Muhammed Shafin P

Qeltrix V3: Asymmetric Key Transport and the Universal Dispatcher Era

Secure Key Exchange Meets Content-Derived Encryption

I'm thrilled to announce Qeltrix V3, the most significant update yet to the content-derived encryption container format. This release introduces asymmetric key transport, metadata signing, multi-algorithm support, and the universal dispatcher (qltx.py) that brings seamless version management to the entire Qeltrix ecosystem.

What's New in V3?

1. Asymmetric Key Transport (V3-A Mode)

The headline feature of V3 is public/private key architecture. Unlike V1 and V2, which derive encryption keys from content, V3-A mode generates a random Data Encryption Key (DEK) and secures it using RSA-OAEP with the recipient's public key.

This means:

  • Secure Key Exchange: Only the intended recipient (with the private key) can decrypt the file
  • No Shared Secrets: No need to derive keys from content or exchange passwords
  • Multi-Recipient Support: Future versions could encrypt the DEK for multiple recipients

# Encrypt a file for a specific recipient
python3 qltx.py pack secret_report.pdf encrypted.qltx \
  --recipient-pub-key keys/alice_public.pem

The recipient unpacks using their private key:

# Only Alice can decrypt this
python3 qltx.py unpack encrypted.qltx report.pdf \
  --decrypt-priv-key keys/alice_private.pem

2. Optional Metadata Signing

V3 introduces sender authentication through RSA-PSS signature verification. When packing, you can sign the metadata block with your private key:

python3 qltx.py pack document.doc secure.qltx \
  --recipient-pub-key keys/bob_public.pem \
  --signer-priv-key keys/my_private.pem

Recipients can verify the sender's identity:

python3 qltx.py unpack secure.qltx document.doc \
  --decrypt-priv-key keys/bob_private.pem \
  --verifier-pub-key keys/sender_public.pem

This ensures:

  • Authenticity: Confirms the file came from the claimed sender
  • Integrity: Metadata hasn't been tampered with
  • Non-repudiation: The sender cannot deny creating the container

3. Multi-Algorithm Support

V3 adds AES-256-GCM as an alternative to ChaCha20-Poly1305:

# Use AES-256-GCM for bulk encryption
python3 qltx.py pack data.zip archive.qltx \
  --algo aes256 \
  --recipient-pub-key keys/recipient.pem

Choose based on your requirements:

  • ChaCha20-Poly1305 (default): Excellent software performance, constant-time
  • AES-256-GCM: Hardware acceleration on modern CPUs with AES-NI

4. The Universal Dispatcher: qltx.py

The biggest workflow improvement is the universal dispatcher script that automatically handles all Qeltrix versions (V1, V2, V3):

For Packing:

  • Analyzes your command-line arguments
  • Automatically selects the newest compatible version
  • Uses V3 if you specify --recipient-pub-key
  • Falls back to V2 for --compression zstd without asymmetric features
  • Defaults to V1 for basic operations

For Unpacking and Seeking:

  • Reads the file header to detect format version
  • Routes to the appropriate backend script
  • Handles all version-specific arguments transparently

You no longer need to remember which script to use!

# All of these "just work" - dispatcher handles everything
python3 qltx.py pack file.dat old_v1.qltx
python3 qltx.py pack file.dat v2_zstd.qltx --compression zstd
python3 qltx.py pack file.dat v3_asym.qltx --recipient-pub-key key.pem
python3 qltx.py unpack any_version.qltx output.dat

V3 Feature Matrix

Feature V1 V2 V3
Content-Derived Keys ✓ (optional)
Parallel Pack/Unpack
Random Access (seek)
Zstd Compression
Asymmetric Key Transport
Metadata Signing
AES-256-GCM Support
Universal Dispatcher

Complete V3 Usage Examples

Basic Asymmetric Encryption

# Generate RSA key pair (if needed)
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -out public.pem

# Pack with recipient's public key
python3 qltx.py pack confidential.xlsx secure.qltx \
  --recipient-pub-key public.pem

# Unpack with private key
python3 qltx.py unpack secure.qltx confidential.xlsx \
  --decrypt-priv-key private.pem

Signed and Encrypted Container

# Pack with encryption + signing
python3 qltx.py pack contract.pdf signed_encrypted.qltx \
  --recipient-pub-key recipient_pub.pem \
  --signer-priv-key my_private.pem

# Unpack with decryption + verification
python3 qltx.py unpack signed_encrypted.qltx contract.pdf \
  --decrypt-priv-key my_private.pem \
  --verifier-pub-key sender_pub.pem

Advanced Configuration

# V3-A with AES-256, Zstd compression, custom block size
python3 qltx.py pack bigdata.db archive.qltx \
  --recipient-pub-key ops_team_pub.pem \
  --algo aes256 \
  --compression zstd \
  --block-size 4194304 \
  --workers 16

Random Access in V3-A Files

# Seek works seamlessly with asymmetric encryption
python3 qltx.py seek encrypted.qltx 10485760 8192 \
  --decrypt-priv-key my_private.pem \
  --output section.bin

Security Model Evolution

V1/V2: Content-Derived Security

  • Key derived from file content (two-pass or single-pass)
  • Self-contained: no external key material needed
  • Best for: Archival, data obfuscation, self-securing containers

V3-A: Asymmetric Security

  • Random DEK secured with RSA-OAEP
  • Public/private key infrastructure
  • Optional sender authentication via RSA-PSS
  • Best for: Secure communication, multi-user scenarios, organizational workflows

Both models coexist! You can choose content-derived encryption (V1/V2 style) or asymmetric encryption (V3-A) based on your use case.

Migration Path

All Qeltrix versions are fully interoperable through the universal dispatcher:

  1. Existing V1/V2 Files: Continue to work perfectly
  2. New Projects: Use qltx.py for automatic version selection
  3. Gradual Adoption: Migrate to V3 features as needed
  4. Backward Compatibility: V3 tools can still create V1/V2-style containers

Installation

# All dependencies (unchanged from V2)
pip install lz4 cryptography zstandard

# The 'cryptography' library already includes RSA support

Real-World Use Cases for V3

Secure Document Delivery

# Legal firm sends encrypted contract to client
python3 qltx.py pack contract.pdf delivery.qltx \
  --recipient-pub-key client_public.pem \
  --signer-priv-key firm_private.pem

Organizational Backup with Authentication

# Backup operator creates signed archive
python3 qltx.py pack db_backup.sql backup.qltx \
  --recipient-pub-key ops_recovery_key.pem \
  --signer-priv-key backup_operator.pem \
  --compression zstd

Multi-Algorithm Performance Testing

# Compare ChaCha20 vs AES-256 on your hardware
python3 qltx.py pack testfile.bin chacha.qltx --algo chacha20
python3 qltx.py pack testfile.bin aes.qltx --algo aes256

Technical Architecture

Cryptographic Stack (V3-A)

  1. DEK Generation: 32-byte random key via os.urandom()
  2. Key Transport: RSA-OAEP-SHA256 encryption of DEK
  3. Bulk Encryption: ChaCha20-Poly1305 or AES-256-GCM
  4. Metadata Signing: RSA-PSS-SHA256 (optional)
  5. Integrity: Global SHA256 + per-block authentication tags

File Format Additions

The V3 metadata block includes:

  • "kek_encrypted_dek": Base64-encoded RSA-ciphertext of the DEK
  • "kek_algorithm": Currently "rsa-oaep-sha256"
  • "metadata_signature": Base64-encoded RSA-PSS signature (if signed)
  • "bulk_algo": "chacha20" or "aes256"
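
The V3-A key transport and metadata signing steps listed above, using the metadata field names from this section, as an added example that is not taken from qeltrix-3.py. The function names and the sorted-key JSON serialization of the signed fields are assumptions, and the keys are constructed for the demo.

```python
# Added illustration of the V3-A stack; all function names are hypothetical.
import base64, json, os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def canonical(meta):
    # Assumption: sign sorted-key JSON of every field except the signature itself.
    body = {k: v for k, v in meta.items() if k != "metadata_signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_metadata(recipient_pub, signer_priv=None, bulk_algo="chacha20"):
    dek = os.urandom(32)                            # step 1: random 32-byte DEK
    wrapped = recipient_pub.encrypt(dek, OAEP)      # step 2: RSA-OAEP-SHA256
    meta = {"kek_algorithm": "rsa-oaep-sha256",
            "kek_encrypted_dek": base64.b64encode(wrapped).decode(),
            "bulk_algo": bulk_algo}
    if signer_priv is not None:                     # step 4: RSA-PSS-SHA256
        sig = signer_priv.sign(canonical(meta), PSS, hashes.SHA256())
        meta["metadata_signature"] = base64.b64encode(sig).decode()
    return dek, meta

def open_metadata(meta, recipient_priv, verifier_pub=None):
    if verifier_pub is not None:
        # Verify before using the private key; a missing signature is a failure.
        sig = base64.b64decode(meta.get("metadata_signature", ""))
        try:
            verifier_pub.verify(sig, canonical(meta), PSS, hashes.SHA256())
        except InvalidSignature:
            raise ValueError("metadata signature invalid or missing")
    if meta["kek_algorithm"] != "rsa-oaep-sha256":
        raise ValueError("unsupported kek_algorithm")
    return recipient_priv.decrypt(base64.b64decode(meta["kek_encrypted_dek"]), OAEP)

def demo():
    # Constructed keys; 2048-bit keeps the demo fast (the page recommends 4096).
    alice = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sender = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dek, meta = build_metadata(alice.public_key(), sender)
    ok = open_metadata(meta, alice, sender.public_key()) == dek
    tampered = dict(meta, bulk_algo="aes256")       # flip one signed field
    try:
        open_metadata(tampered, alice, sender.public_key())
    except ValueError:
        return ok, True
    return ok, False
```

When no verifier key is supplied, `open_metadata` unwraps the DEK without any sender check, which is why signing and verification need to be used together for the authenticity properties to hold.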

Testing and Verification

The repository includes comprehensive test suites:

# Test V3 features
python3 test-3.py

# Test universal dispatcher
python3 test-qltx.py

All tests create temporary directories and clean up automatically.

Performance Considerations

RSA Overhead

The asymmetric operations (RSA encryption/decryption, signing/verification) only affect:

  • A 32-byte DEK (key encryption)
  • A small metadata block (signing)

Bulk data encryption remains as fast as V2, using efficient symmetric algorithms.

Benchmark Expectations*

On a typical 8-core system with hardware AES support:

| Operation    | V1/V2 | V3 (ChaCha20) | V3 (AES-256) |
|--------------|-------|---------------|--------------|
| Pack (1GB)   | ~45s  | ~45s          | ~42s†        |
| Unpack (1GB) | ~18s  | ~18s          | ~16s†        |
| RSA Overhead | N/A   | <0.1s         | <0.1s        |

*These results are illustrative examples. Actual performance varies with hardware, file type, and configuration.

†With AES-NI hardware acceleration.

Important Notes

Proof-of-Concept Status

Qeltrix V3 remains a Proof-of-Concept. While built on robust cryptographic primitives from the cryptography library, consider:

  • No Formal Audit: The implementation hasn't undergone professional security auditing
  • Key Management: You are responsible for secure key generation, storage, and rotation
  • Use Case Evaluation: Assess whether Qeltrix meets your specific security requirements

RSA Key Recommendations

  • Use 4096-bit RSA keys for long-term security
  • Protect private keys with strong passphrases
  • Never share private keys or store them in version control
  • Consider hardware security modules (HSMs) for organizational use

The Community Vision

Qeltrix has always been a community-driven project. V3 provides powerful new primitives for secure data exchange, but the real innovation will come from how you use and extend it:

  • Key Escrow Systems: Build multi-recipient encryption
  • Automated Pipelines: Integrate signing into CI/CD workflows
  • Hybrid Architectures: Combine content-derived and asymmetric modes
  • Cross-Platform Tools: Create libraries for other languages

Fork it. Enhance it. Make it yours.

Get Qeltrix V3

GitHub Repository: https://github.com/hejhdiss/Qeltrix

The repository includes:

  • qeltrix.py - V1 implementation
  • qeltrix-2.py - V2 implementation
  • qeltrix-3.py - V3 implementation with asymmetric features
  • qltx.py - Universal dispatcher for all versions
  • Comprehensive documentation and test suites
  • qeltrix-pypi folder with package documentation

Licensing

Dual License:

  • Code (GPLv3): Free to use, modify, and distribute
  • Concept (CC BY-SA 4.0): Attribution required for derivative works

Conclusion

Qeltrix V3 brings industrial-strength key transport to content-derived encryption. Whether you need secure document delivery, authenticated backups, or flexible encryption architectures, V3 provides the foundation.

The universal dispatcher makes working with all Qeltrix versions seamless, and the asymmetric features open doors to organizational workflows that weren't possible with content-derived keys alone.

The code is open, the concept is shared, and the future is yours to build.


Qeltrix (.qltx) - Content-Derived Encryption Evolved

Copyright © 2025 HejHdiss (Muhammed Shafin P)

Code: GPLv3 | Concept: CC BY-SA 4.0 International

For questions, feedback, or contributions, visit: https://github.com/hejhdiss/Qeltrix
