STIM Encrypted Containers (RFC-0018)

Lethean R&D Labs
RFC Containers Encryption Security

STIM (Secure TIM) wraps TIM containers in ChaCha20-Poly1305 encryption, so containers can be distributed and executed without exposing their contents. The config and rootfs are encrypted separately for flexibility.

Features

Authenticated Encryption

ChaCha20-Poly1305 for confidentiality and integrity

Separate Encryption

Config and rootfs encrypted independently

Direct Execution

Decrypt and run without persistent decrypted files

Secure Transport

Safe to distribute via untrusted channels

Installation

# Encrypt TIM to STIM
borg tim encrypt app.tim -p "password" -o app.stim

# Run encrypted container directly
borg run app.stim -p "password"

Usage

STIM Structure

┌─────────────────────────────────────┐
│ Magic: "STIM" (4 bytes)             │
├─────────────────────────────────────┤
│ Trix Header (JSON)                  │
│  - encryption_algorithm             │
│  - tim: true                        │
│  - config_size: uint32              │
│  - rootfs_size: uint32              │
├─────────────────────────────────────┤
│ [config_size: 4 bytes BE uint32]    │
│ [encrypted config]                  │
│ [encrypted rootfs tar]              │
└─────────────────────────────────────┘
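
The layout above implies length checks a reader can make on an untrusted .stim payload before either blob reaches the decryptor. This Python example is added here and is not code from Borg or the RFC; the names split_stim_payload and StimFormatError and the sample encryption_algorithm value are hypothetical. It assumes the Trix header is already parsed into a dict, that config_size and rootfs_size count encrypted bytes, and that each encrypted blob carries its own 16-byte Poly1305 tag.

```python
import struct

TAG_LEN = 16  # Poly1305 tag length; assumes each encrypted blob includes its tag


class StimFormatError(ValueError):
    """Raised when the payload does not match the sizes declared in the header."""


def split_stim_payload(header: dict, payload: bytes) -> tuple:
    """Split the bytes after the Trix header into (encrypted config, encrypted rootfs).

    Assumption: config_size and rootfs_size count encrypted bytes.
    """
    if header.get("tim") is not True:
        raise StimFormatError("header does not mark this container as a TIM")
    sizes = {}
    for key in ("config_size", "rootfs_size"):
        value = header.get(key)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            raise StimFormatError(f"{key} is not an integer")
        if not TAG_LEN <= value <= 0xFFFFFFFF:
            raise StimFormatError(f"{key} is outside the range of a tagged uint32 blob")
        sizes[key] = value
    if len(payload) < 4:
        raise StimFormatError("payload too short for the config_size prefix")
    (prefix,) = struct.unpack(">I", payload[:4])  # 4 bytes, big-endian uint32
    if prefix != sizes["config_size"]:
        raise StimFormatError("config_size prefix disagrees with the header")
    expected = 4 + sizes["config_size"] + sizes["rootfs_size"]
    if len(payload) != expected:
        raise StimFormatError(f"payload is {len(payload)} bytes, header declares {expected}")
    config_end = 4 + prefix
    return payload[4:config_end], payload[config_end:]


# Constructed sample: filler bytes stand in for real ciphertext.
SAMPLE_CONFIG = bytes(range(32))
SAMPLE_ROOTFS = bytes(range(64))
SAMPLE_HEADER = {"encryption_algorithm": "chacha20poly1305",  # constructed value
                 "tim": True,
                 "config_size": len(SAMPLE_CONFIG),
                 "rootfs_size": len(SAMPLE_ROOTFS)}
SAMPLE_PAYLOAD = struct.pack(">I", len(SAMPLE_CONFIG)) + SAMPLE_CONFIG + SAMPLE_ROOTFS

if __name__ == "__main__":
    cfg, rootfs = split_stim_payload(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    print(len(cfg), len(rootfs))
```

These checks only reject malformed framing early; integrity of the contents still rests on the ChaCha20-Poly1305 tag verifying during decryption.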
