ZeroEcho Command-Line App
The ZeroEcho CLI is a streaming, security-first front end built on the lib module.
It exposes practical workflows for key management, hybrid/KEM envelopes, multi-recipient
protection, and covert payload embedding in JPEG EXIF metadata. The app favors explicit
configuration, safe defaults, and pipelines that avoid materializing large payloads.
Commands
- guard - multi-recipient envelopes (public keys and/or passwords) with AES or ChaCha payloads.
- kem - hybrid encryption: derive a content key via a KEM (e.g., Kyber, standardized by NIST as ML-KEM in FIPS 203), then encrypt the payload (AES/ChaCha).
- keystore - manage a human-editable text keyring: list, generate, import, export.
- covert - embed or extract a binary payload in JPEG EXIF fields using configurable slots.
Global usage
Each command supports --help for exact flags and examples. Inputs and outputs are streamed;
large files do not need to be fully loaded in memory.
I/O conventions
- Streams are processed lazily, so in authenticated modes the tag is checked only after the last input byte; output may already have been written before a verification failure is reported. Treat decrypted output as unverified until the command has exited with status 0.
- Authenticated modes (AES-GCM, ChaCha20-Poly1305) are the default where applicable.
- For hybrid flows, shared secrets from agreement/KEM are fed through a KDF before use.
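The KDF step in a hybrid flow, as an added example written for this page and not ZeroEcho's own code: HKDF-SHA256 per RFC 5869 on the Python standard library, with the KEM ciphertext and recipient public key bound into the HKDF info field so a content key is only derivable for the exact encapsulation that produced it. The KEM itself is out of scope (the standard library has no Kyber/ML-KEM), so the shared secret, ciphertext and public key are constructed bytes standing in for KEM output; the `zeroecho-example/v1` label, the length-prefixed info layout and the function names are assumptions for illustration, not ZeroEcho's actual derivation.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("HKDF-Expand: length must be 1..255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def len_prefixed(*parts: bytes) -> bytes:
    """4-byte big-endian length before each field, so adjacent variable-length fields
    cannot be re-split (e.g. "ab"+"c" vs "a"+"bc") into the same info string."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def derive_content_key(shared_secret: bytes, kem_ciphertext: bytes, recipient_pk: bytes,
                       kem_label: bytes, aead_label: bytes, key_len: int = 32) -> bytes:
    """Content key for one envelope. Binding ct and pk into info ties the key to this
    encapsulation; the algorithm labels stop a key derived for one suite being reused in another."""
    # "zeroecho-example/v1" is a hypothetical domain-separation label chosen for this example.
    info = len_prefixed(b"zeroecho-example/v1", kem_label, aead_label, kem_ciphertext, recipient_pk)
    return hkdf(shared_secret, salt=b"", info=info, length=key_len)


# Constructed stand-ins with Kyber-768 sizes (32-byte shared secret, 1088-byte ciphertext,
# 1184-byte public key). These are not real KEM values.
SHARED_SECRET = bytes(range(32))
KEM_CIPHERTEXT = b"\x11" * 1088
RECIPIENT_PK = b"\x22" * 1184


def example_keys():
    """Same shared secret, different ciphertext -> different content key."""
    k1 = derive_content_key(SHARED_SECRET, KEM_CIPHERTEXT, RECIPIENT_PK, b"Kyber-768", b"aes-256-gcm")
    k2 = derive_content_key(SHARED_SECRET, b"\x33" * 1088, RECIPIENT_PK, b"Kyber-768", b"aes-256-gcm")
    return k1, k2
```

Never use the raw KEM shared secret as the AEAD key: the KDF is what binds the key to the transcript and to the algorithm suite, and it is the place to add per-message context (a recipient index for multi-recipient envelopes, for instance) without touching the KEM.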
Keyring format
The keyring is a compact UTF-8 text file of entries with algorithm id, spec class, and encoded material.
It is intended to be readable and diffable by humans, but because it holds private key material it must be treated as sensitive data.
Security notes
- Prefer authenticated encryption and strong KEM parameter sets.
- Protect keyrings with OS permissions (owner read/write only) and keep them out of version control.
- Export only encrypted content to untrusted destinations; do not embed secrets in cleartext scripts, and avoid passing passwords as command-line arguments, which other local users can see in process listings and which end up in shell history.
Exit codes and logging
- Commands return 0 on success; non-zero indicates failure.
- Errors go to STDERR; enable verbose logging for diagnostics as needed.
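Because a streamed authenticated decrypt only learns that the tag is wrong after the last byte, a consumer that reads the output directly can act on unverified plaintext. As an added example, not ZeroEcho's own code, the Python pattern to wrap around such a command: spool the stream to a temp file beside the destination and rename it into place only when the producer finishes cleanly (for the CLI, that is exit status 0). `untrusted_stream` is a constructed stand-in for a decryptor that fails at end of stream; `zeroecho` itself is not invoked, and the file names are arbitrary.

```python
import os
import tempfile
from typing import Iterable, Iterator


class VerificationFailed(Exception):
    """Raised by the stand-in decryptor when the authentication tag does not match."""


def untrusted_stream(chunks: Iterable[bytes], tag_ok: bool) -> Iterator[bytes]:
    """Constructed stand-in for a streaming AEAD decryptor: every plaintext chunk is
    handed out first; the tag check happens only once the input is exhausted."""
    for chunk in chunks:
        yield chunk
    if not tag_ok:
        raise VerificationFailed("authentication tag mismatch")


def commit_on_success(stream: Iterator[bytes], dest: str) -> int:
    """Write stream to a temp file in dest's directory and atomically rename it to dest
    only after the stream ends without error. On any failure the partial file is removed
    and nothing ever appears at dest. Returns the number of bytes written."""
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".partial-")  # created mode 0600
    try:
        written = 0
        with os.fdopen(fd, "wb") as out:
            for chunk in stream:
                out.write(chunk)
                written += len(chunk)
            out.flush()
            os.fsync(out.fileno())       # data durable before the rename makes it visible
        os.replace(tmp_path, dest)       # same filesystem, so the rename is atomic
        return written
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def run_scenario(tag_ok: bool) -> dict:
    """Drive the pattern in a scratch directory and report what was left behind."""
    chunks = [b"header,", b"payload-line-1\n", b"payload-line-2\n"]   # constructed plaintext
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "decrypted.bin")
        result = {"error": None, "written": 0}
        try:
            result["written"] = commit_on_success(untrusted_stream(chunks, tag_ok), dest)
        except VerificationFailed as exc:
            result["error"] = str(exc)
        result["dest_exists"] = os.path.exists(dest)
        result["leftovers"] = sorted(os.listdir(scratch))
    return result
```

The same rule applies when piping: anything downstream of a streamed decrypt must not have irreversible side effects (a shell interpreting the plaintext, a database import) until the producer's exit status is known.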
Examples (illustrative)
# Generate a signing key into a text keyring
zeroecho keystore --keyring keyring.txt --generate --alg Ed25519 --alias signing
# Hybrid envelope with a KEM-derived content key and AES-GCM payload
zeroecho kem --encrypt --keyring keyring.txt --recipient alice --kem Kyber-768 --symmetric aes-gcm --tag-bits 128
# Multi-recipient envelope (password + public key); the literal password is for illustration only
zeroecho guard --encrypt --keyring keyring.txt --to-password s3cret --to-alias bob
# Covert EXIF embedding
zeroecho covert --embed --jpeg in.jpg --payload secret.bin --slots exif.usercomment --output out.jpg
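To show what the covert subcommand's EXIF slot mechanism involves, an added Python example (illustrative code, not ZeroEcho's implementation): an embed/extract pair that writes a payload into Exif.Photo.UserComment (tag 0x9286) inside an APP1 segment and reads it back, working on the JPEG segment layer only. The sample input is a constructed SOI/APP0/EOI skeleton with no image data, the IFD layout is the minimal one the example itself builds, and the function names are assumptions. The constraint it makes visible is that an APP1 segment's 16-bit length field caps a single UserComment slot at a little under 64 KiB; larger payloads need several slots or another carrier.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"      # APP1 payload prefix that marks an Exif block
TAG_EXIF_IFD = 0x8769              # IFD0 entry pointing at the Exif private IFD
TAG_USER_COMMENT = 0x9286          # Exif.Photo.UserComment, type UNDEFINED (7)
TYPE_LONG, TYPE_UNDEFINED = 4, 7
CHARSET_UNDEFINED = b"\x00" * 8    # 8-byte character code "undefined": binary is fine
MAX_APP1_BODY = 0xFFFF - 2         # 16-bit length field that counts its own two bytes

def _build_tiff(payload: bytes) -> bytes:
    """Minimal little-endian TIFF: IFD0 -> Exif IFD -> UserComment carrying payload."""
    comment = CHARSET_UNDEFINED + payload
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 12 + 4      # entry count, one 12-byte entry, next-IFD pointer
    data_off = exif_off + 2 + 12 + 4
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<HHHII", 1, TAG_EXIF_IFD, TYPE_LONG, 1, exif_off) + b"\x00" * 4
    tiff += struct.pack("<HHHII", 1, TAG_USER_COMMENT, TYPE_UNDEFINED, len(comment), data_off)
    return tiff + b"\x00" * 4 + comment   # comment is always > 4 bytes, so it lives out of line

MAX_PAYLOAD = MAX_APP1_BODY - len(EXIF_HEADER) - len(_build_tiff(b""))   # bytes per slot

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each length-prefixed segment; stop at SOS or EOI."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (EOI, SOS):
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end

def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER

def embed(jpeg: bytes, payload: bytes) -> bytes:
    """Return jpeg with one Exif APP1 whose UserComment holds payload (an existing Exif block is replaced)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds the {MAX_PAYLOAD}-byte UserComment slot")
    body = EXIF_HEADER + _build_tiff(payload)
    out = [jpeg[:2], bytes([0xFF, APP1]) + struct.pack(">H", len(body) + 2) + body]  # APP1 right after SOI
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            continue
        if marker in (EOI, SOS):
            out.append(jpeg[start:])   # scan data and everything after it, untouched
            break
        out.append(jpeg[start:end])
    return b"".join(out)

def _read_ifd(tiff: bytes, off: int, e: str) -> dict:
    """Map tag -> (type, count, raw 4-byte value-or-offset field) for the IFD at off."""
    entries = {}
    for i in range(struct.unpack_from(e + "H", tiff, off)[0]):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", tiff, base)
        entries[tag] = (typ, cnt, tiff[base + 8:base + 12])
    return entries

def extract(jpeg: bytes):
    """Return the UserComment payload with its charset prefix stripped, or None if there is none."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order declared by the TIFF header
        if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
            raise ValueError("bad TIFF header in Exif segment")
        ifd0 = _read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
        if TAG_EXIF_IFD not in ifd0:
            return None
        exif = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_EXIF_IFD][2])[0], e)
        if TAG_USER_COMMENT not in exif:
            return None
        typ, cnt, raw = exif[TAG_USER_COMMENT]
        data = raw[:cnt] if cnt <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:cnt]
        if typ != TYPE_UNDEFINED or len(data) != cnt or cnt < 8:
            raise ValueError("malformed UserComment entry")
        return data[8:]
    return None

# Constructed sample: SOI, one JFIF APP0 segment, EOI. Real segment layout, no image data.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16)
               + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
```

Two caveats follow from the layout. The image data is untouched, so the carrier still decodes, but EXIF is metadata: any re-encode or "strip metadata" step on the way to the recipient destroys the payload, and a UserComment that is tens of kilobytes of high-entropy bytes stands out in any tool that lists tags. Encrypt the payload before embedding it.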
System requirements
- Java 21 or newer.
- At least one JCA provider supplying the selected algorithms (e.g., JDK defaults, Bouncy Castle, a PQC provider). The JDK's own providers only gained ML-KEM in JDK 24 (JEP 496), so on Java 21 a third-party provider such as Bouncy Castle is required for Kyber/ML-KEM.