Security & Encryption
Every byte of your data is encrypted at rest with AES-256-GCM. Cloud sharing wraps item keys with RSA-4096-OAEP per recipient. Authentication uses SRP-6a so passwords never cross the wire.
Cryptographic primitives
| Layer | Algorithm | Where it lives |
|---|---|---|
| File-at-rest encryption | AES-256-GCM | Local files in ~/.vortex/ with the VXENC1 magic header. |
| Master key storage | OS keychain via Electron safeStorage | macOS Keychain · Windows DPAPI · libsecret on Linux. File-permission fallback if unavailable. |
| SSH host vault | AES-256-GCM (MPVAULT2 format) | Encrypted .mpvault files for migration / backup. |
| Vault sharing | RSA-4096-OAEP (item-key wrap) | Each recipient's pubkey wraps the item key client-side; servers see only encrypted blobs. |
| Password authentication | SRP-6a | Mutual auth without ever sending the password. |
| Vault password derivation | Argon2id | Tunable memory/time cost; salt per user. |
What's encrypted automatically
- Settings, SMTP captures, SSH hosts, snippets, FTP hosts, SQL connections, API clusters, AI config, cloud auth tokens, agent memory, embeddings.
- Plain JSON files left over from older versions are auto-migrated to encrypted form on first read.
- Per-user data lives under ~/.vortex/users/{userId}/; per-profile under ~/.vortex-{profileName}/.
Electron hardening
- contextIsolation: true
- sandbox: true
- webSecurity: true
- All IPC goes through the preload bridge — renderers cannot access Node directly.
- Email HTML iframes are sandboxed (allow-same-origin allow-popups); HTTP links open in the system browser.
- OAuth (Google, GitHub) opens a separate BrowserWindow with no nodeIntegration.
Local execution safety
- The Tinker REPL only allows whitelisted commands (ls, find) with strict argument validation; no shell interpretation.
- Dangerous shell metacharacters in args are rejected.
- Protected directories (.ssh, /etc, .gnupg, .vortex) are blocked from reads.
- Path traversal (..) is blocked by isPathSafe().
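
The checks in this list, sketched as an added example; this is not Vortex's own code. The isPathSafe() body here is a hypothetical stand-in for the function the page names, and the per-command option lists, the metacharacter set and the base directory are assumptions.

```javascript
// Added example, not Vortex's own code. Allowlist validation for REPL input.
const path = require("node:path").posix; // POSIX rules keep the demo deterministic

// Commands are from the page; the per-command option lists are assumptions.
const ALLOWED = {
  ls: new Set(["-l", "-a", "-la", "-h"]),
  find: new Set(["-name", "-type", "-maxdepth"]), // no -exec, -delete, -fprint
};
const PROTECTED_NAMES = [".ssh", ".gnupg", ".vortex"]; // blocked at any depth
const PROTECTED_ROOTS = ["/etc"];                      // blocked absolute prefixes
const METACHARS = /[;&|`$<>\\'"\n\r\0]/;               // assumed reject set

// Hypothetical stand-in for the isPathSafe() the page names. Lexical only:
// resolve symlinks (fs.realpathSync) before calling it on a real file system.
function isPathSafe(arg, baseDir) {
  if (arg.split("/").includes("..")) return false; // traversal segment
  const abs = path.resolve(baseDir, arg);
  if (PROTECTED_ROOTS.some((r) => abs === r || abs.startsWith(r + "/"))) return false;
  return !abs.split("/").some((seg) => PROTECTED_NAMES.includes(seg));
}

// argv is an array, never a command string, so it can be handed to
// child_process.execFile(cmd, args), which does not start a shell.
function validateCommand(argv, baseDir) {
  if (!Array.isArray(argv) || argv.length === 0) return { ok: false, reason: "empty" };
  const [cmd, ...args] = argv;
  if (!Object.hasOwn(ALLOWED, cmd)) return { ok: false, reason: "command" };
  for (const a of args) {
    if (typeof a !== "string" || METACHARS.test(a)) return { ok: false, reason: "metachar" };
    if (a.startsWith("-")) {
      if (!ALLOWED[cmd].has(a)) return { ok: false, reason: "option" };
    } else if (!isPathSafe(a, baseDir)) {
      return { ok: false, reason: "path" };
    }
  }
  return { ok: true, cmd, args };
}

// Constructed sample inputs.
const BASE = "/home/demo/project";
const samples = [["ls", "-la", "src"], ["find", ".", "-name", "*.js"],
  ["ls", "../../.ssh"], ["ls", "/etc/passwd"], ["find", ".", "-exec", "id"],
  ["ls", "src; cat x"], ["cat", "notes.txt"]];
for (const s of samples) console.log(JSON.stringify(s), validateCommand(s, BASE));
```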
Network & transport
- HTTPS enforced for any non-localhost cloud server URL.
- Self-signed certs supported in the API client (rejectUnauthorized: false) opt-in per request.
- SSL errors silently suppressed only for malformed email-captured content (never for cloud sync).
- Auto-update payloads are signed (Developer ID on macOS, EV cert on Windows) and notarised.
Audit-friendly defaults
Read-only auditors can verify the file format with the VXENC1 magic header, decrypt with the OS keychain key, and parse the resulting JSON. The format is documented in VTX Binary Format.