Command-line file encryption with paranoid-grade ciphers. Serpent-256-CBC and XChaCha20-Poly1305, WASM-SIMD accelerated, powered by leviathan-crypto.
lvthn)[!NOTE] Command-line file encryption with paranoid-grade ciphers, powered by leviathan-crypto. Serpent-256-CBC, XChaCha20-Poly1305, and AES-256-GCM-SIV, WASM-SIMD accelerated, distributed across a worker pool.
Table of Contents
lvthn encrypts and decrypts files and pipes from the command line. One keyfile
works with all three ciphers; the header byte chooses the algorithm on decrypt
automatically. Encryption and decryption distribute 64KB chunks across a worker
pool sized to hardwareConcurrency, and each worker owns an isolated WASM
instance with no shared memory between workers. Output is byte-compatible with
the web demo.
Installs the lvthn command globally.
bun add -g lvthn
# or
npm install -g lvthn
# Encrypt with a passphrase (Serpent by default)
lvthn encrypt -p "correct horse battery" secret.txt
# Encrypt with XChaCha20-Poly1305
lvthn encrypt --cipher chacha -p "correct horse battery" secret.txt
# Encrypt with AES-256-GCM-SIV
lvthn encrypt --cipher aes -p "correct horse battery" secret.txt
# Encrypt with a keyfile
lvthn encrypt -k my.key secret.txt secret.enc
# Encrypt from stdin, armored output
cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc
# Decrypt (cipher is detected automatically from the file)
lvthn decrypt -p "correct horse battery" secret.enc
lvthn decrypt -k my.key secret.enc decrypted.txt
# Generate a 256-bit keyfile
lvthn keygen
lvthn keygen --armor -o my.key
On decrypt, the --cipher flag is not needed. The cipher byte in the file
header tells lvthn which algorithm was used.
| Flag | Cipher | Authentication | Throughput |
|---|---|---|---|
--cipher serpent (default) | Serpent-256-CBC | HMAC-SHA256 per chunk | ~135 MB/s |
--cipher chacha | XChaCha20 | Poly1305 per chunk | ~565 MB/s |
--cipher aes | AES-256-GCM-SIV | POLYVAL per chunk + key commitment | hardware-dependent |
Serpent has a larger security margin (32 rounds versus 20) at the cost of speed. ChaCha20-Poly1305 is the choice of TLS 1.3 and WireGuard. AES-GCM-SIV (RFC 8452) is nonce-misuse-resistant and benefits from hardware AES instructions where available. All three are good; pick based on your threat model and throughput requirements.
Throughput figures are approximate, measured pre-SIMD on Apple Silicon. Current leviathan-crypto releases include SIMD-accelerated paths for both ciphers, so actual numbers run higher on SIMD-capable hardware and vary by platform.
All three ciphers share the same outer format, the same scrypt key derivation,
and the same keyfiles. A key generated with lvthn keygen works with any cipher.
Requires Bun.
bun install
bun bake
# → dist/lvthn
lvthn ships completion support for bash, zsh, fish, and PowerShell.
# zsh
echo 'source <(lvthn completion zsh)' >> ~/.zshrc
# or drop into a fpath directory
lvthn completion zsh > $(brew --prefix)/share/zsh/site-functions/_lvthn
# bash
lvthn completion bash > /usr/local/etc/bash_completion.d/lvthn
# fish
lvthn completion fish > ~/.config/fish/completions/lvthn.fish
# PowerShell
lvthn completion pwsh >> $PROFILE
Completions cover subcommands, flags, cipher values, and file paths. The
--passphrase and --keyfile flags are mutually exclusive; once one is used the
other is suppressed from suggestions.
LVTHN v3 binary format, shared with the web demo. The cipher byte at offset 6 of the header drives decryption automatically. See FORMAT.md for the full wire specification, including the pool preamble layout and the counter-nonce scheme.
hardwareConcurrency. Each worker owns an isolated WASM
instance with no shared memory between workers.Leviathan and its demos are written under the MIT license.
▄▄▄▄▄▄▄▄▄▄
▄████████████████████▄▄
▄██████████████████████ ▀████▄
▄█████████▀▀▀ ▀███████▄▄███████▌
▐████████▀ ▄▄▄▄ ▀████████▀██▀█▌
████████ ███▀▀ ████▀ █▀ █▀
███████▌ ▀██▀ ██
███████ ▀███ ▀██ ▀█▄
▀██████ ▄▄██ ▀▀ ██▄
▀█████▄ ▄██▄ ▄▀▄▀
▀████▄ ▄██▄
▐████ ▐███
▄▄██████████ ▐███ ▄▄
▄██▀▀▀▀▀▀▀▀▀▀ ▄████ ▄██▀
▄▀ ▄▄█████████▄▄ ▀▀▀▀▀ ▄███
▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀
████▀ ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀ ▄▄▄▄
█████▄▄█████▀▀▀▀▀▀▄ ▀███▄ ▄███▀
▀██████▀ ▀████▄▄▄████▀
▀█████▀
FAQs
Command-line file encryption with paranoid-grade ciphers. Serpent-256-CBC and XChaCha20-Poly1305, WASM-SIMD accelerated, powered by leviathan-crypto.
The npm package lvthn receives a total of 25 weekly downloads. As such, lvthn popularity was classified as not popular.
We found that lvthn demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.
Security News
The Rust project is moving toward formal rules on LLM use in contributions after months of internal debate over maintainer burden, code quality, and contributor experience.
Research
/Security News
A malicious NuGet package impersonating Sicoob exfiltrated client IDs, PFX passwords, and banking certificates through Sentry telemetry.