
Safe Vault (beta)
Enter your master password
Safe Vault is in Beta
This app is under active development. You may run into some issues:
• Data loss: updates may reset the vault in extreme edge cases
• AI responses may be slow or fail occasionally
• Large file uploads may stall on slow connections
• Some AI models may be temporarily unavailable
• Data may not sync immediately across devices
Your vault is empty
Tap + to add your first item
New item
✨ AI Tools
AI Model
🛡️ Safe Vault Security Guide
🛡️ Security guide + live vault audit
This panel now explains how Safe Vault really protects data, where the limits are, and what needs attention in your current vault.
Vault status
Checking…
Open this panel after unlocking to inspect the current vault.
Hardening update
Security & stability sweep
Lockout persistence, safer URLs, file checks, data sanitization and more.
Reality check
Honest security notes
This app encrypts stored vault data, but no client-side vault can hold up against a compromised device or a weak master password.
🚧 Beta and audit notes
This release includes a broad hardening pass focused on security debt, edge cases and misleading copy. Not every issue becomes a visible bug, so the remaining low-risk items were converted into guardrails, warnings and stricter validation.
📋 Live audit findings
Unlock the vault to generate live findings for weak passwords, duplicate usernames, risky URLs and data hygiene issues.
🔐 How the security system works
1. Your master password is never stored in plain text. The app derives cryptographic keys from it and stores only password-verification data plus the encrypted vault payload.
2. Vault data is encrypted before storage. Current vaults stretch the master password with PBKDF2-SHA-512 at 500,000 iterations, derive separate keys from the result with HKDF-SHA-512, and encrypt with AES-256-GCM for authenticated encryption.
3. Integrity is checked twice. In addition to the AES-GCM authentication tag, the current format stores an HMAC-SHA-256 over the ciphertext, so a corrupted or tampered vault payload is rejected.
4. Each vault write uses fresh randomness. A new random 384-bit salt and 192-bit nonce are generated for every write, so neither keys nor nonces are reused across encryptions.
5. Legacy vaults still open. Older formats can still be unlocked; after a successful unlock the vault is migrated to the current format, so an upgrade never locks anyone out.
🧱 Protections in this build
• Vault auto-lock after 15 minutes of inactivity
• Brute-force lockout after repeated failed attempts
• Password clipboard auto-clear after 30 seconds
• Strict username uniqueness for password entries
• Safer link opening with noopener,noreferrer
• File size and type validation before upload
• Data sanitization for loaded vault items
• AI password analysis sends metadata, not the raw password
🤖 What AI can and cannot see
Passwords are not sent to AI for analysis. The app sends structural metadata only, such as length and character variety.
Notes, document text, and photo OCR/description requests are only sent when you explicitly use those AI actions.
Model quality and privacy practices vary by provider. AI responses can be slow, fail, or produce inaccurate summaries. Review outputs before saving them.
⚠️ Threat model and limits
• If someone fully compromises your device or browser session while the vault is unlocked, they can read whatever you can read; encryption does not protect data that is already decrypted.
• If you forget the master password, there is no recovery path inside this app.
• Exported backups may contain sensitive information. Store them like cash or private keys.
• Client-side crypto improves privacy, but it does not replace device hygiene, OS updates, screen locks and phishing awareness.
🛠️ Big hardening update: what changed
• Fixed misleading security copy so the guide matches the real cryptography used by the app.
• Added a live audit summary to surface weak spots instead of hiding them.
• Improved validation for URLs, uploaded files, and loaded item schemas.
• Reduced brute-force bypass risk by persisting temporary lockout state.
• Added safer handling for malformed vault data and suspicious legacy records.
📦 Item types and safe usage
🔑 Passwords — require a unique username, support strong password generation, and clear copied passwords from the clipboard automatically.
📝 Notes — good for recovery instructions, personal records and secure text snippets.
🖼️ Photos — can be described or scanned for visible text with AI when you choose.
📄 Documents — can store reference files and generate AI summaries on demand.
💡 Practical safety tips
- ⌨️ Press Esc to close open windows
- 🧠 Use a long passphrase you can remember instead of a short complex password you will forget
- ⚡ Prefer generated passwords for important accounts
- 🏷️ Add tags so you can find items without putting sensitive data in titles
- ⬇️ Keep offline backups of anything you cannot afford to lose
- 🔒 Lock the vault before handing your phone or computer to someone else
Choose AI model
OpenAI · Google · Anthropic
Delete this item?
This action cannot be undone.
Change master password
Vault will be fully re-encrypted
Recovery options
Try access checks before resetting anything.