Security: BaseMax/qt-config-vault

SECURITY.md

Security Policy

Security Features

Qt Config Vault implements industry-standard security practices to protect your sensitive configuration data.

Encryption

  • Algorithm: AES-256-GCM (Galois/Counter Mode)

    • 256-bit key size (maximum AES security)
    • GCM mode provides both encryption and authentication
    • Prevents tampering and ensures data integrity
  • Key Derivation: PBKDF2-HMAC-SHA256

    • 100,000 iterations (meets OWASP recommendations)
    • Random 16-byte salt per encryption
    • SHA-256 hash function
    • Protects against brute-force attacks
  • Nonce Management

    • 12-byte random nonce per encryption
    • Ensures unique encryption for each operation
    • Prevents replay attacks

Password Security

  • Password Hashing: SHA-256

    • One-way hash function
    • Cannot be reversed to recover original password
    • Stored hash used for verification only
  • Password Requirements

    • Minimum 8 characters (enforced)
    • No maximum length
    • Recommended: 12+ characters with mixed case, numbers, symbols
  • No Password Recovery

    • By design, passwords cannot be recovered
    • Lost passwords = lost data (ensure secure backup)
    • This is a security feature, not a bug

Data Protection

  • Encrypted Storage

    • All vault data encrypted at rest
    • No plaintext data on disk
    • Base64 encoding for text file storage
  • Secret Masking

    • Secrets marked with is_secret=True are masked in UI
    • Displayed as •••••••• to prevent shoulder surfing
    • Full value available when editing
  • Auto-Lock

    • 15-minute inactivity timer
    • Automatically locks vault to prevent unauthorized access
    • Requires password re-entry to unlock
  • Secure Memory Handling

    • Passwords not stored in memory longer than necessary
    • Python garbage collection handles cleanup
    • No password caching

File Security

  • Single Encrypted File

    • Default location: ~/.config_vault.json
    • Entire file is an encrypted blob
    • Cannot be read without master password
  • File Permissions

    • User should set restrictive permissions
    • Recommended: chmod 600 ~/.config_vault.json (Linux/Mac)
    • Prevents other users from reading the file

Import/Export Security

  • Encrypted Exports

    • Profile exports use same encryption as vault
    • Encrypted with user's master password
    • Safe to transfer over insecure channels
  • Plaintext Export Warning

    • Plaintext vault export shows clear warning
    • Intended for backup/debugging only
    • User must explicitly confirm

Security Best Practices

For Users

  1. Strong Master Password

    • Use 12+ characters
    • Mix uppercase, lowercase, numbers, symbols
    • Avoid dictionary words
    • Don't reuse passwords from other services
  2. Password Storage

    • Store master password in a reputable password manager
    • Don't write it down in plain text
    • Don't share it via email/chat
  3. Backup Strategy

    • Regular encrypted exports
    • Store backups in secure locations
    • Test restore process periodically
  4. System Security

    • Keep OS and Python up to date
    • Use full-disk encryption
    • Lock screen when away
    • Don't run as root/administrator
  5. File Permissions

    • Set restrictive permissions on vault file
    • Linux/Mac: chmod 600 ~/.config_vault.json
    • Windows: Set NTFS permissions to restrict access
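The File Permissions items above (under File Security and under For Users) recommend chmod 600 after the fact. The added example below, which is not Qt Config Vault's own code, creates the file with mode 0600 from the first byte and audits an existing file. The function names `write_private` and `audit_permissions` are hypothetical, and the code assumes a POSIX system (Linux/Mac).

```python
import os
import stat
import tempfile


def write_private(path: str, data: bytes) -> None:
    """Write `data` to `path` so the file is never readable by group/other."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temporary file with mode 0600 regardless of umask,
    # so there is no window in which the vault sits on disk as 0644.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".vault-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename; the 0600 mode is preserved
    except BaseException:
        os.unlink(tmp)
        raise


def audit_permissions(path: str) -> list[str]:
    """Return a list of findings for a vault file; an empty list means OK."""
    st = os.lstat(path)  # lstat: inspect the path itself, not a link target
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != os.getuid():
        findings.append("not owned by current user")
    extra = stat.S_IMODE(st.st_mode) & 0o077  # any group/other permission bit
    if extra:
        findings.append(f"group/other bits set: {extra:03o}")
    return findings
```
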

For Developers

  1. Dependencies

    • Use official cryptography library (industry standard)
    • Keep dependencies up to date
    • Monitor security advisories
  2. Code Review

    • All encryption code should be reviewed
    • Follow OWASP guidelines
    • Don't implement custom crypto
  3. Testing

    • Test encryption/decryption
    • Test wrong password rejection
    • Test data integrity
  4. No Backdoors

    • No password recovery mechanisms
    • No hardcoded keys
    • No telemetry or phoning home

Threat Model

What Qt Config Vault Protects Against

Data at Rest Attacks

  • Attacker has access to vault file but not password
  • File encryption makes data unreadable

Brute Force Attacks

  • PBKDF2 with 100,000 iterations slows down attempts
  • Strong password makes brute force impractical

Tampering

  • GCM authentication tag prevents data modification
  • Modified data will fail decryption
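The scheme from the Encryption section (PBKDF2-HMAC-SHA256 with 100,000 iterations and a 16-byte salt, AES-256-GCM with a 12-byte nonce, Base64 output) and the tamper rejection described here, as an added example using the `cryptography` library; it is not Qt Config Vault's own code. The blob layout (salt, then nonce, then ciphertext and tag) and the function names are assumptions.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

SALT_LEN, NONCE_LEN, ITERATIONS = 16, 12, 100_000  # values listed on this page
TAG_LEN = 16  # GCM authentication tag appended to the ciphertext


def _derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 producing a 32-byte key for AES-256."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=ITERATIONS)
    return kdf.derive(password.encode("utf-8"))


def seal(password: str, plaintext: bytes) -> str:
    """Encrypt with a fresh random salt and nonce; return Base64 text.

    Assumed layout (not taken from the project): salt || nonce || ct+tag.
    """
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ct = AESGCM(_derive_key(password, salt)).encrypt(nonce, plaintext, None)
    return base64.b64encode(salt + nonce + ct).decode("ascii")


def open_sealed(password: str, blob_b64: str) -> bytes:
    """Decrypt; raises ValueError on a wrong password or modified data."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt, nonce = raw[:SALT_LEN], raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = raw[SALT_LEN + NONCE_LEN:]
    try:
        return AESGCM(_derive_key(password, salt)).decrypt(nonce, ct, None)
    except InvalidTag:
        # GCM cannot tell a wrong key from tampered data: both fail the tag.
        raise ValueError("authentication failed") from None


def flip_last_bit(blob_b64: str) -> str:
    """Return a copy of the blob with one bit of the tag changed."""
    raw = bytearray(base64.b64decode(blob_b64))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")
```

Because the salt and nonce are drawn fresh on every call, sealing the same plaintext twice yields two different blobs, and both still open with the same password.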

Shoulder Surfing

  • Secret masking hides sensitive values
  • Auto-lock protects when unattended

What Qt Config Vault Does NOT Protect Against

Memory Attacks

  • Decrypted data exists in memory when vault is unlocked
  • Advanced attackers with memory access can read data

Keyloggers

  • Hardware/software keyloggers can capture password
  • Use trusted systems only

Screen Capture

  • Screenshots can capture visible data
  • Be aware of screen sharing/recording

Physical Access

  • Attacker with full system access can install backdoors
  • Physical security is essential

Weak Passwords

  • Short/common passwords can be brute-forced
  • Use strong, unique passwords

Social Engineering

  • Attacker tricking user into revealing password
  • User awareness is critical

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email the maintainer directly (see repository profile)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide updates as we investigate.

Security Updates

  • Security fixes are prioritized
  • Critical vulnerabilities will be patched immediately
  • Users will be notified via GitHub releases
  • Keep your installation up to date

Cryptography Notice

This software uses strong cryptography. Some countries restrict the import, export, or use of encryption software. Please check your local laws before using Qt Config Vault.

Disclaimer

Qt Config Vault is provided "as is" without warranty of any kind. While we implement industry-standard security practices, no software is 100% secure. Use at your own risk and maintain proper backups.

Security Audit Status

  • Last Internal Review: December 2025
  • External Audit: Not yet performed
  • Known Issues: None at time of writing

For production use of highly sensitive data, consider having the code professionally audited.
