Hide. Encrypt. Protect.

A lightweight CLI tool that appends AES-256 encrypted data to any carrier file. Images, videos, and PDFs remain fully functional while hiding your secrets.

Active Session: stego-cli
$ stego hide photo.jpg secret.txt -o hidden.jpg
> Enter encryption password:
> Confirm encryption password:
$ stego scan hidden.jpg
> Payload detected (AES-256-CBC)
$ stego show hidden.jpg -o recovered/
> Extraction complete. SHA-256 verified.

AES-256 Security

PBKDF2-HMAC-SHA256, 100,000 iterations, random 16-byte salt per encryption.

Universal Carriers

Works with any file format — JPG, MP4, PDF, and more.

Non-Destructive

Data is appended after the carrier's original bytes. The file still opens normally.

Installation

System-wide (requires sudo)

Installs to /usr/local/share/stego/ and registers the stego command in /usr/local/bin/. If already installed, it prompts to update.

$ sudo bash install.sh

To uninstall:

$ sudo rm -rf /usr/local/share/stego
$ sudo rm -f /usr/local/bin/stego

No install (any user)

Run directly from the cloned repo — no sudo needed. Only one dependency required.

$ pip3 install cryptography
$ python3 cli/cli.py --help

Commands

stego hide — encrypt and embed data in a carrier file
# Hide a single file
$ stego hide photo.jpg secret.txt -o hidden.jpg
# Hide an entire folder
$ stego hide photo.jpg secrets/ -o hidden.jpg

Argument      Description
carrier       The carrier file (image, video, PDF, etc.)
data          File or folder to hide
-o FILE       Output file (required)
-p PASSWORD   Password — skips confirmation prompt, use with care
-v            Verbose output

Password confirmation: without -p, you will be prompted to enter and confirm:
> Enter encryption password:
> Confirm encryption password:
stego show — decrypt and extract hidden data
$ stego show hidden.jpg -o recovered/

The output folder will contain:

recovered/
├── data/     ← your extracted files
└── original/ ← clean carrier file

Flag          Description
-o FOLDER     Output folder (required)
-p PASSWORD   Password (prompted if omitted)
-v            Verbose output

stego scan — detect hidden data in files
$ stego scan hidden.jpg
$ stego scan ~/Downloads -r -v

Flag          Description
-r            Scan subdirectories recursively
-a            Include hidden files (dotfiles)
-v            Verbose output

Do not modify the output file

Hidden data is appended after the carrier's original bytes. Any operation that rewrites the file will destroy it.

Unsafe — destroys hidden data

  • Opening in an image editor and saving
  • Compressing or optimising the file
  • Converting to another format
  • Uploading to social media

Safe — preserves hidden data

  • Copying or moving the file (cp, mv)
  • Viewing without saving
  • Transferring via USB, SCP, rsync
  • Running stego scan to verify

Security notes

Encryption: AES-256-CBC with PKCS7 padding.
Key derivation: PBKDF2-HMAC-SHA256, 100,000 iterations, random 16-byte salt.
Integrity: SHA-256 checksum verified on every extraction.
Detectability: Hidden data is detectable with stego scan. This tool provides encryption, not invisibility.
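
Because the data sits after the carrier's original bytes, it can be found without the tool by locating the carrier format's own end marker. The following is an added example, not stego's code and not how stego scan works: it walks a JPEG's segments to the EOI marker and counts the bytes that follow. The function names and the sample file are constructed for illustration.

```python
import struct

# Markers that carry no length field: TEM, SOI, RST0-RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))

def jpeg_end(data: bytes) -> int:
    """Return the offset just past EOI, walking segments so that FF D9
    bytes inside a segment payload (e.g. a thumbnail) are skipped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI: logical end of image
            return pos + 2
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seglen
        if marker == 0xDA:                     # SOS: entropy-coded scan follows
            # Inside the scan, FF 00 is a stuffed byte and FF D0..D7 are
            # restart markers; any other FF xx ends the scan.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_bytes(data: bytes) -> int:
    """Number of bytes that follow the carrier's own end marker."""
    return len(data) - jpeg_end(data)

def sample_jpeg() -> bytes:
    """Constructed, structure-only JPEG (segments are valid, pixels are not)."""
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"th\xff\xd9mb"  # FF D9 in payload
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"       # stuffed FF, then RST0
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
```

A nonzero count is a lead, not proof of a payload: some cameras and phones legitimately write data after EOI, such as Multi-Picture Format secondary images.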