LUKSbox v0.2.2
v0.2.2 | Released Jun 2026

Download LUKSbox

Reproducible binaries for Linux, macOS, and Windows. All releases are signed and verified.

macOS

Apple Silicon | Intel

Self-contained .dmg with libfido2 bundled using kext-free FUSE-T for mount.

Download .dmg (FUSE-T, default) Install guide

Codesigned + Apple-notarised (Developer ID Application: PENTHERTZ, team 456J2U7HQL). Both builds are the same Apple-notarised .app linked against a different FUSE backend at build time, the two are mutually exclusive on a single Mac, pick one. FUSE-T (default) is kext-free, no Recovery Mode dance, works the same on Intel and Apple Silicon; mount requires brew install --cask macos-fuse-t. macFUSE (legacy) ships a kernel extension; Apple Silicon Macs need a one-time Recovery Mode -> Startup Security Utility -> Reduced Security opt-in plus approval in System Settings -> Privacy & Security before the kext loads. Pick the macFUSE build only if you already use macFUSE for other tools. CLI / GUI / extract all work without either backend; only mount needs FUSE.

Linux

x86_64 | aarch64

Native .deb and .rpm packages with auto-resolved deps, plus a generic tarball with an install.sh for Arch / NixOS / Alpine.

Download .deb (Debian / Ubuntu) Download .rpm (Fedora / RHEL / Rocky) Download .tar.gz (generic) Install guide

Supports TPM 2.0. Native packages pull libfido2 + libfuse3 automatically. Generic tarball requires sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu) or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL) first.

Windows

x86_64 | Windows 11 22H2+

Self-extracting installer that bundles WinFsp 2.x + LUKSbox in one step. Routes FIDO2 through webauthn.dll, no admin required for the GUI.

Download installer (.exe, includes WinFsp) Plain .msi (admin / unattended) Portable .zip Install guide

Recommended: the -setup.exe bundle chains a WinFsp 2.0.23075 install (if not already present) and then installs LUKSbox. WinFsp is the kernel-mode filesystem driver required by the Mount as volume feature; the bundle ships the upstream Authenticode-signed WinFsp MSI. Plain .msi: for admins managing WinFsp separately (GPO / Chocolatey / Intune) or for unattended deploys via msiexec /i ... /qn; install WinFsp yourself first. Portable .zip: no installer, ships winfsp-x64.dll next to luksbox.exe for launch resolution but mount still needs WinFsp's kernel driver registered system-wide (run the WinFsp MSI separately). Windows SmartScreen will warn on first launch ('Windows protected your PC') because LUKSbox is not yet signed with an EV Authenticode certificate; click More info -> Run anyway. Subsequent launches are silent. See the Windows install guide for the full SmartScreen explainer + roadmap to EV signing.

Provenance

Verify your download

Every release artifact is signed via GitHub Artifact Attestations (Sigstore-backed) and hashed in SHA256SUMS.txt. The attestation proves the artifact came from the exact tagged workflow run on a GPG-signed commit, no human had a chance to swap it after the fact. Always verify before running unfamiliar binaries.

# Cryptographic provenance check (recommended). Requires the
# GitHub CLI: sudo apt install gh | sudo dnf install gh | brew install gh
gh attestation verify <downloaded-file> --owner penthertz

# Or an offline SHA-256 check, no `gh` needed:
curl -LO https://github.com/penthertz/LUKSbox/releases/latest/download/SHA256SUMS.txt
sha256sum -c SHA256SUMS.txt        # checks every file matches

Source code

The source is published on GitHub under the Apache License 2.0. OSI-approved open source - read, audit, build, modify, redistribute, even use it in a competing product. The Penthertz brand is reserved separately; see TRADEMARK.md.

git clone https://github.com/penthertz/LUKSbox.git
cd LUKSbox
cargo build --release -p luksbox-cli

See Build from source for the full toolchain requirements and reproducible-build verification.

Release channels

Channel What you get Where
Stable Tagged releases, signed binaries, audit-tracked GitHub Releases
Nightly Built from main daily; for testing only GitHub Actions artifacts
Source The canonical truth; build it yourself GitHub repository

Older versions

Every published release stays on GitHub Releases indefinitely. If you need an older version for compatibility with an existing vault file, it's there.

If you're upgrading and the on-disk format changed: LUKSbox vaults are backward-compatible by design. Older format slots (V1, V2 layout) remain readable by newer versions; new vaults default to the latest format. See the changelog for per-version notes.