Security

Understand Nokvault's security features and how they protect your data.

Encryption

Nokvault uses AES-256-GCM (Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode) for authenticated encryption. This provides:

  • Confidentiality: data cannot be read without the key
  • Integrity: any modification of the ciphertext, its header or its tag is detected at decryption time
  • Authentication: a file that decrypts successfully was produced by someone holding the key

AES-256 is considered secure against current and foreseeable threats. Grover's algorithm halves the effective key length against a quantum adversary, so a 256-bit key still leaves 128 bits of security; that margin is why AES-256 rather than AES-128 is the conservative choice. GCM has one strict rule: a nonce must never be reused under the same key. Nokvault satisfies it with a fresh random IV and a freshly derived key for every file (see Random Number Generation).

Key Derivation

Passwords are never used directly as encryption keys. Instead, Nokvault uses Argon2id for key derivation:

  • Memory-hard, so GPU and ASIC brute force gains little over a CPU
  • Configurable memory, time (iteration) and parallelism costs
  • Winner of the Password Hashing Competition (2015)
  • The "id" variant mixes data-independent and data-dependent passes, resisting both cache-timing side channels and time-memory trade-offs
  • Per-file salts make precomputed (rainbow) tables useless

Each file uses a unique salt, so the same password yields a different key for every file: identical files produce different ciphertexts, and an attacker must pay the full KDF cost separately for each file. The cost parameters multiply the attacker's work per guess but cannot rescue a weak password; password entropy still matters.

Memory Safety

Sensitive data is handled securely in memory:

  • Passwords and keys are zeroized after use
  • Buffers are cleared before being freed, so freed memory does not hand the key to the next allocation
  • Limits how long sensitive data remains in RAM

Zeroization is best effort: it cannot recall data the operating system has already written to swap or captured in a crash dump, and it does not protect against an attacker who can read process memory while the key is in use.

Timing Attack Protection

Nokvault uses constant-time operations for:

  • Password comparison
  • Key verification
  • Authentication tag checking

The time these comparisons take therefore depends only on the length of the inputs, not on how many leading bytes matched. A byte-by-byte comparison that stops at the first mismatch would instead let an attacker recover a tag or password one byte at a time by measuring response times.
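The leak described above, as an added example that is not Nokvault's own code: an early-exit comparison beside a constant-time one, and a simulated attacker who sees only how much work the comparison did. The work count stands in for a timing measurement so the result is deterministic; the function names and the constructed secret are assumptions for illustration.

```python
import hmac


def leaky_compare(a: bytes, b: bytes) -> tuple:
    """Early-exit comparison: stops at the first differing byte.
    Returns (equal, bytes_inspected). The second value models the measurable
    running time, which grows with the length of the matching prefix."""
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_compare(a: bytes, b: bytes) -> tuple:
    """Same interface, but the work depends only on the length:
    hmac.compare_digest examines every byte no matter where the first
    mismatch is, so the attacker's measurement never changes."""
    return hmac.compare_digest(a, b), len(a)


def recover_tag(secret: bytes, oracle) -> bytes:
    """Simulated attacker who can only observe the oracle's work count.
    Against leaky_compare every position falls within 256 guesses; against
    constant_time_compare the count is constant and the result is garbage."""
    guess = bytearray(len(secret))
    for i in range(len(secret)):
        for candidate in range(256):
            guess[i] = candidate
            equal, inspected = oracle(bytes(guess), secret)
            # A correct byte lets the loop run one step further (or finish).
            if equal or inspected > i + 1:
                break
    return bytes(guess)


if __name__ == "__main__":
    secret = bytes.fromhex("c0ffee1badd00d42")  # constructed 8-byte tag
    print("leaky oracle   :", recover_tag(secret, leaky_compare).hex())
    print("constant-time  :", recover_tag(secret, constant_time_compare).hex())
```

A real attacker averages many requests to see a few nanoseconds of difference per byte, but the structure of the attack is exactly this loop: 256 guesses per position instead of 256 to the power of the tag length.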

File Integrity

Every encrypted file includes a GCM authentication tag that:

  • Detects any modification or corruption of the ciphertext or its header, whether accidental or deliberate
  • Prevents an attacker from altering a file without the change being noticed
  • Ensures plaintext is released only after the whole file has verified

If a file has been tampered with, decryption fails with an authentication error and produces no plaintext. A wrong password produces the same error, because the tag is checked with the key derived from the password; the error means "wrong key or modified file", and the two cases are not distinguishable.

Random Number Generation

Nokvault uses cryptographically secure random number generation for:

  • Initialization vectors (IVs) for each file
  • Salt generation for key derivation
  • Key generation

Each encrypted file uses a unique, randomly generated IV, so identical plaintexts produce different ciphertexts. This also enforces GCM's one rule: a nonce must never repeat under the same key, because a repeat leaks the XOR of the two plaintexts and the authentication subkey, which enables forgeries. With a random 96-bit IV a collision becomes likely only after roughly 2^32 encryptions under one key; since every file also gets its own salt and therefore its own derived key, each key encrypts a single file and that limit is never approached.
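The Encryption, Key Derivation, File Integrity and Random Number Generation sections all describe one container design. The following is an added example of that design, not Nokvault's own code or file format: a per-file random salt and nonce, a key derived from the password, the header authenticated as associated data, and an authentication error on any tampering or wrong password. The magic bytes, field lengths and the use of hashlib.scrypt as a stand-in for Argon2id (which the Python standard library does not ship) are assumptions.

```python
import os
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

# Constructed container layout (an assumption, not Nokvault's real format):
#   MAGIC (4) | salt (16) | nonce (12) | ciphertext || 16-byte GCM tag
MAGIC = b"NKV1"
SALT_LEN = 16
NONCE_LEN = 12        # GCM's standard 96-bit nonce
KEY_LEN = 32          # AES-256
TAG_LEN = 16
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stand-in for Argon2id: scrypt is also memory-hard and is in the stdlib.
    Cost parameters are illustrative (16 MiB, one lane)."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def encrypt_file(password: bytes, plaintext: bytes) -> bytes:
    """Fresh salt and nonce per file: the same password and plaintext never
    produce the same ciphertext, and no nonce is ever reused under one key."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    key = derive_key(password, salt)
    # The header is passed as associated data: authenticated, not encrypted.
    return header + AESGCM(key).encrypt(nonce, plaintext, header)


def decrypt_file(password: bytes, blob: bytes) -> bytes:
    """Returns the plaintext, or raises InvalidTag if the password is wrong or
    any byte of the salt, nonce, ciphertext or tag was altered."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a recognised container")
    header = blob[:HEADER_LEN]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    key = derive_key(password, salt)
    return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], header)


def tamper_is_detected(password: bytes, blob: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (past the magic) and report whether decryption
    refuses the result with an authentication error."""
    mutated = bytearray(blob)
    mutated[offset] ^= 0x01
    try:
        decrypt_file(password, bytes(mutated))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    pw = b"correct horse battery staple"          # constructed sample input
    blob = encrypt_file(pw, b"payroll.csv contents")
    print("round trip ok :", decrypt_file(pw, blob) == b"payroll.csv contents")
    # A flipped bit in the salt, nonce, ciphertext or tag is all rejected.
    for off in (len(MAGIC), len(MAGIC) + SALT_LEN, HEADER_LEN, len(blob) - 1):
        print("tamper at", off, "detected:", tamper_is_detected(pw, blob, off))
    try:
        decrypt_file(b"wrong password", blob)
    except InvalidTag:
        print("wrong password: same authentication error as tampering")
```

Note that the key handed to AESGCM is an immutable bytes object, so this Python sketch cannot zeroize it the way the Memory Safety section describes; that is a limitation of the language, not of the design.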

Best Practices

For additional security, follow these recommendations:

  • Use keyfiles instead of passwords when possible
  • Store keyfiles securely and back them up
  • Rotate keys periodically
  • Use secure deletion for sensitive files
  • Never commit passwords or keyfiles to version control
  • Pass secrets to automation scripts through environment variables or files rather than command-line arguments, which are visible in process listings; remember that environment variables are inherited by every child process
  • Keep Nokvault updated to the latest version

See the Best Practices page for detailed guidance.