Crypto-steganography toolkit. Hide encrypted messages inside ordinary files.
Stegcore combines cryptography and steganography. It encrypts your payload and hides the ciphertext inside an ordinary image or audio file. The result looks and sounds completely normal. Only someone with the correct passphrase and key file can recover what's inside.
Unlike basic steganography tools that hide data without encrypting it, Stegcore ensures the payload is unreadable even if someone extracts it. Unlike basic encryption tools, Stegcore ensures the payload isn't even visible.
Three ciphers: Ascon-128 (NIST lightweight standard), ChaCha20-Poly1305, and AES-256-GCM. All use Argon2id key derivation.
Adaptive LSB steganography: Payload bits are scattered across high-entropy, high-texture regions of the cover image using spread spectrum techniques, making detection significantly harder than standard LSB.
Deniable dual payload: Embed two separately encrypted payloads into one cover image. One passphrase reveals the real message; another reveals a plausible decoy. Neither key file identifies itself.
Multiple formats: PNG and BMP via adaptive or sequential LSB, JPEG via pixel-domain LSB (output saved as PNG), WAV via audio sample LSB.
Cover image scoring: Before embedding, Stegcore scores the cover on entropy, texture density, and resolution. Poor covers are flagged before you commit.
Zstandard compression: Payloads are compressed before encryption, improving both capacity efficiency and entropy uniformity.
Desktop GUI: A step-by-step interface with dark and light modes.
Full CLI with two modes:
- Wizard mode: Guided step-by-step prompts, ideal if you're new to the terminal. Run
stegcore wizard. - Power mode: Single-line commands with flags for scripting and experienced users.
| Feature | Stegcore | Steghide | OpenPuff | Invisible Secrets |
|---|---|---|---|---|
| Licence | AGPL-3.0 (free) | GPL (free) | Freeware | Commercial (paid) |
| Platform | Windows, Linux, macOS | Linux, Windows | Windows only | Windows only |
| Encryption | Ascon-128, ChaCha20-Poly1305, AES-256-GCM | Rijndael (AES-128) | 16 algorithms incl. AES, Serpent, Twofish | AES, Blowfish, Twofish, RC4 |
| Key derivation | Argon2id (memory-hard, OWASP recommended) | MD5-based | KDF4 (proprietary) | None documented |
| Authenticated encryption (AEAD) | ✅ All ciphers | ❌ | ❌ | ❌ |
| Deniable dual payload | ✅ | ❌ | ✅ | ❌ |
| Cover scoring | ✅ | ❌ | ❌ | ❌ |
| Adaptive LSB (spread spectrum) | ✅ | ❌ | ✅ (non-linear encoding) | ❌ |
| Image formats | PNG, BMP, JPEG | JPEG, BMP | BMP, PNG, JPG, TGA | BMP, PNG, JPG |
| Audio formats | WAV | WAV, AU | MP3, WAV | WAV |
| Video formats | ❌ | ❌ | MP4, AVI, VOB, FLV | ❌ |
| Multi-carrier chaining | ❌ | ❌ | ✅ | ❌ |
| Digital watermarking | ❌ | ❌ | ✅ | ❌ |
| GUI | ✅ Dark + light, cross-platform | ❌ | ✅ Windows | ✅ Windows |
| CLI / scripting support | ✅ Full, with --force flag |
✅ | ❌ | ❌ |
| Wizard / guided mode | ✅ | ❌ | ❌ | ❌ |
| Native binary (no runtime) | ✅ | ✅ | ✅ | ✅ |
| Password manager | ❌ | ❌ | ❌ | ✅ |
| Self-decrypting packages | ❌ | ❌ | ❌ | ✅ |
| Detectable by stegdetect | Adaptive: hard. Sequential: yes | ✅ Known signatures | Partially (video fingerprint known) | ✅ Known signatures |
| Active development | ✅ 2026 | ❌ Last updated 2003 | ||
| Kali Linux included | Targeting | ✅ Default | ❌ | ❌ |
Steghide has been Kali’s default steganography tool for years largely through inertia. It uses MD5 derived keys with no authentication and has not been updated since 2003, though it does support DCT domain JPEG embedding. OpenPuff is technically more advanced with multi carrier support and adaptive encoding, but it is Windows only, lacks a CLI, and does not use authenticated encryption. Invisible Secrets is a commercial Windows privacy suite with bundled tools, though its steganography is basic LSB. Stegcore instead focuses on a modern, cross platform CLI with AEAD encryption, clean failure on wrong passphrases, and simple scriptable workflows aimed at replacing decent, but ageing tools.
