Advanced Features
Security Architecture
Local-First Cryptographic Blueprint
CmdVault enforces local-first isolation. Credentials and recipes are secured inside an encrypted SQLiteCipher container database.
Warning: We do not store or recover master passwords. If you lose your master key, your local database files cannot be decrypted. Keep a secure physical backup.
E2EE Cloud Sync Mechanics
When sync triggers, recipes are packaged into individual payloads. Payload encryption utilizes AES-GCM-256 with a signature derived from your master credential. The server only sees encrypted JSON blobs and cryptographic signatures, preventing any leakage.