From Single Files to Complete Directory Trees—A Fundamental Evolution
Posted by Muhammed Shafin P (HejHdiss) | Qeltrix Project Lead
I'm thrilled to announce Qeltrix V5, the most significant architectural evolution in the Qeltrix ecosystem. This release fundamentally transforms Qeltrix from a single-file encryption tool into a full-featured folder archiver with Virtual File System (VFS) capabilities, optional asymmetric metadata encryption, and surgical seek operations.
V5 represents a paradigm shift: instead of encrypting one file at a time, you can now package entire directory structures into a single encrypted container—then access individual files within that container without decrypting everything.
What's Revolutionary in V5?
1. Folder Archiving with Virtual File System
V5 introduces a complete VFS implementation that maps entire directory trees into a single encrypted .qltx container. This is the first version of Qeltrix capable of archiving entire folders while preserving their structure, relative paths, and file metadata.
Previously, Qeltrix operated on single files. With V5, you can archive your entire project directory—source code, documentation, configurations, and all—into one container. The VFS metadata block maintains a complete map of every file, its original size, content hash, and position within the encrypted data blocks.
Each file within the archived folder is treated as a separate encrypted block, allowing the system to decrypt and access individual files on demand without processing the entire archive.
2. Dual-Mode Metadata Security: V5 vs V5A
V5 introduces optional asymmetric metadata encryption, creating two distinct operational modes.
V5 Mode (Unencrypted Metadata)
When you pack a folder without providing a public key, V5 stores the VFS metadata as plaintext JSON. The file structure—paths, sizes, and hashes—is readable without a private key, but the actual file contents remain encrypted by the master key.
For personal backups where you're not concerned about hiding the directory structure, this mode offers maximum speed. You can quickly browse what's in the archive before deciding what to extract.
V5A Mode (Asymmetric Metadata Encryption)
When you provide a public key during packing, V5 switches to V5A mode. The VFS metadata itself is encrypted using RSA-OAEP. The Metadata Encryption Key (MEK) is secured with the recipient's public key, meaning only the holder of the corresponding private key can even see what files exist in the archive.
With V5A, an intercepted archive reveals nothing—no file names, directory structures, file counts, or sizes. Everything is opaque until the legitimate recipient decrypts the metadata with their private key. This dual-layer security model provides defense in depth.
| Aspect | V5 (Standard) | V5A (Asymmetric) |
|---|---|---|
| VFS Metadata | Plaintext JSON | RSA-Encrypted |
| File Paths Visible | ✓ Yes | ✗ No |
| Content Encrypted | ✓ Yes | ✓ Yes |
| Best For | Personal archives | Confidential sharing |
3. Virtual File System Seek: Surgical Data Access
VFS Seek allows you to access specific files within the archive, or even specific byte ranges within those files, without decrypting or decompressing anything else.
Traditional archive extraction is all-or-nothing. Want a 10KB configuration file from a 50GB archive? You must decrypt all 50GB. With VFS Seek, Qeltrix reads only the block containing your target file—typically around 1MB—decrypts just that block, and extracts only the bytes you requested.
Imagine having a year's worth of application logs archived into a single large container. A critical incident occurs, and you need error messages from one specific hour. Without VFS Seek, you'd spend hours extracting everything. With VFS Seek, you specify the exact log file path and byte range, and Qeltrix retrieves it in under a second.
This transforms Qeltrix archives from static backup containers into dynamic, queryable data repositories.
4. Backward Block Compatibility: V2/V4 Under the Hood
V5 leverages the battle-tested block formats from V2 (ChaCha20-Poly1305) and V4 (AES256-GCM). Each file in your archived folder is encrypted as a separate V2 or V4 block, depending on your configuration.
You inherit years of stability and security analysis. The V2 and V4 formats have been extensively tested. V5 adds the VFS orchestration layer on top but relies on trusted primitives for the actual encryption work.
Every V2/V4 feature—permutation layers, compression options (LZ4, Zstd), two-pass vs single-pass key derivation—is available for your V5 blocks. This modular design means V5 benefits from future improvements to the underlying block formats.
5. Parallel Processing Throughout
V5 leverages Python's ProcessPoolExecutor to maximize throughput. Multiple files are encrypted simultaneously during packing, and multiple blocks are decrypted concurrently during unpacking. For VFS Seek operations, V5 uses isolated single-process execution to prevent memory overhead when extracting small portions.
Understanding the V5 Data Model Shift
V1 through V4: These versions operate on a single input file. The entire file content is treated as one continuous stream or a series of identical blocks.
V5: This version introduces a Virtual File System model. You provide a folder, and V5 treats each file within that folder as a separate entity with its own path, size, and encryption block.
This architectural difference means V5 uses different command-line arguments: --input-folder, --output-folder, and --vfs-path for navigation.
The universal dispatcher (qltx.py) handles this seamlessly, routing to the appropriate backend based on the file version header.
Real-World Use Cases
Project Backups: Archive entire codebases and instantly extract individual configuration files without unpacking gigabytes of source code.
Confidential Document Sharing: Law firms and healthcare providers can share encrypted archives where only recipients with the private key can see what files exist (V5A mode).
Log Archive Systems: Compress and encrypt massive log directories, then use VFS Seek to retrieve specific error patterns without decompressing terabytes.