From source:
git clone https://github.com/elementmerc/stegcore.git
cd stegcore
pip install -e .Dependencies only:
pip install customtkinter Pillow numpy ascon cryptography argon2-cffi pyzstd typer richPre-built binaries are available on the releases page for Windows, Linux, and macOS. No Python required.
New to the terminal? Use the wizard:
stegcore wizardThe wizard walks you through everything step by step from cover selection, scoring, cipher choice, passphrase, and embedding. No flags needed.
GUI:
stegcore-gui
# or directly:
python main.pyPower-user CLI:
# Score a cover image
stegcore score photo.png
# Embed
stegcore embed photo.png secret.txt stego.png
# Extract
stegcore extract stego.png stego.key.json recovered.txt
# Inspect a key file
stegcore info stego.key.json
# List ciphers
stegcore ciphers
# Full help
stegcore --help
stegcore embed --helpSee USAGE.md for the complete CLI reference.
secret.txt
│
▼
[ Argon2id key derivation (passphrase + random salt) ]
│
▼
[ Zstandard compress payload ]
│
▼
[ Encrypt: Ascon-128 / ChaCha20-Poly1305 / AES-256-GCM ]
│
▼
[ Score cover image — entropy, texture, capacity ]
│
▼
[ Adaptive LSB / WAV sample embedding ]
│
▼
stego.png + stego.key.json
The key file contains only the nonce, salt, cipher name, and steg metadata. Never change the passphrase or derived key. Without both the key file and the correct passphrase, extraction isn't possible.
| Format | Algorithm | Notes |
|---|---|---|
| PNG | Adaptive LSB + spread spectrum | Best capacity and concealment |
| BMP | Adaptive LSB + spread spectrum | Lossless, same as PNG |
| JPEG | Pixel-domain LSB (output saved as PNG) | Use your .jpg photos directly. No conversion needed |
| WAV | Audio sample LSB | PCM audio only |
Two payloads, one cover file. Two key files produced that are structurally identical, neither self-identifying as real or fake.
stegcore embed cover.png real_message.txt stego.png --deniable
# Wizard mode will ask you about this interactively.Under coercion you hand over the decoy key file and decoy passphrase. The real message remains inaccessible and undetectable.
stegcore/
├── main.py # Unified entrypoint — CLI or GUI based on argv[0]
├── cli.py # CLI commands (wizard + power mode)
├── pyproject.toml
├── core/
│ ├── crypto.py # Encryption, key derivation, key file I/O
│ ├── steg.py # Steganographic embed/extract, cover scoring
│ └── utils.py # Shared helpers
├── ui/
│ ├── theme.py # Theme definitions and switcher
│ ├── app.py # Main window and navigation
│ ├── embed_flow.py # 4-step embed wizard
│ └── extract_flow.py # 3-step extract wizard
└── assets/
└── Stag.ico
See ARCHITECTURE.md for a full technical breakdown.
Stegcore is a defensive privacy tool. See SECURITY.md for the full threat model, honest limitations, and responsible use guidance.
Stegcore v3 is a work in progress, and extends the free version with:
- Built-in steganalysis self-test
- PDF and DOCX cover format support
- Batch processing and scripting API
GNU Affero General Public Licence v3.0
Free to use, study, modify, and distribute under the terms of the AGPL-3.0. If you deploy a modified version as a network service, you must make the modified source available.