]="Username enumeration tool"
)
section "Privacy Toolkit - APT Tools Installation"
echo ""
log "Updating package lists..."
sudo apt update
echo ""
section "Available Privacy Tools"
echo ""
# Show tools
for tool in "${!TOOLS[@]}"; do
echo "$tool - ${TOOLS[$tool]}"
done
echo ""
read -p "Install all tools? [Y/n] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]] && [[ -n $REPLY ]]; then
log "Installation cancelled"
exit 0
fi
echo ""
section "Installing Tools"
echo ""
# Track installation results
installed=()
already_installed=()
failed=()
for tool in "${!TOOLS[@]}"; do
if dpkg -l | grep -q "^ii $tool "; then
log "$tool already installed"
already_installed+=("$tool")
else
log "Installing $tool..."
if sudo apt install -y "$tool" 2>&1 | grep -q "Unable to locate package"; then
warn "$tool not available in repositories"
failed+=("$tool")
else
log "$tool installed"
installed+=("$tool")
fi
fi
done
echo ""
section "Installation Summary"
echo ""
if [ ${#installed[@]} -gt 0 ]; then
echo "✅ Newly installed (${#installed[@]}):"
for tool in "${installed[@]}"; do
echo "$tool"
done
echo ""
fi
if [ ${#already_installed[@]} -gt 0 ]; then
echo "✓ Already installed (${#already_installed[@]}):"
for tool in "${already_installed[@]}"; do
echo "$tool"
done
echo ""
fi
if [ ${#failed[@]} -gt 0 ]; then
echo "⚠ Failed/Not available (${#failed[@]}):"
for tool in "${failed[@]}"; do
echo "$tool"
done
echo ""
fi
section "Versions"
echo ""
# Show versions for key tools
echo "OnionShare: $(apt-cache policy onionshare | grep Candidate | awk '{print $2}')"
echo "Tor: $(apt-cache policy tor | grep Candidate | awk '{print $2}')"
echo "mat2: $(dpkg -l | grep "^ii mat2 " | awk '{print $3}' || echo 'not installed')"
echo "KeePassXC: $(dpkg -l | grep "^ii keepassxc " | awk '{print $3}' || echo 'not installed')"
echo ""
section "Quick Usage Examples"
echo ""
cat << 'USAGE'
OnionShare:
# Share a file anonymously
onionshare-cli /path/to/file
# Receive files anonymously
onionshare-cli --receive
mat2:
# Remove metadata from file
mat2 document.pdf
# Clean entire directory
mat2 --inplace *.jpg
Tor + torsocks:
# Run command through Tor
torsocks curl https://check.torproject.org/
# Torify an application
torsocks firefox
firejail:
# Sandbox an application
firejail firefox
# Sandbox with no network
firejail --net=none risky-app
ExifTool:
# View metadata
exiftool image.jpg
# Strip all metadata
exiftool -all= image.jpg
KeePassXC:
# Launch GUI
keepassxc
# CLI (if available)
keepassxc-cli
age:
# Generate key
age-keygen -o key.txt
# Encrypt file
age -e -r <public-key> file.txt > file.txt.age
# Decrypt file
age -d -i key.txt file.txt.age > file.txt
USAGE
echo ""
section "Installation Complete!"
echo ""
log "📚 For detailed usage, see:"
log " - OnionShare: https://docs.onionshare.org/"
log " - Tor: https://tb-manual.torproject.org/"
log " - mat2: https://0xacab.org/jvoisin/mat2"
log " - KeePassXC: https://keepassxc.org/docs/"
echo ""
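Review bot: the installed-check `dpkg -l | grep -q "^ii $tool "` is fragile: `dpkg -l` separates `ii` from the package name with two spaces and appends `:amd64` to multi-arch packages, so the pattern can miss packages that are installed and the same packages show as "not installed" in the Versions section. `dpkg-query -W -f='${Status}' "$tool" 2>/dev/null | grep -q 'install ok installed'` is the reliable test. Second, the failure branch `if sudo apt install -y "$tool" 2>&1 | grep -q "Unable to locate package"` only recognises one error string: a dependency conflict, a held package or a network error makes grep return 1, the pipeline falls into the `else` branch and the run is logged as "$tool installed". Test apt's own exit status instead (`if sudo apt-get install -y "$tool"; then installed+=("$tool"); else failed+=("$tool"); fi`) and check availability beforehand with `apt-cache policy "$tool"`. Third, `shred` in the TOOLS array is not a package (it is in `coreutils`), so it lands in "Failed/Not available" on every run; drop it or print it as a coreutils note.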

62
tools/age/install.sh Executable file

@ -0,0 +1,62 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Age Installation Script
# ==============================================================================
# Installs age - Modern, simple file encryption
#
# Threat Model:
# - Files at rest without encryption (laptop theft, cloud breaches)
# - GPG complexity leading to misconfiguration
# - Key management nightmares
#
# Why Age over GPG:
# - Simple: One algorithm, no configuration options
# - Modern: ChaCha20-Poly1305 encryption
# - Small: Tiny keys and ciphertext overhead
# - Fast: Optimized for modern processors
#
# Source: https://github.com/FiloSottile/age
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
echo "=== Age Installation ==="
echo ""
log "Installing age from Debian repository..."
sudo apt update
sudo apt install -y age
echo ""
log "Verifying installation..."
age --version
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Quick Start:"
echo ""
echo " Generate a key pair:"
echo " age-keygen -o key.txt"
echo " # Save this file securely! It's your private key"
echo ""
echo " Encrypt a file:"
echo " age -e -r \$(cat key.txt | grep 'public key' | cut -d: -f2) file.txt > file.txt.age"
echo ""
echo " Or use recipient's public key:"
echo " age -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p file.txt > file.txt.age"
echo ""
echo " Decrypt a file:"
echo " age -d -i key.txt file.txt.age > file.txt"
echo ""
echo " Password-based encryption (no keys needed):"
echo " age -p file.txt > file.txt.age"
echo " age -d file.txt.age > file.txt"
echo ""
echo "📖 Documentation: https://github.com/FiloSottile/age"
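Review bot: the Quick Start recipe `age -e -r \$(cat key.txt | grep 'public key' | cut -d: -f2) file.txt` hands age a recipient with a leading space (the key file line is `# public key: age1...`, and `cut -d: -f2` keeps the space after the colon), which age rejects as an unknown recipient type. `age-keygen -y key.txt` prints the recipient for an identity file and is the supported way to derive it: `age -e -r "$(age-keygen -y key.txt)" file.txt > file.txt.age`. The "Why Age over GPG" header line "Fast: Optimized for modern processors" adds nothing a user can act on; the other three bullets already make the case.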

103
tools/cloudflare-warp/install.sh Executable file

@ -0,0 +1,103 @@
#!/usr/bin/env bash
#################################################################################
# Cloudflare WARP Installation Script
#
# Installs Cloudflare WARP client for encrypted DNS and private routing
#
# Features:
# - Encrypted DNS (1.1.1.1 with WARP)
# - Optional VPN-like routing through Cloudflare network
# - Prevents ISP DNS snooping
#
# Usage modes:
# - warp-cli connect # Connect to WARP
# - warp-cli disconnect # Disconnect
# - warp-cli status # Check status
# - warp-cli set-mode warp # Full WARP (VPN-like)
# - warp-cli set-mode doh # DNS-over-HTTPS only
#
# Note: Free tier available, paid WARP+ for faster speeds
#################################################################################
set -euo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${CYAN} Cloudflare WARP Installation${NC}"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Check if already installed
if command -v warp-cli &>/dev/null; then
echo -e "${YELLOW}Cloudflare WARP is already installed${NC}"
warp-cli --version
echo ""
read -p "Reinstall? [y/N] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${GREEN}Skipping installation${NC}"
exit 0
fi
fi
# Detect distro
if [[ -f /etc/os-release ]]; then
. /etc/os-release
DISTRO_ID="${ID:-unknown}"
DISTRO_CODENAME="${VERSION_CODENAME:-$(lsb_release -cs 2>/dev/null || echo 'unknown')}"
else
echo -e "${RED}Cannot detect distribution${NC}"
exit 1
fi
echo -e "${GREEN}Detected:${NC} $DISTRO_ID ($DISTRO_CODENAME)"
echo ""
# Handle Debian trixie/sid -> use bookworm packages
case "$DISTRO_CODENAME" in
trixie|sid|testing)
echo -e "${YELLOW}Note: Using bookworm packages for $DISTRO_CODENAME${NC}"
DISTRO_CODENAME="bookworm"
;;
esac
# Add Cloudflare GPG key
echo -e "${GREEN}[1/4]${NC} Adding Cloudflare GPG key..."
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
# Fix permissions (must be world-readable for apt)
sudo chmod 644 /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
# Add repository
echo -e "${GREEN}[2/4]${NC} Adding Cloudflare repository..."
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ ${DISTRO_CODENAME} main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list > /dev/null
# Update and install
echo -e "${GREEN}[3/4]${NC} Updating package lists..."
sudo apt-get update
echo -e "${GREEN}[4/4]${NC} Installing cloudflare-warp..."
sudo apt-get install -y cloudflare-warp
echo ""
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN}${NC} Cloudflare WARP installed successfully"
echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "${YELLOW}First-time setup:${NC}"
echo -e " ${CYAN}warp-cli registration new${NC} # Register device (one-time)"
echo -e " ${CYAN}warp-cli connect${NC} # Connect to WARP"
echo ""
echo -e "${YELLOW}Common commands:${NC}"
echo -e " ${CYAN}warp-cli status${NC} # Check connection status"
echo -e " ${CYAN}warp-cli disconnect${NC} # Disconnect"
echo -e " ${CYAN}warp-cli set-mode doh${NC} # DNS-over-HTTPS only (no VPN)"
echo -e " ${CYAN}warp-cli set-mode warp${NC} # Full WARP routing"
echo ""
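Review bot: step [1/4] installs the Cloudflare signing key with `curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output ...` and nothing examines what was fetched, so the repository is trusted on the strength of one TLS download; save the key to a temp file, compare its fingerprint (`gpg --show-keys --with-fingerprint`) against a value you have confirmed out of band and recorded in the script, and abort on mismatch before writing the keyring. The header also deserves a threat-model caveat: "Prevents ISP DNS snooping" is true, but WARP and `warp-cli registration new` move that visibility to Cloudflare rather than removing it, which is exactly the trade-off the README's "Minimal Trust" principle asks each tool's threat model to state. Minor: the success banner `echo -e "${GREEN}${NC} Cloudflare WARP installed successfully"` has an empty colour span where a check mark presumably went, and the `lsb_release` fallback is unnecessary since `VERSION_CODENAME` from `/etc/os-release` is already read two lines above.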

67
tools/croc/install.sh Executable file

@ -0,0 +1,67 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Croc Installation Script
# ==============================================================================
# Installs croc - Secure, fast file transfer tool
#
# Threat Model:
# - Insecure file transfer methods (email, Dropbox, USB drives)
# - Cloud storage snooping and data breaches
# - Man-in-the-middle attacks during file transfer
# - Metadata exposure in file sharing
#
# How Croc Protects:
# - End-to-end encryption using PAKE (Password Authenticated Key Exchange)
# - No account or login required
# - Direct peer-to-peer transfer (optional relay for NAT traversal)
# - Automatic compression
# - Resume capability for interrupted transfers
#
# Source: https://github.com/schollz/croc
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
echo "=== Croc Installation ==="
echo ""
log "Downloading and installing croc..."
curl https://getcroc.schollz.com | bash
echo ""
log "Verifying installation..."
if command -v croc >/dev/null 2>&1; then
log "✅ Croc installed successfully!"
croc --version
else
warn "Croc not found in PATH - may need to add ~/.local/bin to PATH"
exit 1
fi
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage Examples:"
echo ""
echo " Send a file:"
echo " croc send myfile.pdf"
echo " # Share the code phrase with recipient"
echo ""
echo " Receive a file:"
echo " croc 1234-code-word-phrase"
echo ""
echo " Send entire directory:"
echo " croc send /path/to/folder"
echo ""
echo " Custom code phrase:"
echo " croc send --code my-secret-phrase file.txt"
echo ""
echo "📖 Documentation: https://github.com/schollz/croc"
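Review bot: `curl https://getcroc.schollz.com | bash` executes whatever the server returns, with no `-f` so an HTTP error page would be piped into bash too, and with no checksum or signature check, which contradicts the README's "Always verify GPG signatures" principle and the "GPG key verification" feature it claims for every script. Download the release archive for the detected architecture from https://github.com/schollz/croc/releases to a temp directory, verify it against the checksum file published with the release before unpacking, and install the binary to a known path; that also removes the guesswork in the fallback message ("may need to add ~/.local/bin to PATH"), because the script would know where it put the binary. At minimum use `curl -fsSL`, save the installer to a file, and review it before it runs.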


@ -0,0 +1,112 @@
# Cryptomator Installation Verification Guide
## 🔐 Verify Before Installing
**ALWAYS verify cryptographic signatures and checksums before installing security software!**
### Step 1: Download Files
Download both the .deb package AND the .asc signature file from:
https://github.com/cryptomator/cryptomator/releases
Example for version 1.18.0:
```bash
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb.asc
```
### Step 2: Import Cryptomator GPG Key
```bash
# Import the official Cryptomator release key
gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235
# Verify the fingerprint matches official:
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
```
**Expected fingerprint:**
```
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
```
**If the fingerprint doesn't match, DO NOT INSTALL!**
### Step 3: Verify SHA256 Checksum
Get the SHA256 from the GitHub release page, then verify:
```bash
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
```
Expected output:
```
cryptomator_1.18.0-0ppa1_amd64.deb: OK
```
### Step 4: Verify GPG Signature
```bash
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
```
Expected output:
```
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
```
**The "unknown" trust is fine** - it just means you haven't personally signed their key. The important parts:
- ✅ "Good signature"
- ✅ Fingerprint matches official
- ✅ Signature date is reasonable (not from years ago)
### Step 5: Install
```bash
sudo dpkg -i cryptomator_1.18.0-0ppa1_amd64.deb
```
## 🚨 Red Flags (DO NOT INSTALL if you see these)
- ❌ Fingerprint mismatch
- ❌ "BAD signature"
- ❌ "No public key" (key import failed)
- ❌ Checksum mismatch
- ❌ Can't download .asc file (unsigned package)
## 📖 Official Resources
- Release Downloads: https://github.com/cryptomator/cryptomator/releases
- GPG Key Info: https://github.com/cryptomator/cryptomator/blob/develop/GPG-KEY.md
- Security Advisory: https://cryptomator.org/security/
## ✅ Verification Example (Real Output)
```
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
cryptomator_1.18.0-0ppa1_amd64.deb: OK
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
pub rsa4096 2020-08-18 [SC] [expires: 2031-01-01]
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
uid [ unknown] Cryptobot <releases@cryptomator.org>
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST
gpg: using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
```
✅ All checks passed - safe to install!
---
**Remember**: This verification process protects you from:
- Corrupted downloads
- Man-in-the-middle attacks
- Compromised mirrors
- Trojanized packages
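Review bot: Step 2 imports the key with `--recv-keys 615D449FE6E6A235`, a 64-bit key ID, so the fingerprint comparison in the following command is doing all the work; pass the full fingerprint `58117AFA1F85B3EEC154677D615D449FE6E6A235` to `--recv-keys` (or import the key from the GPG-KEY.md page listed under Official Resources) so a key with a colliding short ID cannot be served by the keyserver. Step 3 should also say that a SHA256 copied from the same GitHub release page only detects a corrupted download, since whoever can replace the .deb can replace the listed hash too; the GPG signature in Step 4 is the check that covers a compromised mirror. The "Signature date is reasonable" bullet is a weak heuristic (an old but valid signature over the correct file is still valid) and reads as if it were on par with the two hard checks above it.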

125
tools/cryptomator/install.sh Executable file

@ -0,0 +1,125 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Cryptomator Installation Script
# ==============================================================================
# Installs Cryptomator - Client-side cloud storage encryption
#
# Threat Model:
# - Cloud provider snooping (Dropbox, Google Drive, etc.)
# - Data breaches exposing cloud files
# - Government data requests to cloud providers
# - Cloud employee access to files
#
# How Cryptomator Protects:
# - Client-side encryption before files leave your computer
# - Zero-knowledge: Cloud provider can't decrypt files
# - Encrypts filenames and directory structure
# - Works with any cloud provider (Dropbox, GDrive, OneDrive, etc.)
#
# Source: https://cryptomator.org/
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
echo "=== Cryptomator Installation ==="
echo ""
echo "Choose installation method:"
echo " 1) .deb package (recommended - better system integration)"
echo " 2) AppImage (portable, works across distros)"
echo ""
read -p "Enter choice [1-2]: " choice
case $choice in
1)
log "Installing Cryptomator .deb package..."
# Get latest release
log "Fetching latest release..."
LATEST_URL=$(curl -s https://api.github.com/repos/cryptomator/cryptomator/releases/latest \
| grep "browser_download_url.*amd64.deb" \
| cut -d '"' -f 4)
if [ -z "$LATEST_URL" ]; then
error "Could not find latest .deb package"
fi
log "Downloading from: $LATEST_URL"
cd /tmp
wget -O cryptomator.deb "$LATEST_URL"
log "Installing .deb package..."
sudo apt install -y ./cryptomator.deb
rm cryptomator.deb
log "✅ Cryptomator .deb installed"
;;
2)
log "Installing Cryptomator AppImage..."
# Get latest AppImage
log "Fetching latest release..."
LATEST_URL=$(curl -s https://api.github.com/repos/cryptomator/cryptomator/releases/latest \
| grep "browser_download_url.*x86_64.AppImage\"" \
| cut -d '"' -f 4)
if [ -z "$LATEST_URL" ]; then
error "Could not find latest AppImage"
fi
log "Downloading from: $LATEST_URL"
mkdir -p ~/.local/bin
cd ~/.local/bin
wget -O Cryptomator.AppImage "$LATEST_URL"
chmod +x Cryptomator.AppImage
# Create desktop entry
log "Creating desktop entry..."
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/cryptomator.desktop << 'DESKTOP'
[Desktop Entry]
Name=Cryptomator
Exec=$HOME/.local/bin/Cryptomator.AppImage
Icon=cryptomator
Type=Application
Categories=Utility;Security;
DESKTOP
log "✅ Cryptomator AppImage installed to ~/.local/bin/Cryptomator.AppImage"
;;
*)
error "Invalid choice"
;;
esac
echo ""
log "Verifying installation..."
if command -v cryptomator >/dev/null 2>&1 || [ -f ~/.local/bin/Cryptomator.AppImage ]; then
log "✅ Cryptomator installed successfully!"
else
warn "Installation verification failed"
fi
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage:"
echo " 1. Launch Cryptomator from application menu"
echo " 2. Create a new vault in your cloud storage folder"
echo " 3. Set a strong password"
echo " 4. Unlock vault and mount it"
echo " 5. Copy files into mounted vault"
echo " 6. Files are encrypted before sync to cloud!"
echo ""
echo "📖 Documentation: https://docs.cryptomator.org/"
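Review bot: the .deb branch installs whatever URL the GitHub API returns with none of the checks the VERIFY.md in this commit requires: no `.asc` download, no `gpg --verify`, no checksum. Suggest fetching both the `.deb` and its `.asc`, running `gpg --verify cryptomator.deb.asc cryptomator.deb` against the pinned fingerprint, and only then calling `apt install`, exiting on anything other than a good signature. Two smaller defects in the same hunk: `grep "browser_download_url.*amd64.deb"` also matches the `amd64.deb.asc` asset line, so `LATEST_URL` can contain two URLs (the AppImage branch avoids this with its trailing `\"`), and the desktop entry heredoc is quoted (`<< 'DESKTOP'`), so `Exec=$HOME/.local/bin/Cryptomator.AppImage` is written literally and the entry will not launch, because .desktop files do not expand shell variables.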

115
tools/dangerzone/README.md Normal file

@ -0,0 +1,115 @@
# Dangerzone - Document Sanitization
**Convert potentially dangerous PDFs and Office documents into safe PDFs**
## 🎯 Threat Model
### What Problem Does This Solve?
PDF and Office documents can contain:
- Embedded malware and exploits
- Tracking beacons that phone home when opened
- Active content (JavaScript, macros) that can compromise your system
- Hidden layers and metadata
Opening untrusted documents is a **major attack vector**.
### How Dangerzone Protects You
1. **Container Isolation**: Opens document in a disposable container
2. **Pixel Conversion**: Renders each page to pixels (destroying any code)
3. **Safe Reconstruction**: Rebuilds a clean PDF from the pixels
4. **Metadata Stripping**: Removes all potentially identifying metadata
Result: A safe, pixel-perfect copy of the document without any embedded threats.
## 🚀 Installation
```bash
cd ~/github/privacy-toolkit
./tools/dangerzone/install.sh
```
Or run directly:
```bash
bash <(curl -s https://raw.githubusercontent.com/YOUR_USERNAME/privacy-toolkit/main/tools/dangerzone/install.sh)
```
## 📖 Usage
### GUI Method
1. Launch "Dangerzone" from your application menu
2. Drag and drop a PDF or Office document
3. Wait for sanitization (can take a few minutes for large docs)
4. Get your safe PDF
### Right-Click Method
1. Right-click any PDF file
2. Select "Open with Dangerzone"
3. Sanitized PDF will be created in the same directory
### Command Line
```bash
# Sanitize a PDF
dangerzone document.pdf
# Sanitize multiple files
dangerzone file1.pdf file2.docx file3.xlsx
# Specify output directory
dangerzone -o /safe/directory document.pdf
```
## 🔍 When to Use Dangerzone
**Always sanitize:**
- ✅ Documents from email attachments
- ✅ Downloads from the internet
- ✅ Documents from USB drives
- ✅ Any document from untrusted sources
- ✅ Journalist source materials
- ✅ Legal documents from unknown parties
**Less critical:**
- Documents you created yourself
- Documents from verified, trusted colleagues (but still good practice!)
## ⚠️ Limitations
- **File Size**: Dangerzone creates larger files (pixel-based PDFs)
- **Processing Time**: Can be slow for large documents (requires rendering)
- **Text Selection**: Text becomes images (not searchable/selectable)
- **Forms**: Interactive PDF forms become static
**Trade-off**: Security vs. convenience. Dangerzone prioritizes security.
## 🛠️ Technical Details
**Architecture:**
- Uses Podman or Docker for containerization
- Runs untrusted code in isolated sandbox
- Converts to pixels using LibreOffice/GraphicsMagick
- Rebuilds PDF using safe rendering engine
**Supported Formats:**
- PDF
- Microsoft Office: .docx, .xlsx, .pptx
- LibreOffice: .odt, .ods, .odp
## 🔗 Resources
- Official Website: https://dangerzone.rocks/
- Source Code: https://github.com/freedomofpress/dangerzone
- Freedom of the Press Foundation: https://freedom.press/
## 🤝 Related Tools
- **mat2**: Metadata removal (keeps documents editable)
- **ExifCleaner**: Quick metadata stripping
- **Qubes OS**: Full system isolation for maximum security
---
**Maintained by**: Freedom of the Press Foundation
**License**: AGPL-3.0
**Last Updated**: 2025-11-12
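Review bot: the "Or run directly" one-liner pipes a remote script into bash and still carries the `YOUR_USERNAME` placeholder, so as written it either fails or runs whatever happens to be at a URL the reader fills in; for the README of a tool whose whole point is not trusting inputs, keep only the clone-and-run method (which lets the reader inspect install.sh first) or at minimum fix the path. Under Limitations, also state that a container runtime (Podman or Docker, as listed under Technical Details) is a hard requirement, since the install.sh in this commit only warns when neither is present rather than installing one.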

138
tools/dangerzone/install.sh Executable file

@ -0,0 +1,138 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Dangerzone Installation Script
# ==============================================================================
# Installs Dangerzone - PDF/Office document sanitizer using container isolation
#
# Threat Model:
# - Malicious PDF/Office documents with embedded exploits
# - Opening untrusted documents can compromise your system
# - Dangerzone converts documents in isolated containers, then re-renders
# them safely, removing any potential malware
#
# Source: Freedom of the Press Foundation
# Official Docs: https://dangerzone.rocks/
# ==============================================================================
# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
# Detect distro
detect_distro() {
if [ -f /etc/os-release ]; then
. /etc/os-release
echo "$ID"
else
error "Cannot detect distribution"
fi
}
# Install for Debian/Ubuntu
install_debian() {
log "Installing Dangerzone for Debian/Ubuntu..."
# Install prerequisites
log "Installing prerequisites..."
sudo apt-get update
sudo apt-get install -y gpg ca-certificates
# Create keyrings directory
sudo mkdir -p /etc/apt/keyrings
# Download and add GPG key
log "Adding Freedom of the Press Foundation GPG key..."
sudo gpg --keyserver hkps://keys.openpgp.org \
--no-default-keyring --no-permission-warning --homedir $(mktemp -d) \
--keyring gnupg-ring:/etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
--recv-keys DE28AB241FA48260FAC9B8BAA7C9B38522604281
# FIX: Make keyring world-readable so APT can verify signatures
log "Fixing keyring permissions..."
sudo chmod 644 /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
# Add repository
log "Adding Dangerzone repository..."
. /etc/os-release
echo "deb [signed-by=/etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg] \
https://packages.freedom.press/apt-tools-prod ${VERSION_CODENAME?} main" \
| sudo tee /etc/apt/sources.list.d/fpf-apt-tools.list
# Install Dangerzone
log "Installing Dangerzone..."
sudo apt update
sudo apt install -y dangerzone
log "✅ Dangerzone installed successfully!"
}
# Install for Fedora
install_fedora() {
warn "Fedora installation not yet implemented"
error "Please install manually: https://dangerzone.rocks/"
}
# Verify installation
verify_installation() {
log "Verifying installation..."
if command -v dangerzone >/dev/null 2>&1; then
log "✅ Dangerzone command found"
dangerzone --version || true
else
error "Dangerzone not found in PATH"
fi
# Check if container runtime is available
if command -v podman >/dev/null 2>&1; then
log "✅ Podman available (container runtime)"
elif command -v docker >/dev/null 2>&1; then
log "✅ Docker available (container runtime)"
else
warn "No container runtime found - Dangerzone may not work"
fi
}
# Main
main() {
echo "=== Dangerzone Installation ==="
echo ""
DISTRO=$(detect_distro)
log "Detected distribution: $DISTRO"
case "$DISTRO" in
debian|ubuntu)
install_debian
;;
fedora)
install_fedora
;;
*)
error "Unsupported distribution: $DISTRO"
;;
esac
echo ""
verify_installation
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage:"
echo " 1. Launch from application menu: 'Dangerzone'"
echo " 2. Or right-click any PDF → 'Open with Dangerzone'"
echo " 3. Or from terminal: dangerzone /path/to/document.pdf"
echo ""
echo "📖 Documentation: https://dangerzone.rocks/"
}
main "$@"
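Review bot: `install_debian` builds the suite from `${VERSION_CODENAME?}` but `main` only dispatches `debian|ubuntu`, so derivatives are rejected outright, and if those arms are widened the derivative's own codename would be used where the repository expects the Debian/Ubuntu base codename; map Ubuntu-based distros to `UBUNTU_CODENAME` from /etc/os-release before adding them. In the key import, `--homedir $(mktemp -d)` is unquoted and the temporary GnuPG home is never removed; capture it in a variable, quote it, and `rm -rf` it after `--recv-keys` completes. Minor: the script mixes `apt-get` for prerequisites with `apt` for the install, and `apt` warns that its CLI is not stable for scripted use, so use `apt-get` throughout.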

85
tools/frame/README.md Normal file

@ -0,0 +1,85 @@
# Frame Wallet
Privacy-focused, system-wide web3 wallet for Linux.
## What is Frame?
Frame is a native OS-level wallet that provides:
- Hardware wallet support (Ledger, Trezor, GridPlus Lattice)
- Multi-chain support (Ethereum, Optimism, Arbitrum, Polygon, etc.)
- System tray integration
- No browser extension required
- Open source and auditable
## Why Frame?
**Privacy Benefits:**
- No tracking or analytics
- Open source (MIT license)
- No account required
- Works offline for signing
**Security Benefits:**
- Hardware wallet isolation from browser
- Native OS process (not a browser extension)
- System-level permission model
- No extension attack surface
## Installation
```bash
./install.sh
```
This will:
1. Install Frame from official sources
2. Create X11-mode launcher at `~/bin/frame`
3. Create desktop entry with proper Electron flags
## Display Compatibility
Frame is an Electron app. The install script forces X11 mode for stability:
```bash
--ozone-platform=x11 # Force X11 (Wayland has issues)
```
If you want to try Wayland, edit `~/bin/frame` and use:
- Auto-detect: `--ozone-platform-hint=auto`
- Pure Wayland: `--enable-features=UseOzonePlatform --ozone-platform=wayland`
## Usage
```bash
frame # Launch Frame
```
Then:
1. Click the Frame icon in system tray
2. Add accounts (hot wallet or hardware)
3. Connect to dapps via Frame's injected provider
## Hardware Wallet Setup
### Ledger
1. Install Ledger Live and update firmware
2. Install Ethereum app on Ledger
3. Enable "Blind signing" in Ethereum app settings
4. Connect Ledger and unlock
5. Frame will detect it automatically
### Trezor
1. Update Trezor firmware via Trezor Suite
2. Connect Trezor
3. Frame will prompt for PIN
### GridPlus Lattice
1. Pair Lattice via Frame settings
2. Frame connects over network
## Resources
- [Frame Website](https://frame.sh/)
- [Documentation](https://docs.frame.sh/)
- [GitHub](https://github.com/floating/frame)
- [Discord](https://discord.gg/frame)
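Review bot: the Ledger step 'Enable "Blind signing" in Ethereum app settings' needs a caveat: blind signing lets the device approve transaction or message payloads it cannot display, which removes the main protection a hardware wallet gives against a compromised host or a malicious dapp. Suggest telling users to leave it disabled by default, enable it only for a specific interaction that requires it, and turn it off again afterwards, so the "Hardware wallet isolation from browser" benefit listed above actually holds.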

176
tools/frame/install.sh Executable file

@ -0,0 +1,176 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Frame Wallet Installation Script
# ==============================================================================
# Installs Frame - A privacy-focused, system-wide web3 wallet
#
# Features:
# - Hardware wallet support (Ledger, Trezor, GridPlus)
# - Multi-chain support (Ethereum, Optimism, Arbitrum, etc.)
# - Native OS integration (system tray, browser extension not required)
# - Privacy-focused (no tracking, open source)
#
# Threat Model:
# - Protects against browser extension attacks
# - Hardware wallet isolation from browser
# - No phone-home or analytics
# - Open source and auditable
#
# Source: https://frame.sh/
# GitHub: https://github.com/floating/frame
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
header() { echo -e "${BLUE}=== $* ===${NC}"; }
header "Frame Wallet Installation"
echo ""
echo "Frame is a privacy-focused system-wide web3 wallet"
echo ""
echo "This script will:"
echo " 1. Install Frame from official .deb package"
echo " 2. Create launcher with Wayland compatibility"
echo " 3. Add desktop entry with proper Electron flags"
echo ""
read -p "Continue? [Y/n]: " confirm
[[ "${confirm:-Y}" =~ ^[Nn] ]] && exit 0
# ==============================================================================
# Check if already installed
# ==============================================================================
if command -v frame &>/dev/null; then
log "Frame is already installed at $(which frame)"
echo ""
read -p "Reinstall/update? [y/N]: " reinstall
[[ ! "${reinstall:-N}" =~ ^[Yy] ]] && exit 0
fi
# ==============================================================================
# Install Frame
# ==============================================================================
header "Installing Frame"
# Method 1: Try apt repository first
log "Checking for Frame in apt..."
if apt-cache show frame &>/dev/null 2>&1; then
log "Installing from apt repository..."
sudo apt update
sudo apt install -y frame
else
# Method 2: Download .deb from GitHub releases
log "Downloading from GitHub releases..."
LATEST_URL=$(curl -s https://api.github.com/repos/floating/frame/releases/latest \
| grep "browser_download_url.*amd64.deb" \
| cut -d '"' -f 4 \
| head -1)
if [ -z "$LATEST_URL" ]; then
error "Could not find latest Frame .deb release"
fi
log "Downloading from: $LATEST_URL"
cd /tmp
curl -L -o frame.deb "$LATEST_URL"
log "Installing .deb package..."
sudo apt install -y ./frame.deb
rm frame.deb
fi
# ==============================================================================
# Create X11 Launcher (Wayland has issues with Electron)
# ==============================================================================
header "Creating X11 Launcher"
mkdir -p ~/bin
cat > ~/bin/frame << 'EOF'
#!/bin/bash
# Frame launcher - Force X11 for stability (Wayland has issues with Electron)
exec /opt/Frame/frame --ozone-platform=x11 "$@"
EOF
chmod +x ~/bin/frame
log "Created ~/bin/frame launcher"
# ==============================================================================
# Create desktop entry
# ==============================================================================
header "Creating Desktop Entry"
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/frame.desktop << 'EOF'
[Desktop Entry]
Name=Frame
Comment=System-wide web3 wallet
Exec=/home/e/bin/frame %U
Terminal=false
Type=Application
Icon=frame
StartupWMClass=Frame
Categories=Utility;Finance;
EOF
# Update icon path
sed -i "s|/home/e|$HOME|g" ~/.local/share/applications/frame.desktop
log "Created desktop entry"
# ==============================================================================
# Verify Installation
# ==============================================================================
header "Verifying Installation"
echo ""
if [ -f /opt/Frame/frame ]; then
echo " ✅ Frame binary installed at /opt/Frame/frame"
else
echo " ❌ Frame binary not found"
fi
if [ -f ~/bin/frame ]; then
echo " ✅ Wayland launcher created at ~/bin/frame"
else
echo " ❌ Launcher not created"
fi
if [ -f ~/.local/share/applications/frame.desktop ]; then
echo " ✅ Desktop entry created"
else
echo " ❌ Desktop entry not created"
fi
# ==============================================================================
# Usage Instructions
# ==============================================================================
echo ""
header "Installation Complete"
echo ""
echo "Usage:"
echo " frame - Launch Frame wallet"
echo ""
echo "Features:"
echo " - Connect hardware wallets (Ledger, Trezor, GridPlus)"
echo " - Multi-chain support (ETH, OP, ARB, MATIC, etc.)"
echo " - System tray integration"
echo " - Privacy-focused (no tracking)"
echo ""
echo "Wayland Notes:"
echo " - Launcher uses --ozone-platform-hint=auto for auto-detection"
echo " - Edit ~/bin/frame if you need to force X11 or Wayland mode"
echo ""
echo "📖 Documentation: https://docs.frame.sh/"
echo "🔗 GitHub: https://github.com/floating/frame"
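Review bot: the `apt-cache show frame` check only asks whether some package named `frame` exists in the configured repositories; the script never adds a Frame repository, so on a system where that name resolves to an unrelated package this branch would install it as if it were the wallet. Drop the apt branch or gate it on a repository the script has explicitly configured. The GitHub branch then installs the .deb with no checksum or signature check, which for software that handles signing keys deserves at least the verification flow this commit documents for Cryptomator. The status text also contradicts the code: `~/bin/frame` passes `--ozone-platform=x11`, yet the verification step calls it a "Wayland launcher" and the closing "Wayland Notes" claim `--ozone-platform-hint=auto`; and `Exec=/home/e/bin/frame` followed by a `sed` rewrite can simply be an unquoted heredoc with `Exec=$HOME/bin/frame %U`.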

155
tools/librewolf/install.sh Executable file

@ -0,0 +1,155 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# LibreWolf Browser Installation
# ==============================================================================
# Privacy-focused Firefox fork with enhanced security defaults
# - No telemetry
# - uBlock Origin pre-installed
# - Enhanced tracking protection
# - Privacy-respecting search defaults
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
section "LibreWolf Browser Installation"
echo ""
# Check if already installed
if command -v librewolf &>/dev/null; then
log "LibreWolf already installed: $(librewolf --version 2>/dev/null | head -1 || echo 'version check failed')"
read -p "Reinstall/upgrade? [y/N] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Skipping installation"
exit 0
fi
fi
# Detect distro
if [ -f /etc/os-release ]; then
. /etc/os-release
DISTRO="${ID:-unknown}"
DISTRO_VERSION="${VERSION_CODENAME:-${VERSION_ID:-unknown}}"
else
error "Cannot detect distribution"
exit 1
fi
log "Detected: $DISTRO $DISTRO_VERSION"
case "$DISTRO" in
debian|ubuntu|linuxmint|pop)
section "Installing via LibreWolf APT Repository"
# Install dependencies
log "Installing dependencies..."
sudo apt update
sudo apt install -y curl gnupg lsb-release apt-transport-https ca-certificates
# Add LibreWolf repo
log "Adding LibreWolf repository..."
# Get the distro codename (LibreWolf uses Debian/Ubuntu codenames)
if [[ "$DISTRO" == "debian" ]]; then
REPO_CODENAME="$DISTRO_VERSION"
elif [[ "$DISTRO" == "ubuntu" || "$DISTRO" == "linuxmint" || "$DISTRO" == "pop" ]]; then
# For Ubuntu derivatives, try to get the Ubuntu base codename
REPO_CODENAME="$DISTRO_VERSION"
else
REPO_CODENAME="bookworm" # Fallback to Debian stable
fi
# Download and add the signing key
curl -fsSL https://deb.librewolf.net/keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/librewolf.gpg
# Add the repository
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/librewolf.gpg] https://deb.librewolf.net $REPO_CODENAME main" | \
sudo tee /etc/apt/sources.list.d/librewolf.list > /dev/null
# Update and install
log "Installing LibreWolf..."
sudo apt update
sudo apt install -y librewolf
;;
fedora|rhel|centos)
section "Installing via LibreWolf RPM Repository"
# Add LibreWolf repo
log "Adding LibreWolf repository..."
sudo dnf config-manager --add-repo https://rpm.librewolf.net/librewolf-repo.repo
# Install
log "Installing LibreWolf..."
sudo dnf install -y librewolf
;;
arch|manjaro|endeavouros)
section "Installing via AUR"
if command -v yay &>/dev/null; then
log "Installing via yay..."
yay -S --noconfirm librewolf-bin
elif command -v paru &>/dev/null; then
log "Installing via paru..."
paru -S --noconfirm librewolf-bin
else
warn "No AUR helper found (yay/paru)"
log "Installing librewolf-bin manually..."
cd /tmp
git clone https://aur.archlinux.org/librewolf-bin.git
cd librewolf-bin
makepkg -si --noconfirm
cd ..
rm -rf librewolf-bin
fi
;;
*)
error "Unsupported distribution: $DISTRO"
log "Please install manually from: https://librewolf.net/installation/"
exit 1
;;
esac
# Verify installation
echo ""
if command -v librewolf &>/dev/null; then
section "Installation Complete!"
log "LibreWolf installed successfully"
log "Version: $(librewolf --version 2>/dev/null | head -1 || echo 'check manually')"
echo ""
log "Launch with: librewolf"
log "Documentation: https://librewolf.net/"
else
error "Installation may have failed - librewolf command not found"
exit 1
fi
echo ""
section "Privacy Features Enabled by Default"
echo ""
cat << 'EOF'
- Telemetry completely disabled
- uBlock Origin pre-installed
- Enhanced Tracking Protection (Strict)
- First-party isolation enabled
- Fingerprinting protection enabled
- HTTPS-Only Mode enabled
- WebRTC leak prevention
- Privacy-respecting search (DuckDuckGo default)
EOF
echo ""
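Review bot: for `linuxmint` and `pop` the comment says "try to get the Ubuntu base codename" but the code just copies `DISTRO_VERSION`, which is the derivative's own codename, so the `deb.librewolf.net` suite line will point at a suite that does not exist; use `${UBUNTU_CODENAME:-$VERSION_CODENAME}` from /etc/os-release for that branch. The `bookworm` fallback in the `else` arm is unreachable given the case patterns above it. In the AUR branch, `makepkg -si --noconfirm` builds and installs straight from a fresh clone; show the PKGBUILD for inspection before building rather than suppressing every prompt.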


@ -0,0 +1,140 @@
# Meeting Record - Private Voice Recording & Transcription
Local voice recording with live Whisper transcription. **All processing happens on your machine - no cloud APIs, no data leaves your computer.**
## Why This Exists
Most "AI voice recorders" (Plaud Note knockoffs, etc.) are just microphones that send your audio to cloud servers for processing. You're paying for hardware that:
- Sends your private conversations to unknown servers
- Requires monthly subscriptions after free tier
- May store/analyze your data for training or other purposes
- Stops working if the company shuts down
**Meeting Record** does the same thing, but locally. Your audio never leaves your machine.
## Features
- **Continuous recording** - Full audio backup of entire meeting
- **Live transcription** - See transcripts as you speak (10-second chunks)
- **Final transcription** - High-quality full transcription when you stop
- **100% local** - Uses whisper.cpp, no internet required
- **No subscriptions** - Free forever, you own it
## Installation
```bash
./install.sh
```
The installer will:
1. Install system dependencies (ffmpeg, pulseaudio-utils, build tools)
2. Clone and build whisper.cpp
3. Download the Whisper model (base.en by default - fast & good)
4. Install the `meeting-record` scripts to `~/bin/`
### Custom Options
```bash
# Use different model (tiny, base, small, medium, large)
WHISPER_MODEL=small.en ./install.sh
# Custom install location
WHISPER_CPP_DIR=/opt/whisper.cpp ./install.sh
# Custom bin directory
BIN_DIR=/usr/local/bin ./install.sh
```
## Usage
```bash
# Start recording (auto-named with timestamp)
meeting-record
# Named recording
meeting-record "client-call-acme-corp"
# 30-second test to verify setup
meeting-record-test
```
Press **Ctrl+C** to stop recording. The script will:
1. Stop audio capture
2. Generate a high-quality final transcript
3. Show you where all files are saved
## Output Files
After recording a meeting named "client-call", you'll find:
```
~/Recordings/meetings/client-call/
├── full-audio.wav # Complete recording (your backup)
├── live-transcript.txt # Real-time chunked transcription
├── final-transcript.txt # High-quality full transcription
├── chunks/
│ ├── chunk-0000.wav
│ ├── chunk-0001.wav
│ └── ...
└── transcripts/
├── chunk-0000.txt
├── chunk-0001.txt
└── ...
```
## Requirements
- Linux (Debian/Ubuntu/Fedora/Arch)
- PulseAudio or PipeWire (for audio capture)
- ~500MB disk space for whisper.cpp + model
## Model Options
| Model | Size | Speed | Quality | Best For |
|-------|------|-------|---------|----------|
| tiny.en | 75MB | Fastest | Basic | Quick notes |
| base.en | 148MB | Fast | Good | **Recommended** |
| small.en | 488MB | Medium | Better | Important meetings |
| medium.en | 1.5GB | Slow | Great | Accuracy-critical |
| large | 3GB | Slowest | Best | Maximum accuracy |
Change model with: `WHISPER_MODEL=small.en ./install.sh`
## Troubleshooting
**"parecord not found"**
```bash
sudo apt install pulseaudio-utils # Debian/Ubuntu
sudo dnf install pulseaudio-utils # Fedora
```
**"No audio being captured"**
- Check your default audio source: `pactl list sources`
- Make sure microphone is not muted
**"whisper-cli not found"**
- The installer should build this. If it failed, check cmake output
- You can rebuild: `cd ~/opt/whisper.cpp/build && cmake --build .`
**"meeting-record: command not found"**
- Add ~/bin to PATH: `export PATH="$HOME/bin:$PATH"`
- Add this to your `~/.bashrc` or `~/.zshrc`
## Privacy Comparison
| Feature | Cloud AI Recorders | Meeting Record |
|---------|-------------------|----------------|
| Audio processing | Remote servers | Local only |
| Data storage | Their servers | Your disk |
| Internet required | Yes | No |
| Monthly fees | Usually | Never |
| Works offline | No | Yes |
| You control data | No | Yes |
## License
MIT - Do whatever you want with it.
---
*Part of the [Privacy Toolkit](../../README.md) - Tools for digital sovereignty.*
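Review bot: the Output Files layout keeps `full-audio.wav`, every chunk WAV and every chunk transcript unencrypted under `~/Recordings/meetings/`, and the Privacy Comparison table stops at "Your disk"; for a tool whose pitch is keeping conversations private, add a short section on protecting that data at rest (full-disk encryption, or a Cryptomator vault from this toolkit, which ships in the same commit) and on removing `chunks/` and `transcripts/` once `final-transcript.txt` exists, since they duplicate the same content and multiply the copies that have to be protected.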

485
tools/meeting-record/install.sh Executable file

@ -0,0 +1,485 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Meeting Record Installation Script
# ==============================================================================
# Installs meeting-record - Local voice recording with live Whisper transcription
#
# Privacy Model:
# - All audio processing happens locally on YOUR machine
# - Uses whisper.cpp for transcription - no cloud APIs
# - No data leaves your computer, ever
# - Alternative to cloud-based "AI recorders" that harvest your conversations
#
# Features:
# - Continuous audio recording (full backup)
# - Live chunked transcription every 10 seconds
# - Final high-quality transcription on stop
# - Simple CLI interface
#
# Source: PAI (Personal AI Infrastructure)
# ==============================================================================
# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
step() { echo -e "${BLUE}[STEP]${NC} $*"; }
# Configuration
WHISPER_CPP_DIR="${WHISPER_CPP_DIR:-$HOME/opt/whisper.cpp}"
WHISPER_MODEL="${WHISPER_MODEL:-base.en}"
BIN_DIR="${BIN_DIR:-$HOME/bin}"
RECORDINGS_DIR="${RECORDINGS_DIR:-$HOME/Recordings/meetings}"
# Detect distro
detect_distro() {
if [ -f /etc/os-release ]; then
. /etc/os-release
echo "$ID"
else
error "Cannot detect distribution"
fi
}
# Install system dependencies
install_dependencies() {
step "Installing system dependencies..."
DISTRO=$(detect_distro)
case "$DISTRO" in
debian|ubuntu|pop)
sudo apt-get update
sudo apt-get install -y \
ffmpeg \
pulseaudio-utils \
build-essential \
git \
cmake
;;
fedora)
sudo dnf install -y \
ffmpeg \
pulseaudio-utils \
gcc-c++ \
git \
cmake
;;
arch|manjaro)
sudo pacman -S --noconfirm \
ffmpeg \
pulseaudio \
base-devel \
git \
cmake
;;
*)
warn "Unknown distro: $DISTRO"
warn "Please manually install: ffmpeg, pulseaudio-utils, build-essential, git, cmake"
;;
esac
log "System dependencies installed"
}
# Build whisper.cpp
install_whisper_cpp() {
step "Installing whisper.cpp..."
if [ -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then
log "whisper.cpp already installed at $WHISPER_CPP_DIR"
return 0
fi
# Clone if not exists
if [ ! -d "$WHISPER_CPP_DIR" ]; then
log "Cloning whisper.cpp..."
mkdir -p "$(dirname "$WHISPER_CPP_DIR")"
git clone https://github.com/ggerganov/whisper.cpp.git "$WHISPER_CPP_DIR"
fi
cd "$WHISPER_CPP_DIR"
# Build
log "Building whisper.cpp..."
mkdir -p build
cd build
cmake ..
cmake --build . --config Release -j$(nproc)
if [ ! -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then
error "whisper.cpp build failed - whisper-cli not found"
fi
log "whisper.cpp built successfully"
}
# Download Whisper model
download_model() {
step "Downloading Whisper model ($WHISPER_MODEL)..."
MODEL_FILE="$WHISPER_CPP_DIR/models/ggml-${WHISPER_MODEL}.bin"
if [ -f "$MODEL_FILE" ]; then
log "Model already exists: $MODEL_FILE"
return 0
fi
cd "$WHISPER_CPP_DIR"
# Use the download script
log "Downloading ggml-${WHISPER_MODEL}.bin..."
bash models/download-ggml-model.sh "$WHISPER_MODEL"
if [ ! -f "$MODEL_FILE" ]; then
error "Model download failed"
fi
log "Model downloaded: $MODEL_FILE"
}
# Install meeting-record scripts
install_scripts() {
step "Installing meeting-record scripts..."
mkdir -p "$BIN_DIR"
mkdir -p "$RECORDINGS_DIR"
# Get the directory where this install script lives
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Install meeting-record
cat > "$BIN_DIR/meeting-record" << 'SCRIPT'
#!/usr/bin/env bash
#
# meeting-record - Live meeting recorder with chunked transcription
#
# Usage:
# meeting-record [meeting-name]
# meeting-record "client-call-acme"
#
# Features:
# - Continuous audio recording (full backup)
# - Live chunked transcription every 10 seconds
# - Uses local Whisper models (privacy-respecting)
# - Separates recording from transcription (robust)
#
# Controls:
# - Ctrl+C to stop recording
#
set -euo pipefail
# Configuration - adjust paths as needed
WHISPER_BIN="${WHISPER_BIN:-$HOME/opt/whisper.cpp/build/bin/whisper-cli}"
WHISPER_MODEL="${WHISPER_MODEL:-$HOME/opt/whisper.cpp/models/ggml-base.en.bin}"
CHUNK_DURATION=10 # seconds
RECORDINGS_DIR="${RECORDINGS_DIR:-$HOME/Recordings/meetings}"
# Validate dependencies
command -v parecord >/dev/null 2>&1 || { echo "Error: parecord not found. Install pulseaudio-utils"; exit 1; }
command -v ffmpeg >/dev/null 2>&1 || { echo "Error: ffmpeg not found"; exit 1; }
[ -f "$WHISPER_BIN" ] || { echo "Error: whisper-cli not found at $WHISPER_BIN"; exit 1; }
[ -f "$WHISPER_MODEL" ] || { echo "Error: Whisper model not found at $WHISPER_MODEL"; exit 1; }
# Meeting name from argument or auto-generate
MEETING_NAME="${1:-meeting-$(date +%Y%m%d-%H%M%S)}"
MEETING_DIR="$RECORDINGS_DIR/$MEETING_NAME"
# Create directory structure
mkdir -p "$MEETING_DIR"/{chunks,transcripts}
# File paths
FULL_AUDIO="$MEETING_DIR/full-audio.wav"
LIVE_TRANSCRIPT="$MEETING_DIR/live-transcript.txt"
FINAL_TRANSCRIPT="$MEETING_DIR/final-transcript.txt"
PID_FILE="$MEETING_DIR/.recording.pid"
CHUNK_INDEX_FILE="$MEETING_DIR/.chunk_index"
# Initialize chunk index
echo "0" > "$CHUNK_INDEX_FILE"
# Cleanup function
cleanup() {
echo ""
echo "Stopping recording..."
# Kill all child processes
pkill -P $$ 2>/dev/null || true
# Kill from PID file
if [ -f "$PID_FILE" ]; then
while read -r PID; do
kill "$PID" 2>/dev/null || true
done < "$PID_FILE"
rm -f "$PID_FILE"
fi
echo "Generating final transcript..."
"$WHISPER_BIN" \
-m "$WHISPER_MODEL" \
-f "$FULL_AUDIO" \
-otxt \
-of "${FINAL_TRANSCRIPT%.txt}" \
--language en \
--threads 4 \
2>/dev/null || echo "Warning: Final transcription failed"
echo ""
echo "Recording complete!"
echo "Location: $MEETING_DIR"
echo "Audio: $FULL_AUDIO"
echo "Live transcript: $LIVE_TRANSCRIPT"
echo "Final transcript: $FINAL_TRANSCRIPT"
rm -f "$CHUNK_INDEX_FILE"
exit 0
}
trap cleanup INT TERM
# Print header
echo "Meeting Recorder - Live Transcription"
echo "======================================"
echo "Meeting: $MEETING_NAME"
echo "Location: $MEETING_DIR"
echo "Model: $(basename "$WHISPER_MODEL")"
echo "Chunk size: ${CHUNK_DURATION}s"
echo ""
echo "Recording started - Press Ctrl+C to stop"
echo "======================================"
echo ""
# Start continuous audio recording
parecord \
--format=s16le \
--rate=16000 \
--channels=1 \
"$FULL_AUDIO" &
RECORD_PID=$!
echo "$RECORD_PID" > "$PID_FILE"
# Give recording time to start
sleep 1
# Chunk recorder and transcriber loop
while kill -0 $RECORD_PID 2>/dev/null; do
sleep "$CHUNK_DURATION"
CHUNK_NUM=$(cat "$CHUNK_INDEX_FILE")
CHUNK_FILE="$MEETING_DIR/chunks/chunk-$(printf '%04d' $CHUNK_NUM).wav"
TRANSCRIPT_FILE="$MEETING_DIR/transcripts/chunk-$(printf '%04d' $CHUNK_NUM).txt"
# Get duration of current recording
DURATION=$(ffprobe -v error -show_entries format=duration -of default=noprint_wrappers=1:nokey=1 "$FULL_AUDIO" 2>/dev/null || echo "0")
# Handle N/A or invalid duration
if [[ "$DURATION" == "N/A" ]] || [[ ! "$DURATION" =~ ^[0-9.]+$ ]]; then
DURATION="0"
fi
DURATION_INT=${DURATION%.*}
if [ "$DURATION_INT" -ge "$CHUNK_DURATION" ]; then
START_TIME=$((DURATION_INT - CHUNK_DURATION))
# Extract chunk
ffmpeg -ss $START_TIME -i "$FULL_AUDIO" -t $CHUNK_DURATION -c copy "$CHUNK_FILE" -y 2>/dev/null
# Transcribe chunk in background
(
"$WHISPER_BIN" \
-m "$WHISPER_MODEL" \
-f "$CHUNK_FILE" \
-otxt \
-of "$MEETING_DIR/transcripts/chunk-$(printf '%04d' $CHUNK_NUM)" \
--language en \
--threads 2 \
--no-timestamps \
2>/dev/null
if [ -f "$TRANSCRIPT_FILE" ]; then
TIMESTAMP=$(date '+%H:%M:%S')
echo "[$TIMESTAMP] $(cat "$TRANSCRIPT_FILE")" >> "$LIVE_TRANSCRIPT"
echo "[$(date '+%H:%M:%S')] Chunk $CHUNK_NUM transcribed"
fi
) &
echo $((CHUNK_NUM + 1)) > "$CHUNK_INDEX_FILE"
fi
done
cleanup
SCRIPT
chmod +x "$BIN_DIR/meeting-record"
log "Installed: $BIN_DIR/meeting-record"
# Install meeting-record-test
cat > "$BIN_DIR/meeting-record-test" << 'SCRIPT'
#!/usr/bin/env bash
#
# meeting-record-test - Test the meeting recorder for 30 seconds
#
echo "Testing meeting recorder for 30 seconds..."
echo "Please speak during this test so we can verify transcription."
echo ""
# Start recording in background
meeting-record "test-$(date +%Y%m%d-%H%M%S)" &
TEST_PID=$!
# Wait 30 seconds
sleep 30
# Stop recording
kill -INT $TEST_PID 2>/dev/null
# Wait for cleanup
wait $TEST_PID 2>/dev/null
echo ""
echo "Test complete! Check the output above for results."
SCRIPT
chmod +x "$BIN_DIR/meeting-record-test"
log "Installed: $BIN_DIR/meeting-record-test"
}
# Update script to use correct paths
update_paths() {
step "Configuring paths..."
# Update the installed script with correct whisper.cpp path
sed -i "s|\$HOME/opt/whisper.cpp|$WHISPER_CPP_DIR|g" "$BIN_DIR/meeting-record"
log "Paths configured"
}
# Verify installation
verify_installation() {
step "Verifying installation..."
local errors=0
# Check whisper-cli
if [ -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then
log "whisper-cli: OK"
else
warn "whisper-cli: NOT FOUND"
((errors++))
fi
# Check model
if [ -f "$WHISPER_CPP_DIR/models/ggml-${WHISPER_MODEL}.bin" ]; then
log "Whisper model: OK"
else
warn "Whisper model: NOT FOUND"
((errors++))
fi
# Check ffmpeg
if command -v ffmpeg >/dev/null 2>&1; then
log "ffmpeg: OK"
else
warn "ffmpeg: NOT FOUND"
((errors++))
fi
# Check parecord
if command -v parecord >/dev/null 2>&1; then
log "parecord: OK"
else
warn "parecord: NOT FOUND"
((errors++))
fi
# Check scripts
if [ -x "$BIN_DIR/meeting-record" ]; then
log "meeting-record script: OK"
else
warn "meeting-record script: NOT FOUND"
((errors++))
fi
# Check PATH
if echo "$PATH" | grep -q "$BIN_DIR"; then
log "$BIN_DIR in PATH: OK"
else
warn "$BIN_DIR not in PATH - add to your shell config:"
warn " export PATH=\"\$HOME/bin:\$PATH\""
fi
if [ $errors -eq 0 ]; then
log "All components verified!"
return 0
else
warn "$errors component(s) need attention"
return 1
fi
}
# Print usage
print_usage() {
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage:"
echo " meeting-record # Auto-named recording"
echo " meeting-record \"client-call\" # Named recording"
echo " meeting-record-test # 30-second test"
echo ""
echo "Output files are saved to: $RECORDINGS_DIR/<meeting-name>/"
echo " - full-audio.wav Complete recording"
echo " - live-transcript.txt Real-time transcription"
echo " - final-transcript.txt High-quality full transcription"
echo ""
echo "Privacy: All processing happens locally. No cloud APIs."
echo ""
}
# Main
main() {
echo "=== Meeting Record Installation ==="
echo ""
echo "This will install:"
echo " - whisper.cpp (local speech recognition)"
echo " - Whisper model: $WHISPER_MODEL"
echo " - meeting-record scripts"
echo ""
echo "Install location: $WHISPER_CPP_DIR"
echo "Scripts location: $BIN_DIR"
echo ""
read -p "Continue? [Y/n] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]?$ ]]; then
echo "Aborted."
exit 0
fi
echo ""
install_dependencies
install_whisper_cpp
download_model
install_scripts
update_paths
echo ""
verify_installation || true
print_usage
}
main "$@"
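Review bot: `update_paths` only rewrites the whisper.cpp directory, so an install run with a non-default model produces a broken `meeting-record`: the installer treats `WHISPER_MODEL` as a model name (`base.en`) while the embedded script reuses the same variable name as a file path defaulting to `$HOME/opt/whisper.cpp/models/ggml-base.en.bin`. With `WHISPER_MODEL=small.en ./install.sh`, the installer downloads `ggml-small.en.bin` but the installed script still looks for `ggml-base.en.bin`, and if the variable is still exported in the shell, `[ -f "$WHISPER_MODEL" ]` fails outright. Substitute the model filename in `update_paths` as well (`sed -i "s|ggml-base.en.bin|ggml-${WHISPER_MODEL}.bin|" "$BIN_DIR/meeting-record"`) or give the two variables different names. Separately, `install_whisper_cpp` builds and runs whatever `git clone` returns for upstream HEAD and `download_model` accepts the model file as downloaded; pin a release tag (`git clone --branch <tag>`) and record the expected model checksum so the install is reproducible. `SCRIPT_DIR` in `install_scripts` is assigned and never used.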

@ -0,0 +1,70 @@
# SimpleX Installation Notes
## ⚠️ Known Issues
### .deb Package Compatibility Problems
The official .deb packages (both Ubuntu 22.04 and 24.04) have library compatibility issues:
**Confirmed broken on:**
- ✗ Debian Trixie (crash: `SIGSEGV in libHSzstd`)
- ✗ Pop!_OS (various library issues)
**Root cause:**
- Complex dependency chain (Java, Haskell runtime, zstd, VLC libraries)
- Ubuntu-specific library versions
- Native library linking issues
## ✅ Recommended: AppImage
**Use the AppImage for ALL installations:**
```bash
cd ~/github/privacy-toolkit/tools/simplex
./install-appimage.sh
```
**Why AppImage works:**
- ✅ Bundles all dependencies
- ✅ No library conflicts
- ✅ Works on all distros
- ✅ Tested on Debian Trixie and Pop!_OS
## 📦 File Locations
After AppImage installation:
- **Binary**: `~/.local/bin/SimpleX.AppImage`
- **Desktop Entry**: `~/.local/share/applications/simplex.desktop`
- **Data** (unchanged): `~/.local/share/simplex/`
- **Config** (unchanged): `~/.config/simplex/`
## 🔄 Migrating from .deb to AppImage
If you tried the .deb first:
```bash
# Remove broken .deb
sudo apt remove simplex
sudo rm -rf /opt/simplex
# Install AppImage
./install-appimage.sh
# Your data is preserved (lives in ~/.local/share/simplex/)
```
## 📝 Testing Notes
| System | .deb Package | AppImage |
|--------|-------------|----------|
| Debian Trixie (glibc 2.41) | ✗ Crashes | ✅ Works |
| Pop!_OS 22.04 | ✗ Issues | ✅ Works |
| Ubuntu 24.04 native | ? Unknown | ✅ Works |
**Conclusion**: Always use AppImage for SimpleX.
---
**Last Updated**: 2025-11-12
**Tested On**: Debian Trixie, Pop!_OS
**Recommendation**: AppImage only
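Review bot: the install command under Recommended hard-codes the author's checkout location (`cd ~/github/privacy-toolkit/tools/simplex`), which fails for anyone who cloned the repository anywhere else; give the command relative to the repository root (`./tools/simplex/install-appimage.sh`) instead. Since this file records the .deb as crashing on both tested systems, it should also say explicitly that `install.sh` in the same directory is the deprecated path, so a reader who opens that script first is not sent the wrong way.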

168
tools/simplex/README.md Normal file
@ -0,0 +1,168 @@
# SimpleX Chat - Private Messaging Without Identifiers
**The most private messaging app - no phone number, email, or username required**
## 🎯 Threat Model
### What Problem Does This Solve?
Most "encrypted" messaging apps still leak critical metadata:
- **Phone/Email Linking**: Signal, WhatsApp, Telegram require phone numbers
- **Username Tracking**: Session, Threema use permanent usernames
- **Contact Graph**: Servers know who talks to whom
- **Central Compromise**: Single point of failure if servers are seized
### How SimpleX is Different
**No User Identifiers**
- No phone number
- No email address
- No username
- No blockchain address
- **Nothing** that identifies you across connections
**Each Contact is Isolated**
- Every contact uses different message routing
- Server can't build a social graph
- Compromise of one contact doesn't expose others
**Decentralized Infrastructure**
- Run your own server or use defaults
- Messages routed through different servers
- Ephemeral message queues (deleted after delivery)
## 🔐 Privacy Features
- ✅ End-to-end encryption (Signal Double Ratchet + post-quantum)
- ✅ Perfect forward secrecy
- ✅ No metadata leakage to servers
- ✅ Disappearing messages
- ✅ Incognito mode (temporary identities)
- ✅ Voice/video calls (also E2E encrypted)
- ✅ Group chats (fully decentralized)
- ✅ File sharing (encrypted)
## 🚀 Installation
### Debian Trixie (glibc 2.40+)
```bash
cd ~/github/privacy-toolkit
./tools/simplex/install.sh
```
The script automatically selects:
- **Ubuntu 24.04 package** for Debian Trixie
- **Ubuntu 22.04 package** for older systems
### Manual Installation
Check your glibc version:
```bash
ldd --version | head -1
```
- If glibc ≥ 2.39: Download ubuntu-24-04 package
- If glibc < 2.39: Download ubuntu-22-04 package
Download from: https://github.com/simplex-chat/simplex-chat/releases/latest
## 📖 Usage
### First Launch
1. Open SimpleX from application menu
2. Choose "Create new profile"
3. Set display name (not sent to servers!)
4. Optionally set profile image
### Adding Contacts
1. Click "+" → "Add contact"
2. Share your connection link OR
3. Scan contact's QR code
**Important**: Each contact gets a unique connection link. You can't be tracked across contacts.
### Restoring from Backup
If you have a backup (from `/tmp/restore-simplex.sh`):
1. Launch SimpleX
2. It will automatically detect restored data
3. Verify your contacts appear
4. Database files are at `~/.local/share/simplex/`
## 🔒 Security Best Practices
### Message Retention
- Enable disappearing messages for sensitive conversations
- Default: Messages stored locally forever
- Recommendation: 1 week retention for most chats
### Connection Security
- **Delete old connection links** after contact accepts
- Use **incognito mode** for temporary conversations
- **Verify contact fingerprints** for high-security conversations
### Server Trust
- Default servers are run by SimpleX team (good reputation)
- For maximum privacy: Run your own SimpleX server
- Or use community servers you trust
### Backup Your Data
SimpleX stores everything locally:
```bash
~/.local/share/simplex/ # Databases
~/.config/simplex/ # Settings
```
**Backup regularly!** If you lose this data, you lose all messages.
## 🆚 Comparison with Other Apps
| Feature | SimpleX | Signal | Session | Matrix |
|---------|---------|--------|---------|--------|
| No phone/email | ✅ | ❌ | ✅ | ✅ |
| No username | ✅ | ❌ | ❌ | ❌ |
| No user ID at all | ✅ | ❌ | ❌ | ❌ |
| Decentralized routing | ✅ | ❌ | ✅ | ✅ |
| Contact graph hidden | ✅ | ❌ | ❌ | Partial |
| Post-quantum crypto | ✅ | Partial | ❌ | ❌ |
| Metadata resistance | Excellent | Good | Good | Moderate |
## 🛠️ Advanced: Run Your Own Server
For maximum privacy, run your own SimpleX SMP server:
```bash
# Docker method
docker run -d \
--name simplex-smp \
-p 5223:5223 \
simplexchat/smp-server
# Configure SimpleX app to use your server
```
Instructions: https://github.com/simplex-chat/simplexmq#smp-server
## 🔗 Resources
- Official Website: https://simplex.chat/
- Documentation: https://simplex.chat/docs/
- GitHub: https://github.com/simplex-chat/simplex-chat
- Security Audit: https://simplex.chat/blog/simplex-chat-v5.8-private-message-routing-chat-themes/
- Whitepaper: https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md
## ⚠️ Limitations
- **No cloud sync**: Messages are device-local only
- **Manual backups**: You must backup yourself
- **Contact management**: Need to share new links for each contact
- **Group limitations**: Decentralized groups have size limits
**Trade-off**: Maximum privacy requires some inconvenience. SimpleX chooses privacy over convenience.
---
**Maintained by**: SimpleX Chat team
**License**: AGPL-3.0
**Last Updated**: 2025-11-12
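Review bot: the Installation section still directs Debian Trixie users to `./tools/simplex/install.sh` (the .deb path) even though the installation notes in this same directory record that package as crashing on Trixie and Pop!_OS and recommend `install-appimage.sh` for all installs; point the README at the AppImage script and move the .deb instructions under a caveat. The glibc threshold is inconsistent as well: the heading says `glibc 2.40+`, the manual steps say `≥ 2.39`, and `install.sh` tests `> "2.39"`; settle on one value. Under Restoring from Backup, `/tmp/restore-simplex.sh` is not part of this repository, so either add the script or drop the reference.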

107
tools/simplex/install-appimage.sh Executable file
@ -0,0 +1,107 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# SimpleX AppImage Installation (Recommended for Debian Trixie)
# ==============================================================================
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
echo "=== SimpleX AppImage Installation ==="
echo ""
log "Fetching latest release info..."
LATEST_RELEASE=$(curl -s https://api.github.com/repos/simplex-chat/simplex-chat/releases/latest)
# Get AppImage URL
APPIMAGE_URL=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "simplex-desktop-x86_64.AppImage") | .browser_download_url')
# Get SHA256 checksum URL
CHECKSUM_URL=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "simplex-desktop-x86_64.AppImage.sha256sum") | .browser_download_url')
if [ -z "$APPIMAGE_URL" ]; then
error "Could not find AppImage in latest release"
fi
VERSION=$(echo "$LATEST_RELEASE" | jq -r '.tag_name')
log "Latest version: $VERSION"
log "AppImage URL: $APPIMAGE_URL"
# Download AppImage
log "Downloading SimpleX AppImage..."
mkdir -p ~/.local/bin
cd /tmp
wget --show-progress -O SimpleX.AppImage "$APPIMAGE_URL"
# Download and verify checksum
if [ -n "$CHECKSUM_URL" ]; then
log "Downloading checksum..."
wget -q -O SimpleX.AppImage.sha256sum "$CHECKSUM_URL"
log "Verifying checksum..."
if sha256sum -c SimpleX.AppImage.sha256sum 2>&1 | grep -q "OK"; then
log "✅ Checksum verified"
else
error "Checksum verification failed! Download may be corrupted or compromised."
fi
rm SimpleX.AppImage.sha256sum
else
warn "⚠️ No checksum file found - skipping verification"
warn "This is less secure. Continue anyway? [y/N]"
read -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Installation cancelled"
rm SimpleX.AppImage
exit 0
fi
fi
# Install to ~/.local/bin
log "Installing to ~/.local/bin..."
mv SimpleX.AppImage ~/.local/bin/
chmod +x ~/.local/bin/SimpleX.AppImage
# Create simplex symlink for easier CLI access
log "Creating 'simplex' symlink..."
ln -sf ~/.local/bin/SimpleX.AppImage ~/.local/bin/simplex
# Create desktop entry
log "Creating desktop entry..."
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/simplex.desktop << DESKTOP
[Desktop Entry]
Name=SimpleX
Comment=Private messaging without identifiers
Exec=$HOME/.local/bin/SimpleX.AppImage
Icon=simplex
Type=Application
Categories=Network;Chat;
DESKTOP
log "✅ SimpleX installed successfully!"
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Launch from:"
echo " • Application menu: 'SimpleX'"
echo " • Terminal: simplex"
echo " • Or: ~/.local/bin/SimpleX.AppImage"
echo ""
echo "Your restored data:"
echo " ~/.local/share/simplex/ (messages, contacts)"
echo " ~/.config/simplex/ (settings)"
echo ""
echo "First launch:"
echo " SimpleX should automatically detect your restored data"
echo " Verify your contacts and messages appear"
echo ""
echo "📖 Documentation: https://simplex.chat/docs/"
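Review bot: the checksum step at `sha256sum -c SimpleX.AppImage.sha256sum` is likely to fail for the wrong reason: the binary is saved as `SimpleX.AppImage` (`wget --show-progress -O SimpleX.AppImage "$APPIMAGE_URL"`), but the `.sha256sum` asset is, by its name, for `simplex-desktop-x86_64.AppImage`, and `sha256sum -c` looks up the filename recorded inside the checksum file. Download under the original asset name (or compare `sha256sum SimpleX.AppImage | cut -d' ' -f1` against the first field of the checksum file) and rely on the exit status with `sha256sum -c --status` rather than `grep -q "OK"`. Two further points: the checksum comes from the same GitHub release as the binary, so it detects a corrupted download but not a replaced one, which is worth saying in the `log` message; and the files land at fixed paths under `/tmp`, so use `mktemp -d` to avoid collisions on a shared host.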

107
tools/simplex/install.sh Executable file
@ -0,0 +1,107 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# SimpleX Installation Script
# ==============================================================================
# Installs SimpleX Chat - E2E encrypted messaging without identifiers
#
# Threat Model:
# - Phone number linking (Signal, WhatsApp require phone)
# - Metadata correlation (most messengers link messages to identities)
# - Central server compromise (centralized messengers)
# - Contact graph analysis (who talks to whom)
#
# How SimpleX Protects:
# - No user identifiers (no phone, email, username)
# - Decentralized message routing
# - Ephemeral message queues
# - Perfect forward secrecy
# - No contact graph (each contact uses different routing)
#
# Source: https://simplex.chat/
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
echo "=== SimpleX Chat Installation ==="
echo ""
# Detect system
log "Detecting system..."
GLIBC_VERSION=$(ldd --version | head -1 | awk '{print $NF}')
DEBIAN_VERSION=$(cat /etc/debian_version 2>/dev/null || echo "unknown")
log "System info:"
log " Debian: $DEBIAN_VERSION"
log " glibc: $GLIBC_VERSION"
echo ""
# Determine which package to use
if [[ "$DEBIAN_VERSION" == "13"* ]] || [[ "$GLIBC_VERSION" > "2.39" ]]; then
PACKAGE_VERSION="24-04"
log "✅ Debian Trixie detected - using Ubuntu 24.04 package"
else
PACKAGE_VERSION="22-04"
warn "Older Debian/Ubuntu detected - using Ubuntu 22.04 package"
fi
echo ""
log "Fetching latest SimpleX release..."
LATEST_RELEASE=$(curl -s https://api.github.com/repos/simplex-chat/simplex-chat/releases/latest)
VERSION=$(echo "$LATEST_RELEASE" | jq -r '.tag_name')
if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
error "Could not fetch latest version"
fi
log "Latest version: $VERSION"
# Construct download URL
PACKAGE_NAME="simplex-desktop-x86_64-ubuntu-${PACKAGE_VERSION}.deb"
DOWNLOAD_URL="https://github.com/simplex-chat/simplex-chat/releases/download/${VERSION}/${PACKAGE_NAME}"
log "Download URL: $DOWNLOAD_URL"
echo ""
# Download
log "Downloading SimpleX Desktop..."
cd /tmp
wget -O simplex-desktop.deb "$DOWNLOAD_URL"
# Install
log "Installing SimpleX Desktop..."
sudo apt install -y ./simplex-desktop.deb
# Cleanup
rm simplex-desktop.deb
log "✅ SimpleX installed successfully!"
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage:"
echo " 1. Launch 'SimpleX' from application menu"
echo " 2. Create new profile OR restore from backup"
echo " 3. Share your connection link with contacts"
echo " 4. No phone number, email, or username required!"
echo ""
echo "Key Features:"
echo " • No user identifiers - truly anonymous"
echo " • Each contact uses different routing"
echo " • Decentralized message queues"
echo " • Perfect forward secrecy"
echo " • Disappearing messages"
echo ""
echo "📖 Documentation: https://simplex.chat/docs/"
echo "🔒 Security: https://simplex.chat/blog/simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm/"
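Review bot: `sudo apt install -y ./simplex-desktop.deb` installs an unverified download with root privileges; nothing between `wget -O simplex-desktop.deb "$DOWNLOAD_URL"` and the install checks a hash or signature, whereas the sibling `install-appimage.sh` at least fetches the release checksum. Pull the release's checksum asset, verify before handing the file to apt, and fail closed when it is missing. The glibc test `[[ "$GLIBC_VERSION" > "2.39" ]]` is a lexical string comparison: it sends glibc 2.39 exactly to the 22.04 package although the README promises 24.04 for `≥ 2.39`, and it misorders any three-digit minor version; compare with `sort -V` instead (e.g. `[ "$(printf '%s\n' 2.39 "$GLIBC_VERSION" | sort -V | head -1)" = 2.39 ]`). Given the notes file in this commit records this .deb as crashing on Trixie, the `✅ Debian Trixie detected` message is also misleading; at minimum warn and point to the AppImage installer.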

109
tools/veracrypt/install.sh Executable file
@ -0,0 +1,109 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# VeraCrypt Installation Script
# ==============================================================================
# Installs VeraCrypt - Full disk encryption and encrypted containers
#
# Threat Model:
# - Physical device theft (laptop, USB drive)
# - Data at rest without protection
# - Border crossing device searches
# - Forensic analysis of seized devices
#
# How VeraCrypt Protects:
# - Full disk encryption (entire drive encrypted)
# - Encrypted containers (virtual encrypted disks)
# - Plausible deniability (hidden volumes)
# - Multiple encryption algorithms
# - Pre-boot authentication
#
# Source: https://veracrypt.fr/
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
echo "=== VeraCrypt Installation ==="
echo ""
# Detect architecture
ARCH=$(uname -m)
if [ "$ARCH" = "x86_64" ]; then
ARCH_SUFFIX="amd64"
else
error "Unsupported architecture: $ARCH (only x86_64 supported)"
fi
log "Fetching latest VeraCrypt version..."
# Get latest version from SourceForge (VeraCrypt's official host)
# Note: This is simplified - you may want to hardcode a version for stability
LATEST_VERSION="1.26.7" # Update this manually for stability
warn "Using VeraCrypt version $LATEST_VERSION"
# Construct download URL
BASE_URL="https://launchpad.net/veracrypt/trunk/${LATEST_VERSION}/+download"
DEB_FILE="veracrypt-${LATEST_VERSION}-Debian-12-${ARCH_SUFFIX}.deb"
DOWNLOAD_URL="${BASE_URL}/${DEB_FILE}"
log "Download URL: $DOWNLOAD_URL"
echo ""
warn "⚠️ IMPORTANT: You should verify the PGP signature!"
warn "Official instructions: https://veracrypt.fr/en/Digital%20Signatures.html"
echo ""
read -p "Continue with installation? [y/N] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Installation cancelled"
exit 0
fi
log "Downloading VeraCrypt..."
cd /tmp
wget -O veracrypt.deb "$DOWNLOAD_URL"
log "Installing VeraCrypt..."
sudo apt install -y ./veracrypt.deb
rm veracrypt.deb
log "✅ VeraCrypt installed successfully!"
echo ""
echo "=== Installation Complete ==="
echo ""
echo "Usage:"
echo ""
echo " GUI:"
echo " veracrypt"
echo ""
echo " Create encrypted container:"
echo " 1. Launch VeraCrypt"
echo " 2. Click 'Create Volume'"
echo " 3. Choose 'Create an encrypted file container'"
echo " 4. Follow wizard"
echo ""
echo " Mount existing container:"
echo " 1. Launch VeraCrypt"
echo " 2. Select slot (1-20)"
echo " 3. Click 'Select File'"
echo " 4. Choose your .vc file"
echo " 5. Click 'Mount'"
echo " 6. Enter password"
echo ""
echo "⚠️ Security Tips:"
echo " - Use strong passwords (20+ characters)"
echo " - Store backup of volume header"
echo " - Never forget your password (no recovery!)"
echo " - Unmount before shutdown/sleep"
echo ""
echo "📖 Documentation: https://veracrypt.fr/en/Documentation.html"
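Review bot: the script tells the user to verify the PGP signature (`warn "⚠️  IMPORTANT: You should verify the PGP signature!"`) and then runs `sudo apt install -y ./veracrypt.deb` without doing so, which turns the warning into a formality for anyone who presses `y`. Fetch the detached signature the linked Digital Signatures page describes alongside the .deb and run `gpg --verify` against the VeraCrypt release key before the prompt, exiting via `error` on failure. Two smaller points: `log "Fetching latest VeraCrypt version..."` and the comment above `LATEST_VERSION="1.26.7"` promise a lookup that never happens (the value is pinned, and the comment names SourceForge while the URL is Launchpad), so reword them to say the version is pinned; and the pinned package is the `Debian-12` build, so state that in the prompt so users on Debian 13 know the dependency set targets an older release.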

129
tools/yubico/README.md Normal file
@ -0,0 +1,129 @@
# Yubico Tools Suite
Hardware security key management and authentication tools for YubiKey.
## What's Included
| Tool | Purpose |
|------|---------|
| **YubiKey Manager** | GUI to configure YubiKey settings, FIDO2 PIN, OTP slots, PIV |
| **Yubico Authenticator** | TOTP/HOTP authenticator using YubiKey hardware |
| **yubico-piv-tool** | Command-line PIV/Smart Card operations |
## Threat Model
**Protects Against:**
- Phishing attacks (FIDO2/WebAuthn is phishing-resistant)
- TOTP code theft from compromised phone
- Password-only authentication weaknesses
- Remote key extraction (keys never leave hardware)
**Use Cases:**
- 2FA for online accounts (GitHub, Google, AWS, etc.)
- Password-less authentication via FIDO2
- SSH authentication with hardware keys
- Code signing with PIV certificates
## Installation
```bash
./install.sh
```
This will:
1. Install system dependencies (pcscd, smart card libs)
2. Download and install YubiKey Manager AppImage
3. Download and extract Yubico Authenticator
4. Download and extract yubico-piv-tool
5. Create launch scripts in ~/bin/
6. Create .desktop entries for app menu
## Dependencies
Installed automatically:
- `pcscd` - PC/SC smart card daemon
- `libpcsclite1` - Smart card library
- `libccid` - CCID driver for smart cards
- `libfuse2` - Required for AppImages
- `libu2f-udev` - udev rules for U2F devices
## Usage
### YubiKey Manager
```bash
yubikey-manager
# or
~/opt/yubico/yubikey-manager.AppImage
```
Configure:
- FIDO2 PIN
- OTP slots (Yubico OTP, static password, HOTP, Challenge-Response)
- PIV certificates and PINs
- Reset YubiKey to factory settings
### Yubico Authenticator
```bash
yubico-auth
# or
~/opt/yubico/authenticator/authenticator
```
Features:
- Scan QR codes to add TOTP/HOTP accounts
- Codes stored on YubiKey (not on computer)
- Touch YubiKey to reveal codes
- Works across devices (codes travel with YubiKey)
### yubico-piv-tool
```bash
~/opt/yubico/piv-tool/bin/yubico-piv-tool --help
# Generate key in slot 9a
yubico-piv-tool -a generate -s 9a -A RSA2048
# Import certificate
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
```
## Security Best Practices
1. **Set a strong FIDO2 PIN** - Required for WebAuthn
2. **Set PIV PINs** - Default is 123456, change immediately
3. **Keep backup keys** - Have a second YubiKey registered
4. **Store recovery codes** - For accounts using YubiKey 2FA
5. **Use touch requirement** - Enable touch for TOTP generation
## Troubleshooting
### YubiKey not detected
```bash
# Check pcscd service
sudo systemctl status pcscd
# Restart pcscd
sudo systemctl restart pcscd
# Check USB
lsusb | grep -i yubico
```
### Permission issues
```bash
# Add user to plugdev group
sudo usermod -aG plugdev $USER
# Log out and back in
```
### AppImage won't run
```bash
# Ensure libfuse2 is installed
sudo apt install libfuse2
```
## Resources
- [YubiKey Manager docs](https://docs.yubico.com/software/yubikey/tools/ykman/)
- [Yubico Authenticator docs](https://docs.yubico.com/yesdk/users-manual/application-oath/authenticator.html)
- [PIV Tool docs](https://developers.yubico.com/yubico-piv-tool/)
- [YubiKey Setup Guide](https://support.yubico.com/hc/en-us/articles/360013714479)
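Review bot: the yubico-piv-tool usage block mixes a full path (`~/opt/yubico/piv-tool/bin/yubico-piv-tool --help`) with bare `yubico-piv-tool -a generate -s 9a -A RSA2048` calls, but neither this README nor `install.sh` adds `~/opt/yubico/piv-tool/bin` to PATH, so the bare invocations fail; document the PATH addition or use the full path throughout. Under Security Best Practices, item 2 names only the PIV PIN default (`123456`); the PIV PUK (default `12345678`) and the management key have well-known defaults too and should be changed together, since the PUK can reset the PIN. The Dependencies list also does not match what `install.sh` installs (`libpcsclite-dev`, `swig`, `yubikey-personalization`, `qtwayland5`, `libqt5waylandclient5`, `python3-pip`, `python3-venv` are missing here); keep the two in sync or drop the README list in favour of the script.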

238
tools/yubico/install.sh Executable file
@ -0,0 +1,238 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Yubico Tools Installation Script
# ==============================================================================
# Installs the Yubico suite for YubiKey management and authentication
#
# Tools Installed:
# - YubiKey Manager (GUI) - Configure YubiKey settings, PINs, FIDO2, etc.
# - Yubico Authenticator - TOTP/HOTP authenticator using YubiKey
# - yubico-piv-tool - PIV (smart card) functionality
#
# Threat Model:
# - Phishing-resistant 2FA with hardware tokens
# - Password-less authentication via FIDO2/WebAuthn
# - Hardware-backed TOTP codes (can't be stolen from phone)
# - PIV/Smart card authentication for SSH, code signing
#
# Source: https://developers.yubico.com/
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
header() { echo -e "${BLUE}=== $* ===${NC}"; }
INSTALL_DIR="${HOME}/opt/yubico"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
header "Yubico Tools Installation"
echo ""
echo "This script will install:"
echo " 1. YubiKey Manager Qt (AppImage)"
echo " 2. Yubico Authenticator (for TOTP/HOTP)"
echo " 3. yubico-piv-tool (PIV/Smart Card support)"
echo ""
echo "Install location: $INSTALL_DIR"
echo ""
read -p "Continue? [Y/n]: " confirm
[[ "${confirm:-Y}" =~ ^[Nn] ]] && exit 0
# ==============================================================================
# Install Dependencies
# ==============================================================================
header "Installing Dependencies"
log "Installing system packages for smart card and YubiKey support..."
sudo apt update
sudo apt install -y \
pcscd \
libpcsclite1 \
libpcsclite-dev \
swig \
libccid \
libfuse2 \
libu2f-udev \
yubikey-personalization \
python3-pip \
python3-venv \
qtwayland5 \
libqt5waylandclient5
# Start pcscd service
log "Enabling pcscd service..."
sudo systemctl enable pcscd
sudo systemctl start pcscd
# ==============================================================================
# Create Install Directory
# ==============================================================================
mkdir -p "$INSTALL_DIR"
cd "$INSTALL_DIR"
# ==============================================================================
# Install YubiKey Manager Qt (AppImage)
# ==============================================================================
header "Installing YubiKey Manager Qt"
MANAGER_URL="https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-linux.AppImage"
log "Downloading from: $MANAGER_URL"
curl -L -o yubikey-manager.AppImage "$MANAGER_URL"
chmod +x yubikey-manager.AppImage
# Create desktop entry
log "Creating desktop entry..."
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/yubikey-manager.desktop << EOF
[Desktop Entry]
Name=YubiKey Manager
Comment=Configure your YubiKey
Exec=env QT_QPA_PLATFORM=xcb ${INSTALL_DIR}/yubikey-manager.AppImage
Icon=yubikey-manager
Type=Application
Categories=Utility;Security;
Terminal=false
EOF
log "✅ YubiKey Manager installed"
# ==============================================================================
# Install Yubico Authenticator
# ==============================================================================
header "Installing Yubico Authenticator"
AUTH_URL="https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz"
log "Downloading from: $AUTH_URL"
curl -L -o yubico-authenticator.tar.gz "$AUTH_URL"
tar -xzf yubico-authenticator.tar.gz
rm yubico-authenticator.tar.gz
# Find extracted directory (version varies)
AUTH_DIR=$(find . -maxdepth 1 -type d -name "yubico-authenticator*" | head -1)
if [ -n "$AUTH_DIR" ]; then
    # Replace any copy left by a previous run: 'mv' into an existing directory would nest it inside
    rm -rf authenticator
    mv "$AUTH_DIR" authenticator
    # Create desktop entry (heredoc body stays unindented so the file has no leading spaces)
    cat > ~/.local/share/applications/yubico-authenticator.desktop << EOF
[Desktop Entry]
Name=Yubico Authenticator
Comment=TOTP/HOTP authenticator for YubiKey
Exec=${INSTALL_DIR}/authenticator/authenticator
Icon=yubico-authenticator
Type=Application
Categories=Utility;Security;
Terminal=false
EOF
    log "✅ Yubico Authenticator installed"
else
    warn "Could not find authenticator directory after extraction"
fi
# ==============================================================================
# Install yubico-piv-tool
# ==============================================================================
header "Installing yubico-piv-tool"
PIV_URL="https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-latest.tar.gz"
log "Downloading from: $PIV_URL"
# -f: fail on HTTP errors rather than handing an error page to tar
curl -fL -o yubico-piv-tool.tar.gz "$PIV_URL"
tar -xzf yubico-piv-tool.tar.gz
rm yubico-piv-tool.tar.gz
# Find extracted directory
PIV_DIR=$(find . -maxdepth 1 -type d -name "yubico-piv-tool*" | head -1)
if [ -n "$PIV_DIR" ]; then
    # Replace any copy left by a previous run rather than nesting into it
    rm -rf piv-tool
    mv "$PIV_DIR" piv-tool
    # Add to PATH hint (if the release tarball is a source archive, bin/ exists only after building it)
    log "piv-tool binaries at: ${INSTALL_DIR}/piv-tool/bin/"
    log "✅ yubico-piv-tool installed"
else
    warn "Could not find piv-tool directory after extraction"
fi
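Added helper, not part of the original script: an idempotent form of the "extract, find the versioned directory, rename it" step used for the Authenticator and piv-tool tarballs above. It handles the cases the `find | head -1` pattern silently ignores (no match, several matches, a leftover directory from a previous run that `mv` would nest into). The function name is an assumption; version numbers in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original script): idempotent replacement for
# "AUTH_DIR=$(find . -maxdepth 1 -type d -name 'yubico-authenticator*' | head -1); mv $AUTH_DIR authenticator".
#
# relocate_extracted_dir <parent> <name-glob> <dest-name>
#   0 = moved, 1 = nothing matched, 2 = more than one match (ambiguous, nothing moved)
relocate_extracted_dir() {
    local parent pattern dest matches count
    parent="$1"; pattern="$2"; dest="$3"
    # Top-level directories matching the glob, excluding the destination name
    # itself so an earlier install never counts as a "new" extraction.
    matches=$(find "$parent" -mindepth 1 -maxdepth 1 -type d \
                   -name "$pattern" ! -name "$dest")
    if [ -z "$matches" ]; then
        echo "relocate: no directory matching '$pattern' in $parent" >&2
        return 1
    fi
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "relocate: $count directories match '$pattern'; refusing to guess" >&2
        return 2
    fi
    # Replace a leftover from an earlier run: 'mv src existing-dir' would put
    # src *inside* it instead of replacing it (e.g. a constructed
    # yubico-authenticator-7.1.0 ending up under authenticator/).
    rm -rf -- "$parent/$dest"
    mv -- "$matches" "$parent/$dest"
}
```

In the script above this would be called as `relocate_extracted_dir "$INSTALL_DIR" 'yubico-authenticator*' authenticator || warn "..."`, with the same check repeated for `'yubico-piv-tool*' piv-tool`.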
# ==============================================================================
# Create launch scripts
# ==============================================================================
header "Creating Launch Scripts"
mkdir -p ~/bin
# YubiKey Manager launcher (use xcb backend for Wayland compatibility)
cat > ~/bin/yubikey-manager << EOF
#!/bin/bash
# Use xcb (X11) backend - more reliable than Wayland for this AppImage
export QT_QPA_PLATFORM=xcb
exec ${INSTALL_DIR}/yubikey-manager.AppImage "\$@"
EOF
chmod +x ~/bin/yubikey-manager
# Yubico Authenticator launcher
cat > ~/bin/yubico-auth << EOF
#!/bin/bash
exec ${INSTALL_DIR}/authenticator/authenticator "\$@"
EOF
chmod +x ~/bin/yubico-auth
log "✅ Launch scripts created in ~/bin/ (make sure ~/bin is on your PATH)"
# ==============================================================================
# Verify Installation
# ==============================================================================
header "Verifying Installation"
echo ""
echo "Installed components:"
[ -f "$INSTALL_DIR/yubikey-manager.AppImage" ] && echo " ✅ YubiKey Manager AppImage" || echo " ❌ YubiKey Manager"
[ -d "$INSTALL_DIR/authenticator" ] && echo " ✅ Yubico Authenticator" || echo " ❌ Yubico Authenticator"
# Check the executable itself, not just the directory: a source tarball unpacks without a bin/
[ -x "$INSTALL_DIR/piv-tool/bin/yubico-piv-tool" ] && echo " ✅ yubico-piv-tool" || echo " ❌ yubico-piv-tool (bin/yubico-piv-tool not found)"
systemctl is-active --quiet pcscd && echo " ✅ pcscd service running" || echo " ⚠️ pcscd service not running"
# Check for YubiKey
echo ""
log "Checking for connected YubiKey..."
if ! command -v lsusb >/dev/null 2>&1; then
    # Without usbutils the detection below would misreport "no YubiKey"
    warn "lsusb not found (package usbutils); skipping YubiKey detection"
elif lsusb | grep -qi "yubico\|yubikey"; then
    echo " ✅ YubiKey detected!"
    lsusb | grep -i "yubico\|yubikey"
else
    warn "No YubiKey detected. Plug one in to use the tools."
fi
# ==============================================================================
# Usage Instructions
# ==============================================================================
echo ""
header "Installation Complete"
echo ""
echo "Usage:"
echo " yubikey-manager - Launch YubiKey Manager GUI"
echo " yubico-auth - Launch Yubico Authenticator"
echo ""
echo "YubiKey Manager can:"
echo " - Reset and configure YubiKey"
echo " - Manage FIDO2 PIN"
echo " - Configure OTP slots"
echo " - Manage PIV certificates"
echo ""
echo "Yubico Authenticator:"
echo " - Store TOTP/HOTP codes on YubiKey"
echo " - Codes stored in hardware (phishing-resistant)"
echo " - Scan QR codes to add accounts"
echo ""
echo "PIV Tool (command line):"
echo " ${INSTALL_DIR}/piv-tool/bin/yubico-piv-tool --help"
echo ""
echo "📖 Documentation: https://developers.yubico.com/"