Security
LocalKeys is designed with security as the top priority. This page explains how your secrets are protected.
Encryption
Encryption at Rest
Your secrets are encrypted using:
- Algorithm: AES-256-GCM
- Key derivation: PBKDF2-SHA256
- Salt: 32 bytes
Key Derivation
Your master password is never stored. Instead, it is used to derive an encryption key:
Master Password  +  Salt (32 random bytes, unique to the vault)
        ↓
PBKDF2-SHA256 (4,000,000 iterations)
        ↓
Encryption Key (256-bit)
PBKDF2-SHA256 parameters:
- Iterations: 4,000,000
- Key length: 32 bytes (256-bit)
- Salt length: 32 bytes (random, generated when the vault is created and stored in the clear alongside the encrypted data; see Vault File below)
Vault File
| Component | Encrypted |
|---|---|
| Secret keys | Encrypted |
| Secret values | Encrypted |
| Project names | Encrypted |
| Access logs | Encrypted |
| Metadata | Encrypted |
| Salt | No (random, stored in the clear; needed to re-derive the key, but useless without the master password) |
Best Practices
Master Password
- Use at least 12 characters
- Include uppercase, lowercase, numbers, and symbols
- Consider using a passphrase of several unrelated words in the style of "correct-horse-battery-staple" (but not that exact one, which appears in every cracking wordlist)
- Never share your master password
General Security
- Keep LocalKeys updated
- Back up your vault securely
- Lock when not in use
Warning
If you suspect your vault has been compromised, assume every secret in it is known to the attacker: rotate all of them immediately, then delete the existing vault folder (~/.localkeys) before creating a new vault with a new master password.
Threat Model
LocalKeys protects against:
- Malicious programs reading the vault file from disk while it is locked: without the master password they obtain only ciphertext
- Accidental secret exposure in git, because secrets live in the vault under ~/.localkeys rather than in files inside your project tree
- Offline brute-force attacks against a stolen vault file: every password guess must repeat the 4,000,000 PBKDF2 iterations, which slows guessing down but only makes it infeasible if the master password itself is strong
- Physical access to a locked vault (a stolen laptop or backup yields only ciphertext)
LocalKeys does NOT protect against:
- Keyloggers or other malware capturing your master password as you type it
- Full system compromise: an attacker running with your user's privileges can read secrets whenever the vault is unlocked
- Physical access to an unlocked vault