Build from source
Compile LUKSbox yourself, run the test vectors, verify reproducible-build hashes.
Prerequisites
| Tool | Version | Why |
|---|---|---|
| Rust toolchain | 1.88+ | Workspace MSRV |
pkg-config |
any | Discovers system libfido2 + libfuse |
clang |
any | Used by bindgen to regenerate libfido2 bindings at build time |
libfido2-dev |
1.10+ | Headers for the FIDO2 path |
libfuse3-dev |
3.10+ | Headers for the FUSE mount path on Linux |
On a fresh Debian / Ubuntu:
sudo apt install -y build-essential pkg-config clang \
libfido2-dev libssl-dev libudev-dev zlib1g-dev libfuse3-dev
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Clone + build
git clone https://github.com/penthertz/LUKSbox.git
cd LUKSbox
# CLI
cargo build --release -p luksbox-cli
# GUI (egui)
cargo build --release -p luksbox-gui
# Software-only build (no libfido2, no FUSE - useful for sandboxes)
cargo build --release --no-default-features
The release binaries land in target/release/.
Run the test suite
cargo test --workspace # 195 tests as of round 8
cargo audit # zero advisories on Linux/macOS
The hardware-FIDO2 tests are gated behind --features hardware and
require a real plugged-in authenticator. See
TESTING.md
for the full hardware test matrix.
Cross-compile to all platforms
The scripts/build_release.sh script builds all 5 release targets
from a single Linux host using cross:
| Target | Output |
|---|---|
x86_64-unknown-linux-gnu |
Linux amd64 .tar.gz |
aarch64-unknown-linux-gnu |
Linux arm64 .tar.gz |
x86_64-apple-darwin |
macOS Intel .tar.gz (universal slice) |
aarch64-apple-darwin |
macOS Apple Silicon .tar.gz (universal slice) |
x86_64-pc-windows-msvc |
Windows .msi + portable .zip |
./scripts/build_release.sh v0.4.0
# Produces dist/<target>/luksbox-* artifacts + dist/SHA256SUMS.txt
Verify a release was built reproducibly
LUKSbox aims for reproducible builds. To verify a published release matches what the source produces:
# Build the same tag the release was cut from
git checkout v0.4.0
./scripts/build_release.sh v0.4.0
# Hash your local build
sha256sum dist/x86_64-unknown-linux-gnu/luksbox
# Hash the official release
curl -L -O https://github.com/penthertz/LUKSbox/releases/download/v0.4.0/luksbox-x86_64-unknown-linux-gnu.tar.gz
tar -xzf luksbox-x86_64-unknown-linux-gnu.tar.gz
sha256sum luksbox
# These two should be identical.
If they differ: file an issue. Reproducible builds are a hard property to maintain and we want to know about regressions.
Toolchain-pinning for security-critical builds
For air-gapped or compliance-critical environments, pin the exact
Rust toolchain version + every dependency hash via the workspace
Cargo.lock:
# Fail the build if Cargo.lock is stale relative to Cargo.toml
cargo check --locked
# Or generate a frozen vendored copy of every dep
cargo vendor > .cargo/config.toml
# Then commit .cargo/config.toml + vendor/ to your internal mirror
Build the docs site
This site (the one you're reading) is built with Hugo:
cd LUKSbox\ website/hugo
hugo serve # local preview at http://localhost:1313/
hugo # production build into ./public/
See LUKSbox_website/hugo/README.md for the full docs-build
workflow.