Malwprotector/estsolstitiale


$ python3 estsolstitiale.py cli
First use detected.

===Estsolstitiale Configuration===

Directories used:
Base : /home/user/estsolstitiale
Source : /home/user/estsolstitiale/source
Encrypted : /home/user/OneDrive/encrypted
Decrypted : /home/user/estsolstitiale/decrypted
Config : /home/user/estsolstitiale/config

Step 1: age private key
You need to provide the path to your existing age private key.
Common example: ~/.config/age/key.txt
$ Path to the age private key :

Estsolstitiale is a minimal privacy-oriented encrypted synchronization system for MS/OneDrive cloud.

It encrypts your local files with age before they are uploaded to OneDrive, then lets you decrypt them locally when needed. age is a simple, modern and secure file encryption tool with small explicit keys and Unix-style composability.

Estsolstitiale is designed for people who want the convenience of OneDrive synchronization without giving the OneDrive organization tenant readable access to the actual file contents.


The Problem

Many schools, universities, companies, and institutions provide Microsoft 365 accounts with OneDrive storage.

This is convenient, but it creates an important privacy issue:

In an organization-managed OneDrive environment, your files are not protected with personal end-to-end encryption by default.

Microsoft 365 administrators and compliance teams can, depending on permissions and internal policy, search, preserve, export, or access content stored in OneDrive for Business through Microsoft Purview eDiscovery and related administrative tools. Microsoft documentation describes eDiscovery searches across OneDrive and SharePoint sites, including document and file properties.

Microsoft Q&A also states that an admin can access files stored in OneDrive for Business accounts in an organization in specific situations such as security or compliance investigations, and that the user may not necessarily receive a notification.

This does not mean that every admin is reading everyone’s files all the time. But it does mean that the organization’s OneDrive is not the same as a private encrypted vault controlled only by you.

For sensitive personal notes, academic documents, research files, administrative documents, private archives, or personal backups, this can be a concern.


What Estsolstitiale Solves

Estsolstitiale solves this problem by changing what OneDrive receives.

Instead of uploading readable files like:

document.pdf
notes.md
archive.zip
VID-2026-21-05.mp4

Estsolstitiale uploads encrypted files like:

document.pdf.age
notes.md.age
archive.zip.age
VID-2026-21-05.mp4.age

The clear files stay locally in:

~/estsolstitiale/source

The encrypted versions are written to:

~/OneDrive/encrypted

Then the normal OneDrive Linux client uploads only the encrypted .age files.

So the organization sees filenames and folder structure, but not the readable content of the files.


Why This Matters

Without Estsolstitiale:

Your file -> OneDrive cloud -> organization can potentially access content

With Estsolstitiale:

Your file -> local encryption -> encrypted .age file -> OneDrive cloud

Only the holder of the private age key can decrypt the files. age supports encrypting to public recipients and decrypting with an identity/private key file.

This makes OneDrive act more like a transport and storage layer, not a trusted private document vault.


The Name

Amphimallon solstitiale. © entomart

The name Estsolstitiale is inspired by Amphimallon solstitiale, also known as the summer chafer or European June beetle. This species belongs to the scarab family (Scarabaeidae), a group of beetles characterized by their hardened forewings (elytra), which form a protective outer covering. It is commonly associated with summer evenings, hedgerows, gardens, and dusk activity, where it emerges in large numbers and is often attracted to light.

The connection to the project comes from several of these traits. Like the beetle’s protective outer covering, Estsolstitiale wraps your files in a cryptographic shell before exposing them outside your system. Its nocturnal activity and attraction to light also mirror the idea of the software operating quietly in the background, interacting with external systems (like the cloud) without revealing sensitive things. Additionally, just as the larval stage develops hidden underground before emerging, your data remains protected and unseen until you explicitly choose to decrypt it.

Features

  • encrypt local files before OneDrive upload
  • decrypt encrypted files back into a local readable folder
  • keep encrypted cloud files synchronized with local source files
  • remove orphan encrypted files when source files are deleted
  • remove orphan decrypted files when encrypted files are deleted
  • dry-run mode to preview actions without modifying files
  • first-run setup wizard
  • terminal CLI mode
  • ultra-lightweight graphical interface
  • live logs in the GUI
  • atomic writes using temporary files
  • maximum file size protection
  • no custom database required
  • simple folder structure

Requirements

Required

You need Python 3:

python3 --version

You need age:

age --version

You need age-keygen if you want automatic public key detection:

age-keygen --help

You need the OneDrive Linux client if you want automatic upload to OneDrive:

onedrive --version

Estsolstitiale uses the onedrive Linux client to perform synchronization with Microsoft OneDrive. The abraunegg OneDrive client supports OneDrive Personal, OneDrive for Business, Office 365, SharePoint libraries, and several synchronization modes.

Optional for GUI

The graphical interface uses Python’s built-in tkinter.

Tkinter is the standard Python interface to Tcl/Tk, and Python documentation notes that running python -m tkinter should open a small test window when Tkinter is correctly installed.


Installation

Download or clone the project:

git clone https://github.com/Malwprotector/estsolstitiale.git
cd estsolstitiale

Make the script executable:

chmod +x estsolstitiale.py

Run it:

./estsolstitiale.py

or:

python3 estsolstitiale.py

Linux Tutorial

This is the recommended platform because the script currently uses the Linux onedrive client.

The abraunegg OneDrive client supports major Linux distributions and OneDrive Personal, OneDrive for Business, Microsoft 365, and SharePoint libraries.

Debian / Ubuntu / Linux Mint / Pop!_OS

Install Python, Tkinter, age:

sudo apt update
sudo apt install python3 python3-tk age

Tkinter may need to be installed as python3-tk on Ubuntu and Debian-based distributions.

Install the OneDrive client.

For Ubuntu-based distributions, the upstream project recommends using the correct supported packages rather than outdated default repository versions. Then check:

python3 --version
age --version
age-keygen --help
onedrive --version

Authenticate OneDrive:

onedrive

Follow the login URL shown in the terminal.

Then test synchronization:

onedrive --synchronize --verbose

Run Estsolstitiale:

python3 estsolstitiale.py

Fedora

Install Python, Tkinter, age, and OneDrive:

sudo dnf install python3 python3-tkinter age onedrive

Fedora uses the python3-tkinter package name for Tkinter.

Check:

python3 --version
age --version
onedrive --version

Authenticate OneDrive:

onedrive

Run:

python3 estsolstitiale.py

Arch Linux / Manjaro

Install Python, Tkinter, and age:

sudo pacman -Syu python tk age

For the OneDrive client, the upstream installation documentation mentions the Arch User Repository package onedrive-abraunegg.

Using an AUR helper such as yay:

yay -S onedrive-abraunegg

Check:

python --version
age --version
onedrive --version

Run:

python estsolstitiale.py

macOS Tutorial

macOS can run the GUI and the encryption logic, and age is available through Homebrew.

However, the current script expects the Linux onedrive command for automatic upload. On macOS, you have two practical options:

  1. use Estsolstitiale with --no-upload, then sync the encrypted folder manually with the official OneDrive app
  2. adapt the encrypted path to your local OneDrive folder and avoid calling the Linux onedrive client

Install Homebrew

If Homebrew is not installed, install it from:

https://brew.sh

Install age

brew install age

Homebrew provides an age formula for macOS and Linux.

Check Python and Tkinter

macOS Python builds often include Tkinter, and Python documentation states that python -m tkinter can be used to verify Tkinter installation.

Test:

python3 -m tkinter

If a small window appears, Tkinter works.

Run Estsolstitiale

python3 estsolstitiale.py gui

Encrypt without Linux OneDrive upload

python3 estsolstitiale.py encrypt --no-upload

Then make sure your encrypted folder is inside your OneDrive-synced directory, or manually move/sync the encrypted .age files.


Windows / WSL Tutorial

The recommended Windows setup is WSL2, because Estsolstitiale currently expects Linux-style paths and the Linux onedrive client.

age itself is cross-platform and can be installed on Windows through package managers such as Chocolatey or Scoop according to installation references.

But for the full Estsolstitiale workflow with the onedrive CLI, use WSL.

Step 1: Install WSL2

Open PowerShell as Administrator:

wsl --install

Restart if required.

Install Ubuntu from the Microsoft Store if it was not installed automatically.

Open Ubuntu.

Step 2: Install dependencies inside WSL

Inside Ubuntu/WSL:

sudo apt update
sudo apt install python3 python3-tk age

Install the supported OneDrive Linux client following the upstream client documentation. The upstream documentation recommends supported packages for Debian/Ubuntu-based distributions rather than outdated default repository versions.

Step 3: Authenticate OneDrive

Inside WSL:

onedrive

Follow the login URL.

Then test:

onedrive --synchronize --verbose

Step 4: Run Estsolstitiale

python3 estsolstitiale.py

Important note for Windows users

The official Windows OneDrive client and the Linux onedrive CLI are different tools.

If you want to use the native Windows OneDrive app instead of the Linux CLI, you should run:

python3 estsolstitiale.py encrypt --no-upload

Then make sure the encrypted output folder is placed inside a Windows OneDrive-synced directory.


Directory Structure

Estsolstitiale uses this local structure:

~/estsolstitiale/
├── source/
├── decrypted/
└── config/
    ├── public_key.txt
    └── age_key.txt

And this OneDrive-side folder:

~/OneDrive/encrypted/

Meaning of each folder

~/estsolstitiale/source

This is where you put the original readable files.

~/OneDrive/encrypted

This is where Estsolstitiale writes encrypted .age files.

~/estsolstitiale/decrypted

This is where decrypted files are restored when you run decrypt.

~/estsolstitiale/config

This stores the age public key and copied private key.


First Run

By default, running the script without arguments starts the graphical interface:

python3 estsolstitiale.py

If no configuration exists yet, click:

Setup

The setup asks for:

  • your age private key
  • your age public key

If age-keygen is installed, Estsolstitiale can detect the public key from the private key automatically.

You can also run setup from the terminal:

python3 estsolstitiale.py setup

To force setup again:

python3 estsolstitiale.py setup --force

To delete the configuration:

python3 estsolstitiale.py reset-config

Generating an age Key

If you do not already have an age key:

mkdir -p ~/.config/age
age-keygen -o ~/.config/age/key.txt

This prints a public key like:

Public key: age1...

Your private key is stored in:

~/.config/age/key.txt

During Estsolstitiale setup, provide that private key path.

The public key can be extracted later with:

age-keygen -y ~/.config/age/key.txt

The age-keygen -y workflow converts an identity/private key into the matching recipient/public key.


Running the Graphical Interface

Start the GUI:

python3 estsolstitiale.py

or:

python3 estsolstitiale.py gui

The GUI provides:

  • Encrypt + Sync
  • Decrypt
  • Dry Encrypt
  • Dry Decrypt
  • Setup
  • Open Source
  • Open Encrypted
  • Open Decrypted
  • live logs at the bottom

The GUI is intentionally minimal. It only wraps the same operations as the CLI.


Running in CLI Mode

To launch the terminal menu exactly like the classic script:

python3 estsolstitiale.py cli

You can also use:

python3 estsolstitiale.py menu

The menu provides:

1. Encrypt, sync and upload
2. Sync and decrypt
3. Dry-run encrypt
4. Dry-run decrypt
5. Reconfigure
6. Exit

Direct CLI Commands

Encrypt and upload:

python3 estsolstitiale.py encrypt

Encrypt without uploading:

python3 estsolstitiale.py encrypt --no-upload

Preview encryption without modifying files:

python3 estsolstitiale.py encrypt --dry-run --no-upload

Decrypt:

python3 estsolstitiale.py decrypt

Preview decryption:

python3 estsolstitiale.py decrypt --dry-run

Verbose logs:

python3 estsolstitiale.py encrypt --verbose

Setup:

python3 estsolstitiale.py setup

Force setup:

python3 estsolstitiale.py setup --force

Reset configuration:

python3 estsolstitiale.py reset-config

Typical Workflow

Put your readable files here:

~/estsolstitiale/source

Example:

~/estsolstitiale/source/
├── history/
│   └── course.pdf
├── notes/
│   └── private_notes.md
└── archive.zip

Run:

python3 estsolstitiale.py encrypt

Estsolstitiale creates:

~/OneDrive/encrypted/
├── history/
│   └── course.pdf.age
├── notes/
│   └── private_notes.md.age
└── archive.zip.age

Then it runs:

onedrive --synchronize --verbose

The OneDrive client uploads the encrypted .age files.

To restore readable files later:

python3 estsolstitiale.py decrypt

This creates:

~/estsolstitiale/decrypted/
├── history/
│   └── course.pdf
├── notes/
│   └── private_notes.md
└── archive.zip

Recovering Files if the Local Machine Is Lost

This is one of the most important parts of using Estsolstitiale.

If your computer is lost, broken, stolen, erased, or reinstalled, your readable local files in:

~/estsolstitiale/source

may be gone.

But if synchronization succeeded, your encrypted files should still exist online in OneDrive:

encrypted/*.age

You can recover them only if you still have your age private key.

Absolute rule

If you lose the private key, you lose the ability to decrypt the files.

The encrypted .age files stored online are intentionally unreadable without the private key. This is the point of the tool.

Therefore, you must back up this file:

~/estsolstitiale/config/age_key.txt

or the original age key, for example:

~/.config/age/key.txt

Recommended private key backups

Store at least one backup of the private key in a secure place, for example:

  • an encrypted USB drive
  • an offline external drive
  • a password manager that supports secure file attachments
  • a printed paper backup stored safely
  • a separate encrypted backup system

Do not store the private key in the same OneDrive folder as your encrypted files.

Do not put the private key in:

~/estsolstitiale/source

Do not put the private key in:

~/OneDrive/encrypted

If you upload the private key next to the encrypted files, you destroy the security model.


Recovery Scenario

Assume your old computer is gone.

You still have:

  • access to your OneDrive account
  • the encrypted .age files online
  • a backup of your private key

You can recover your files like this.


Step 1: Install Estsolstitiale on the new machine

Clone or copy the script again:

git clone https://github.com/your-user/estsolstitiale.git
cd estsolstitiale

or manually copy:

estsolstitiale.py

Step 2: Install dependencies

On Ubuntu/Debian:

sudo apt update
sudo apt install python3 python3-tk age

Install and configure the OneDrive Linux client as described above.


Step 3: Restore your private key

Create the config folder:

mkdir -p ~/estsolstitiale/config

Copy your backed-up private key:

cp /path/to/your/backup/age_key.txt ~/estsolstitiale/config/age_key.txt
chmod 600 ~/estsolstitiale/config/age_key.txt

Step 4: Recreate the public key file

Generate the public key from the private key:

age-keygen -y ~/estsolstitiale/config/age_key.txt > ~/estsolstitiale/config/public_key.txt

Check it:

cat ~/estsolstitiale/config/public_key.txt

It should start with:

age1

Step 5: Download encrypted files from OneDrive

If you use the Linux OneDrive client:

onedrive --synchronize --verbose

Make sure the encrypted files are present in:

~/OneDrive/encrypted

You should see files like:

document.pdf.age
notes.md.age
archive.zip.age

Step 6: Decrypt

Run:

python3 estsolstitiale.py decrypt

Your recovered readable files should appear in:

~/estsolstitiale/decrypted

Step 7: Optional: restore them as source files

If you want to continue using Estsolstitiale normally, you can copy the recovered files back into:

~/estsolstitiale/source

Example:

cp -a ~/estsolstitiale/decrypted/. ~/estsolstitiale/source/

Then future encryptions will work again.


Understanding How the Script Works

This section explains the internal logic precisely.


Configuration

The script defines a Config object containing:

base
source
encrypted
decrypted
config_dir
public_key_file
private_key_file
public_key

The default paths are:

base = ~/estsolstitiale
source = ~/estsolstitiale/source
encrypted = ~/OneDrive/encrypted
decrypted = ~/estsolstitiale/decrypted
config_dir = ~/estsolstitiale/config
public_key_file = ~/estsolstitiale/config/public_key.txt
private_key_file = ~/estsolstitiale/config/age_key.txt

The setup step creates these directories and stores:

public_key.txt
age_key.txt

The private key is copied into the config directory and its permissions are restricted to 600 when possible.


Public Key and Private Key

The public key is used to encrypt files.

The private key is used to decrypt files.

Encryption uses:

age -r PUBLIC_KEY -o output.age input

Decryption uses:

age -d -i age_key.txt -o output input.age

This matches the normal age model: encryption uses recipient public keys, and decryption uses identity/private key files.


Encryption Flow

When you run:

python3 estsolstitiale.py encrypt

the script does this:

  1. loads the configuration
  2. checks that age exists
  3. checks that onedrive exists unless --no-upload is used
  4. scans all files in:

~/estsolstitiale/source

  5. ignores files larger than MAX_SIZE

MAX_SIZE = 10 * 1024 * 1024 * 1024

That means 10 GB.

  6. for each source file, computes the matching encrypted path

Example:

~/estsolstitiale/source/folder/file.pdf

becomes:

~/OneDrive/encrypted/folder/file.pdf.age

  7. checks whether the encrypted file should be updated

A file is encrypted if:

  • the .age file does not exist
  • or the source file is newer than the encrypted file

  8. writes encryption output to a temporary file first

Example:

file.pdf.age.tmp

  9. if encryption succeeds, replaces the final .age file atomically

This avoids leaving broken encrypted files if encryption fails halfway.

  10. removes encrypted files that no longer have a matching source file

Example:

~/OneDrive/encrypted/old.pdf.age

is removed if:

~/estsolstitiale/source/old.pdf

does not exist.

  11. removes empty directories

  12. optionally runs OneDrive upload:

onedrive --synchronize --verbose
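
The flow above, condensed into one function as an added example (this is not the project's own code). The names encrypt_tree, needs_update and age_encrypt are hypothetical, "newer" is assumed to mean a later modification time, and the encryptor is injectable so the update, atomic-replace and orphan logic can be exercised without the age binary; dry_run returns the planned actions without touching anything.

```python
import os
import subprocess
from pathlib import Path

MAX_SIZE = 10 * 1024 * 1024 * 1024  # limit stated in the README


def age_encrypt(public_key, src, dst):
    """Encrypt src to dst with the age CLI (command form from the README)."""
    subprocess.run(["age", "-r", public_key, "-o", str(dst), str(src)], check=True)


def needs_update(src, dst):
    """True when dst is missing or src has a later mtime (assumed meaning of 'newer')."""
    return not dst.exists() or src.stat().st_mtime > dst.stat().st_mtime


def encrypt_tree(source, encrypted, public_key, encrypt=age_encrypt, dry_run=False):
    """Mirror source/ into encrypted/ as .age files and return the actions taken."""
    source, encrypted = Path(source), Path(encrypted)
    actions, expected = [], set()
    # Assumption of this example: symlinks are skipped rather than followed.
    files = sorted(p for p in source.rglob("*") if p.is_file() and not p.is_symlink())
    for src in files:
        rel = src.relative_to(source)
        dst = encrypted / rel.parent / (rel.name + ".age")
        # Registered before the size check so an oversized source never
        # causes its existing .age file to be treated as an orphan.
        expected.add(dst)
        if src.stat().st_size > MAX_SIZE:
            actions.append(("skip-too-large", rel.as_posix()))
            continue
        if not needs_update(src, dst):
            continue
        actions.append(("encrypt", rel.as_posix()))
        if dry_run:
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        tmp = dst.with_name(dst.name + ".tmp")
        try:
            encrypt(public_key, src, tmp)
            os.replace(tmp, dst)  # atomic: tmp and dst are in the same directory
        except BaseException:
            tmp.unlink(missing_ok=True)  # never leave a partial file to be uploaded
            raise
    if encrypted.is_dir():
        for enc in sorted(encrypted.rglob("*.age")):
            if enc.is_file() and enc not in expected:
                actions.append(("remove-orphan", enc.relative_to(encrypted).as_posix()))
                if not dry_run:
                    enc.unlink()
        if not dry_run:
            dirs = [p for p in encrypted.rglob("*") if p.is_dir()]
            for d in sorted(dirs, key=lambda p: len(p.parts), reverse=True):
                if not any(d.iterdir()):  # deepest directories are checked first
                    d.rmdir()
    return actions
```

Because the temporary file sits next to the final .age file, a sync client that runs in the middle of an encryption can still pick up a *.tmp file; running the upload only after the function returns avoids that.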

Decryption Flow

When you run:

python3 estsolstitiale.py decrypt

the script does this:

  1. loads the configuration
  2. checks that age exists
  3. scans all .age files in:

~/OneDrive/encrypted

  4. computes the matching decrypted path

Example:

~/OneDrive/encrypted/folder/file.pdf.age

becomes:

~/estsolstitiale/decrypted/folder/file.pdf

  5. skips files that are already up to date

A file is decrypted if:

  • the decrypted file does not exist
  • or the encrypted file is newer than the decrypted file

  6. writes decrypted output to a temporary file first

Example:

file.pdf.tmp

  7. if decryption succeeds, replaces the final decrypted file

  8. removes decrypted files that no longer have a matching encrypted .age file

  9. removes empty directories


Dry-Run Mode

Dry-run means:

show what would happen, but do not modify anything.

Example:

python3 estsolstitiale.py encrypt --dry-run --no-upload

In dry-run mode, the script does not:

  • encrypt files
  • decrypt files
  • delete orphan files
  • remove directories
  • upload to OneDrive

It only logs the actions it would perform.

This is useful before a first real run or before deleting/moving many files.


GUI Mode

The GUI uses tkinter.

It does not implement different logic. It calls the same Python functions as the CLI:

encrypt_sync()
decrypt_sync()
first_setup()
load_config()
ensure_directories()

Long tasks run in a background thread so the interface does not freeze.

Logs are redirected to a queue and displayed in the log area at the bottom of the window.


CLI Mode

The CLI mode uses argparse.

The command is parsed here:

parse_args()

Then routed through:

run_cli()

If the command is:

cli

or:

menu

the script opens the interactive terminal menu.

If the command is:

encrypt
decrypt
setup
reset-config

the script runs that action directly.


Security Model

Estsolstitiale protects file contents before they reach OneDrive.

It does not hide everything.

Protected

The following are encrypted:

  • document contents
  • PDF contents
  • text contents
  • images
  • archives
  • any file payload

Not Fully Protected

The following may still be visible to OneDrive or the organization:

  • filenames
  • folder names
  • file sizes
  • modification times
  • number of files
  • upload times
  • account metadata

Example:

Medical_Report.pdf.age

still reveals that a file probably relates to a medical report.

If that matters, rename files before encryption:

001.age
002.age
003.age

or store files inside an encrypted archive before putting them in source.
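
One way to do the renaming without losing track of the original names, as an added example that is not part of Estsolstitiale. It assumes the readable files live in a separate clear directory and that ~/estsolstitiale/source is used as the staging directory; stage_opaque, restore_names and manifest.json are hypothetical names. The manifest is staged like any other file, so OneDrive only receives it as manifest.json.age, and numbers stay stable between runs so unchanged files are not re-encrypted.

```python
import json
import shutil
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical name; holds {original path: opaque name}


def stage_opaque(clear_dir, staging_dir):
    """Copy clear_dir into staging_dir under flat numeric names; return the mapping."""
    clear_dir, staging_dir = Path(clear_dir), Path(staging_dir)
    staging_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = staging_dir / MANIFEST
    mapping = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    next_id = max((int(v) for v in mapping.values()), default=0) + 1
    present = set()
    for f in sorted(p for p in clear_dir.rglob("*") if p.is_file()):
        rel = f.relative_to(clear_dir).as_posix()
        present.add(rel)
        if rel not in mapping:  # known files keep the number they already have
            mapping[rel] = f"{next_id:03d}"
            next_id += 1
        target = staging_dir / mapping[rel]
        if not target.exists() or f.stat().st_mtime > target.stat().st_mtime:
            shutil.copy2(f, target)  # copy2 keeps the mtime, so reruns are no-ops
    for rel in [r for r in mapping if r not in present]:
        # The clear file is gone: drop the staged copy and its manifest entry.
        (staging_dir / mapping.pop(rel)).unlink(missing_ok=True)
    manifest_path.write_text(json.dumps(mapping, indent=2, sort_keys=True))
    return mapping


def restore_names(decrypted_dir, out_dir):
    """Rebuild the original tree in out_dir from a decrypted staging directory."""
    decrypted_dir, out_dir = Path(decrypted_dir), Path(out_dir)
    mapping = json.loads((decrypted_dir / MANIFEST).read_text())
    restored = []
    for rel, opaque in sorted(mapping.items()):
        rel_path = Path(rel)
        # Refuse manifest entries that would write outside out_dir.
        if rel_path.is_absolute() or ".." in rel_path.parts:
            raise ValueError(f"unsafe path in manifest: {rel}")
        target = out_dir / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(decrypted_dir / opaque, target)
        restored.append(rel)
    return restored
```

With this layout the organization sees only numbered .age files in one flat folder; file sizes, file count and upload times remain visible.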


Privacy Limits

Estsolstitiale is not magic.

It does not:

  • make OneDrive anonymous
  • hide that you uploaded encrypted files
  • hide your account identity
  • hide file sizes
  • hide folder structure
  • protect files already uploaded unencrypted before using the tool
  • replace a full encrypted filesystem
  • replace operational security

It does one thing well:

It prevents OneDrive from receiving readable file contents.


Important Safety Notes

Keep your private key safe.

If you lose:

~/estsolstitiale/config/age_key.txt

and you have no backup, you may lose access to your encrypted files.

Back it up offline, for example:

cp ~/estsolstitiale/config/age_key.txt ~/secure-backup/age_key.txt

Do not upload your private key to OneDrive.

Do not put the private key inside:

~/estsolstitiale/source

Do not put the private key inside:

~/OneDrive/encrypted

The private key is the only thing that lets you recover your files from the encrypted online copies.


Recommended OneDrive Configuration

If you see errors like:

Stream error in the HTTP/2 framing layer

during upload, this is usually an issue with the OneDrive Linux client, HTTP/2, curl, or the network path.

A known workaround is to force HTTP/1.1 in the OneDrive client configuration:

force_http_11 = "true"

Edit:

nano ~/.config/onedrive/config

Add:

force_http_11 = "true"

Then run:

onedrive --synchronize --verbose

Troubleshooting

Command not found: age

Install age.

Debian / Ubuntu:

sudo apt install age

Arch:

sudo pacman -S age

Fedora:

sudo dnf install age

age is available through multiple operating system package managers, including apt, pacman, dnf, Homebrew, Chocolatey, and Scoop.


Command not found: onedrive

Install the OneDrive Linux client.

Then authenticate it:

onedrive

Follow the browser login instructions.

After authentication, test:

onedrive --synchronize --verbose

GUI does not start

Install Tkinter.

Debian / Ubuntu:

sudo apt install python3-tk

Fedora:

sudo dnf install python3-tkinter

Arch:

sudo pacman -S tk

Then retry:

python3 estsolstitiale.py gui

Tkinter can be tested with:

python3 -m tkinter

Python documentation says this command should open a small window when Tkinter is installed correctly.


Configuration not found

Run:

python3 estsolstitiale.py setup

or open the GUI and click:

Setup

Public key invalid

A valid age public key usually starts with:

age1

Example:

age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can derive it from your private key:

age-keygen -y ~/.config/age/key.txt

Private key invalid

A valid age private key file contains a line starting with:

AGE-SECRET-KEY-

If your file does not contain that, it is probably not an age private key.
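
The key-format checks above and the placement rules from Important Safety Notes can be run together before an upload; the following is an added example, not code from the project. check_key_setup, contains_secret_key and the 4096-byte scan limit are assumptions of this sketch; it only inspects prefixes, file mode and location, and does not verify that the public key matches the private key.

```python
import stat
from pathlib import Path

KEY_MARKER = "AGE-SECRET-KEY-"  # line prefix of an age private key, per the README
SCAN_LIMIT = 4096  # assumption: an age key file is far smaller than this


def contains_secret_key(path):
    """True if a small file has a line starting with the age secret-key marker."""
    try:
        if path.stat().st_size > SCAN_LIMIT:
            return False
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return any(line.strip().startswith(KEY_MARKER) for line in text.splitlines())


def check_key_setup(private_key, public_key, synced_dirs):
    """Return a list of problems; an empty list means every check passed."""
    key = Path(private_key).expanduser().resolve()
    if not key.is_file():
        return [f"private key file not found: {key}"]
    problems = []
    if not contains_secret_key(key):
        problems.append(f"{key} has no line starting with {KEY_MARKER}")
    if not public_key.strip().startswith("age1"):
        problems.append("public key does not start with age1")
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set
        problems.append(f"private key mode is {mode:o}, expected 600")
    for d in synced_dirs:
        root = Path(d).expanduser().resolve()
        if root in key.parents:
            problems.append(f"private key is stored inside {root}")
        if root.is_dir():
            for f in sorted(root.rglob("*")):
                if f.is_file() and f != key and contains_secret_key(f):
                    problems.append(f"copy of a secret key found: {f}")
    return problems


if __name__ == "__main__":
    home = Path.home()
    cfg = home / "estsolstitiale" / "config"
    pub_file = cfg / "public_key.txt"
    pub = pub_file.read_text() if pub_file.exists() else ""
    dirs = [home / "estsolstitiale" / "source", home / "OneDrive" / "encrypted"]
    for problem in check_key_setup(cfg / "age_key.txt", pub, dirs):
        print("WARNING:", problem)
```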


Files are not uploaded

First encrypt without upload:

python3 estsolstitiale.py encrypt --no-upload

Then check:

~/OneDrive/encrypted

If .age files exist there, Estsolstitiale worked.

Then test OneDrive manually:

onedrive --synchronize --verbose

If that fails, the issue is likely with the OneDrive client configuration, not Estsolstitiale.


Example

Create a test file:

mkdir -p ~/estsolstitiale/source
echo "private note" > ~/estsolstitiale/source/note.txt

Encrypt:

python3 estsolstitiale.py encrypt --no-upload

You should see:

~/OneDrive/encrypted/note.txt.age

Decrypt:

python3 estsolstitiale.py decrypt

You should see:

~/estsolstitiale/decrypted/note.txt

Check content:

cat ~/estsolstitiale/decrypted/note.txt

Expected:

private note
