Vault Feature Tour

Vault focuses on practical, modern security features that work completely offline. Each capability below is available today and covered by tests in the repository.

Core security

Biometric + passphrase unlock

• Uses Android BiometricPrompt to require fingerprint, face, or device credential on every unlock.
• Optional master passphrase that is strengthened with Argon2id for memory-hard resistance against brute force.

Hardware-backed key storage

• Secrets are encrypted with AES-GCM.
• Data Encryption Key (DEK) is wrapped by the Android Keystore with user authentication requirements.
• Optional second factor using your master passphrase.

Auto-wipe and lockout

• Configurable failed-attempt counter.
• Automatically wipes the encrypted vault after repeated failed unlocks to protect against physical attacks.

Data lifecycle

Offline backups and restores

• Uses Android’s Storage Access Framework (SAF) to let you pick any storage location.
• Backup files are encrypted blobs; only you can decrypt them with the backup passphrase.
• Restore flow merges or replaces entries with conflict safeguards.

Password generation

• Built-in generator using SecureRandom with custom length, symbol set, and entropy display.

Bluetooth HID typing

• Foreground service that emulates a Bluetooth keyboard.
• Types credentials into a paired device without ever touching the clipboard.
• Designed for kiosks or locked-down systems where clipboard use is risky.

User experience

Compose UI

• Modern Material 3 interface built with Jetpack Compose.
• Dark theme, accessibility labels, and large touch targets by default.

Quick search and categorization

• Filter credentials by name, tag, or usage.
• Bookmark frequent entries for rapid access.

Root detection and integrity checks

• Refuses to run on rooted or tampered devices.
• Integrates with SafetyNet/Play Integrity when available.

Developer & maintainer tooling

Automated release pipeline

• GitHub Actions workflow builds signed APK/AAB artifacts when you push a version tag (v*).
• Uploads binaries to Releases and retains workflow artifacts for auditing.

Local release scripts

• scripts/prepare_release.sh assembles production builds, runs tests, and collects artifacts.
• scripts/create_keystore.sh generates signing keys, passwords, base64 payload, and can push GitHub secrets.

Documentation-first

• Detailed architecture and testing guides live in the repository (docs/ARCHITECTURE.md, docs/TESTING.md).

---

👉 Next: Learn what you need to do as a Vault operator on the site home page, or jump to the User Manual for task-level walkthroughs.