Compliance-Ready Archival: Organizations can create tamper-evident archives with AES-256-GCM encryption that meet regulatory standards (GDPR, HIPAA), while maintaining instant access to specific records.
PoC Limitations and Scale Considerations
As a Proof-of-Concept, V5 has important practical limitations:
Scale Restrictions: While the base architecture and design philosophy are built with large-scale operations in mind (terabytes, hundreds of gigabytes), the current PoC implementation is not optimized for handling such massive datasets. This is a deliberate limitation reflecting:
- The inherent constraints of solo development
- My knowledge boundaries as the primary developer
- The experimental nature of the project
Dropped Features: Many advanced capabilities were planned but not implemented:
- Advanced VFS Parallel/Serial Mixing: Complex strategies for handling both blocking and non-blocking file combinations
- Cross-Version VFS Enhancements: Certain multi-parallel operations for specific edge cases
- Explicit Worker Configuration: No command-line flag to override default worker counts
- Large-Scale Optimizations: Memory management and streaming strategies for truly massive archives
What This Means: V5 successfully demonstrates folder archiving, VFS seek, and dual-mode security for typical use cases (projects, document collections, moderate-sized backups). However, attempting to archive multi-terabyte datasets or handle hundreds of gigabytes may encounter performance bottlenecks or resource constraints that a production implementation would need to address.
The foundational architecture is designed with scale in mind, but the current implementation reflects PoC limitations. Community contributions to optimize for large-scale operations are especially welcome.
Security Considerations
V5's security model layers multiple proven primitives:
Metadata Layer (V5A): RSA-OAEP for key transport, AES-256-GCM for metadata encryption
Content Layer: HKDF-SHA256 key derivation, AES-256-GCM or ChaCha20-Poly1305 for bulk data
Integrity Layer: SHA256 hash of entire ciphertext, per-file content hashes
V5 offers two key derivation modes:
Two-Pass (Default): Derives key from SHA256 hash of entire compressed file stream—maximum security, requires temporary storage.
Single-Pass-FirstN: Derives key from hash of first N bytes—faster, single-pass operation for large files.
Proof-of-Concept Disclaimer: Despite using industry-standard cryptography, V5 has not undergone professional security auditing. You are responsible for key management, threat modeling, and compliance verification.
Version Compatibility Matrix
| Feature | V1-V4 | V5 |
|---|---|---|
| Data Model | Single File | Folder/VFS |
| ChaCha20-Poly1305 | ✓ | ✓ (blocks) |
| AES256-GCM | ✓ (V3/V4) | ✓ (blocks) |
| Random Access | ✓ (V2+) | ✓ (VFS) |
| Asymmetric Keys | ✓ (V3 content) | ✓ (metadata) |
| Backward Compatible | Various | ✗ |
All versions use the .qltx file extension.
Community Call-to-Action
V5 demonstrates a powerful concept: cryptographically secure folder archiving with instant selective access. The implementation proves the architecture works. But transforming this PoC into a production-grade tool requires community effort.
What V5 Needs:
- Scale Optimization: Memory management and streaming strategies for terabyte-scale archives
- Feature Completion: Implementing dropped advanced VFS strategies
- Security Auditing: Formal cryptographic analysis
- Usability Improvements: GUI applications, better error messages
- Documentation Expansion: Tutorials, architecture deep-dives
The Path Forward:
If Qeltrix solves a problem for you, don't wait for updates from the original author. Fork the repository. Build the features you need. Share your improvements. The licenses (GPLv3 for code, CC BY-SA 4.0 for concept) explicitly enable this.
The cryptographic foundation is solid. The VFS architecture is proven. What's missing is the collective effort to polish, optimize, and extend these building blocks—especially for large-scale operations.
Qeltrix's future is in your hands.
Get Qeltrix V5
GitHub Repository: https://github.com/hejhdiss/Qeltrix
The repository includes all implementations (V1-V5), the universal dispatcher, test suites, and complete documentation.
Licensing
- Code (GPLv3): All implementations are free to use, modify, and distribute
- Concept (CC BY-SA 4.0): The VFS architecture and cryptographic approach require attribution for derivative works
Final Thoughts
Qeltrix V5 is a Proof-of-Concept demonstrating folder archiving with Virtual File System seek and optional asymmetric metadata encryption. While built on robust cryptographic primitives, this project:
- Has not undergone professional security auditing
- Is not optimized for terabyte-scale operations in its current form
- Requires your own security evaluation for production use
- Is provided as-is without warranty or guaranteed maintenance
Development Status: The author does not commit to regular updates. This is an open-source project meant to inspire and serve as a foundation.
Use Responsibly: Evaluate whether V5 meets your specific threat model and scale requirements. Consider consulting security professionals before deploying in critical environments.
The universal dispatcher ensures existing V1-V4 workflows continue uninterrupted, while V5 opens entirely new possibilities for folder archiving and selective data access.
Qeltrix is yours to build upon. Fork it. Extend it. Make it scale.
Qeltrix (.qltx) - Content-Derived Encryption, Now with Folder Archiving
Copyright © 2025 HejHdiss (Muhammed Shafin P)
Code: GPLv3 | Concept: CC BY-SA 4.0 International
GitHub: https://github.com/hejhdiss/Qeltrix
Special thanks to the cryptography and security communities for their continued guidance and the contributors(supporters) who make Qeltrix possible.
Top comments (0)