Documentation Menu
Advanced Features

Security Architecture

Local-First Cryptographic Blueprint

CmdVault enforces local-first isolation. Credentials and recipes are secured inside an encrypted SQLiteCipher container database.

Warning: We do not store or recover master passwords. If you lose your master key, your local database files cannot be decrypted. Keep a secure physical backup.

E2EE Cloud Sync Mechanics

When sync triggers, recipes are packaged into individual payloads. Payload encryption utilizes AES-GCM-256 with a signature derived from your master credential. The server only sees encrypted JSON blobs and cryptographic signatures, preventing any leakage.