Entrusted is a document sanitizer tool that converts “potentially suspicious files” into safe PDFs:
- This is achieved by removing active content inside a “lightweight sandbox” (containerization)
- Please note that this tool doesn’t provide absolute security guarantees
Unless you use the live CD, you MUST install either Docker or Podman prior to launching the program. On Mac OS, you specifically need Docker Desktop.
YouTube presentation and PDF slides about Entrusted.
Key features include the following:
- Files are processed inside a “sandbox” (disabled internet connectivity)
- The application is multilingual (English and French translations for now)
- Password-protected files are supported (known Office document formats and PDF files)
- The sanitization of huge documents is frictionless
- Optionally, OCR can be applied to PDF results (selectable and searchable text)
- Files can be converted in batch (sequentially)
- PDF result quality is configurable (processing speed vs. better looking output)
- A Web server with a user interface is available and can act as an “online service”
- The live CD provides both enhanced security and configuration convenience
Do you identify yourself in one of the situations below?
- I suspect that my computer might have been infected a few times after opening documents
- I “acquire” documents from file sharing applications or the Dark Web
- I often need to open email attachments from unfamiliar senders
- I download files from “potentially non-trusted websites”
The following file types can be processed with Entrusted:
- PDF files (.pdf)
- Text Documents (.rtf, .doc, .docx, .odt)
- Presentations (.ppt, .pptx, .odp)
- Spreadsheets (.xls, .xlsx, .ods)
- Images (.jpg, .jpeg, .gif, .png, .tif, .tiff)
- OpenDocument Drawing Document Format (.odg)
There are three user interfaces (Desktop, Command-Line and Web):
- The graphical Desktop interface is recommended for most users
- If you prefer the Web interface, please download the live CD for an out-of-the-box user experience:
  - You can run the live CD with tools such as QEMU, VirtualBox, Hyper-V, VMware, Parallels, etc.
  - The Web interface can be accessed at the address http://localhost:13000
    - Replace localhost by the IP address of your virtual machine in the above-mentioned link
    - You might need to map or forward port 13000 depending on your virtualization solution network settings.
Please visit the releases page for downloads (64-bit: amd64/x86_64 and aarch64/arm64).
- aarch64 (i.e., arm64) builds are not yet available for Windows
- For Linux, when in doubt, pick the glibc file, unless you’re sure about your system
  - You cannot expect a binary built with musl libc to run with gnu libc (unless statically linked)
  - Most Linux distributions use glibc as C implementation library (Ubuntu, Fedora, etc.)
  - Alpine Linux uses musl. Some distributions provide a musl flavor (Void Linux, Gentoo, etc.)
- Ignore any warnings about trusting the application under Windows or Mac OS, the binaries are not signed
  - Notes for Mac OS
  - Notes for Windows: Click “Ignore” or “Run”, if you get a warning dialog.
“System” | Artifact | Description |
---|---|---|
Linux | entrusted-<version>-linux-amd64-glibc.deb | Desktop and CLI clients (Debian-Like distros) |
Linux | entrusted-<version>-linux-amd64-glibc.rpm | Desktop and CLI clients (Redhat-Like distros) |
Linux | entrusted-<version>-linux-amd64-glibc.tar | Archive with all programs |
Linux | entrusted-<version>-linux-amd64-musl.tar | Archive with all programs (musl libc) |
Linux | entrusted-<version>-linux-aarch64-glibc.deb | Desktop and CLI clients (Debian-Like distros) |
Linux | entrusted-<version>-linux-aarch64-glibc.rpm | Desktop and CLI clients (Redhat-Like distros) |
Linux | entrusted-<version>-linux-aarch64-glibc.tar | Archive with all programs |
Linux | entrusted-<version>-linux-aarch64-musl.tar | Archive with all programs (musl libc) |
Mac OS | entrusted-<version>-macos-amd64.dmg | Installer with the Desktop and CLI clients |
Mac OS | entrusted-<version>-macos-amd64.zip | Archive with all programs |
Mac OS | entrusted-<version>-macos-aarch64.dmg | Installer with the Desktop and CLI clients |
Mac OS | entrusted-<version>-macos-aarch64.zip | Archive with all programs |
Windows | entrusted-<version>-windows-amd64.exe | Installer with the Desktop and CLI clients |
Windows | entrusted-<version>-windows-amd64.zip | Archive with all programs |
Live CD | entrusted-<version>-livecd-amd64.iso | Web interface Live CD for virtual machines |
Live CD | entrusted-<version>-livecd-aarch64.iso | Web interface Live CD for virtual machines |
It is assumed that you can allocate at least 1 GB of memory for document processing.
- Operating System: Linux, Mac OS or Windows
- Container Runtime: Podman (Linux) or Docker (Linux, Mac OS, Windows). On Mac OS, you specifically need Docker Desktop.
Conversions will fail if the container solution is not running or available in your “PATH settings”:
- The tool doesn’t attempt to modify software on your machine (install or change programs)
- The tool doesn’t attempt to manage software on your machine (start or stop services)
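A pre-flight check for the requirement above, as an added example that is not part of Entrusted: it reports whether Podman or Docker is on PATH and whether the engine actually answers `info`. The function names and the podman-before-docker probe order are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Entrusted code): check for a usable container runtime.
# Assumption: podman is probed before docker; the page does not state
# which one Entrusted prefers when both are installed.

# Print the name of the first runtime that is on PATH *and* answers `info`.
# Return status: 0 = usable runtime found,
#                1 = a binary is on PATH but the engine does not respond,
#                2 = neither podman nor docker is on PATH.
find_container_runtime() {
    found_binary=0
    for rt in podman docker; do
        if command -v "$rt" >/dev/null 2>&1; then
            found_binary=1
            # `info` needs a reachable engine, so it also catches the
            # "installed but not running" case (e.g. Docker Desktop stopped).
            if "$rt" info >/dev/null 2>&1; then
                printf '%s\n' "$rt"
                return 0
            fi
        fi
    done
    if [ "$found_binary" -eq 1 ]; then
        return 1
    fi
    return 2
}

# Human-readable wrapper; call it before starting a conversion.
preflight() {
    status=0
    runtime=$(find_container_runtime) || status=$?
    case $status in
        0) echo "OK: $runtime is on PATH and responding" ;;
        1) echo "FAIL: runtime found on PATH but not responding (is it started?)" ;;
        2) echo "FAIL: neither podman nor docker is on PATH" ;;
    esac
    return "$status"
}
```

Since the tool neither installs nor starts services, a status of 1 or 2 has to be fixed by hand before conversions can succeed.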
- YouTube presentation about Entrusted (PDF slides here)
- Dangerzone, the application that Entrusted is originally based on
- Disabling file preview and thumbnails (Windows, Mac OS, Unix/Linux: Gnome, KDE, etc.)
- Security vulnerabilities for Podman, Docker
- A few general vulnerability scanning tools: lynis, ssh-audit
- A few container vulnerability scanning tools: Trivy, Clair, ThreatMapper