Stealth Vault
Stealth Vault is a unified secure storage system that combines a full-featured Password Manager and an encrypted File Vault in a single application. Both share one master password and the same AES-256-GCM encryption pipeline, so unlocking one unlocks the other.
Security Model
| Encryption | AES-256-GCM with authentication tag protection |
| Key derivation | PBKDF2-SHA256, 600,000 iterations, 32-byte salt |
| Master password | Never stored - derived key unlocks the vault in memory only |
| Storage | Local only, under %AppData%\Roaming\VPNClient |
| No-Password mode | Optional convenience mode using a fixed internal key |
No password recovery. Because your master password is never stored, there is no way to recover a forgotten one. The Forgot Password flow walks you through wiping the vault and starting fresh - this is the only path forward if access is lost.
Setting Up Your Vault
On first run, a 3-step setup wizard guides you through creating your vault:
- Choose Encrypted (master password, minimum 8 characters) or No Password mode
- Enter and confirm your master password - a real-time strength meter shows progress
- Vault is created and ready to use
Already have a vault file from another device? Use Import Vault on the unlock screen instead of creating a new one.
Password Manager
The password manager stores credentials, cards, notes and more in a single encrypted file: password-vault.encrypted (AES-256-GCM with a 16-byte IV).
Entry Types
| Login | Username, password, URL, notes - with auto-loaded site favicon |
| Credit Card | Card number, expiry, CVV, cardholder, billing notes |
| Secure Note | Free-form encrypted text for recovery codes, license keys, anything sensitive |
| Identity | Personal details, addresses, phone numbers |
| Bank Account | Routing, account numbers, institution details |
| API Key | Tokens, secret keys, environment notes |
| Custom | User-defined categories with a custom Font Awesome icon and your own fields |
Organizing Entries
- Nested folders for hierarchical organization
- Sidebar categories: All, Favorites, plus every built-in and custom type
- Bulk select for moving or deleting many entries at once
- Sort by name or last modified date
- Search across every entry, all fields
- Per-entry color accent and custom icon (image, stored as data URL)
- Login favicons auto-load via multi-source fallback (Google s2, parent domain, DuckDuckGo, icon.horse, GitHub) with a globe fallback
Views
Switch between List, Card, and Compact views from the toolbar. The detail pane is resizable and the sidebar is collapsible to maximize working space.
Password Generator
Available inline next to any password field and as a standalone window:
- Length 8 to 64 characters
- Toggle uppercase, lowercase, numbers, symbols
- Exclude similar-looking characters (
i,l,1,L,o,0,O) - Exclude ambiguous punctuation
- Built on cryptographically secure
crypto.randomBytes
Password Strength
A real-time strength meter with a numeric score and written feedback appears in setup, change-password, and login flows so you always know how strong a password is before you commit it.
Clipboard Behavior
- Copy username or password from the list, the detail pane, or the right-click context menu
- Auto-clear clipboard after a configurable number of seconds (set to 0 to disable)
Auto-Lock
The vault automatically locks after a configurable period of inactivity (in minutes). Mouse, key, and scroll activity reset the timer so you are not interrupted while actively working.
Auto-Login Browser
Stealth Vault includes a built-in Auto-Login Browser - a frameless window that loads a website inside an isolated webview session and automatically fills the username and password fields for the selected entry.
Vault settings (gear icon)
Open Settings from the vault toolbar. The modal has five tabs; click Save Settings at the bottom to apply changes.
Security
- Require Master Password - When on, the vault stays encrypted with your master password. When off, data is stored with a fixed internal key (convenience only, not for sensitive use).
- Auto-lock Timeout - Minutes of inactivity before the vault locks (separate from Windows idle; see Advanced Security).
- Change Master Password - Opens the change-password flow (re-encrypts password vault and file vault).
- Clear Clipboard - Seconds before copied passwords are cleared from the clipboard (0 = never auto-clear).
Appearance
- Show passwords by default - When enabled, password fields in entry details start visible instead of masked.
Sync
- Connect Google Drive - OAuth with limited
drive.filescope; avatar and last-sync time show when connected. - Sync Now / Disconnect - Manual push or sign out of Drive.
- Automatically backup to Google Drive - Uploads after each save when enabled.
Vault
- Export Vault - Download a local copy of the encrypted vault.
- Import from Chrome - Import a Chrome-exported CSV with duplicate handling (Update all vs Update new + changed only).
- Delete Vault - Permanently removes the vault (Danger Zone).
Advanced Security
- Bind vault to this device (DPAPI / safeStorage) - Mixes the vault key with a machine-bound secret. A stolen vault file plus your master password is not enough to unlock on another PC. Turning this on or off triggers a full vault re-encryption; keep your master password ready.
- Use a per-unlock subkey for in-memory caches - Derives a fresh HKDF subkey each unlock for session data (for example thumbnails and secrets held in RAM). The subkey is wiped on lock and is not written to disk.
- Lock vault when the system is idle - Uses Windows idle time. Set an Idle threshold (minutes). Works alongside the in-app auto-lock timer.
- File Access Audit Log - Optional append-only encrypted JSONL log of unlock, read, open, export, and delete events for both password and file vaults. View Recent Events and Clear Log are on the same row.
- Recovery Code - Generate a one-time-shown 24-character Crockford-base32 code that can recover access if you forget the master password, or remove it. Store the code offline.
- Key Rotation - Rotate Vault Keys Now re-encrypts the entire password and file vault with fresh salts and IVs. Status shows last rotation; periodic rotation (for example every 90 days) is recommended.
Google Drive Sync
- OAuth with the
drive.filescope - Stealth only sees files it created - Creates and uses a
Stealthfolder inside your Drive - Backs up the password vault as
stealth-password-vault.json - Auto-uploads after every save when Automatically backup to Google Drive is enabled
- Sync merges remote entries by ID - missing entries are added, existing entries are never silently overwritten
Forgot Password
The Forgot Password flow opens a multi-step modal that explains in plain language that there is no recovery. If you really cannot regain access, the same screen lets you wipe the vault and start fresh.
File Vault
The File Vault is encrypted personal storage that lives alongside the password manager. It handles images, video, audio, PDFs, text files, and any other file type you want to keep private.
| Master password | Same as the password manager - unlock once, both unlock |
| File payloads | %AppData%\Roaming\VPNClient\file-vault\files\*.enc |
| Image thumbnails | Encrypted separately at ...\file-vault\thumbs\*.enc |
| Index | index.encrypted - tracks folders, metadata, pins, colors |
Adding Files
- Add Files button - multi-select dialog
- Drag and drop files directly from Windows Explorer onto the vault window. A non-elevated helper window handles the drop so it works even when Stealth is running under UAC elevation
- Paste images or files from the clipboard with
Ctrl+V - A drop-zone overlay appears whenever files are dragged over the window
Organization
- Nested folders with breadcrumb navigation
- Sidebar shortcuts: All Files and Recent (last 7 days)
- Per-file color accent from a preset palette or a custom color
- Pin to top - pinned files always sort first
- Optional global blur preview toggle that blurs every thumbnail in the grid for privacy in public spaces
File Actions
Right-click any file for the full context menu:
| Preview | In-app modal supporting image, video, audio, PDF, and text |
| Open with default app | Decrypts to a temporary location and auto-deletes after 10 minutes |
| Export | Save As - decrypts to a path you choose |
| Rename / Duplicate / Move | Standard file operations within the vault |
| Set color / Pin | Change the accent or pin to the top of the list |
| Copy filename | Copies the original filename to the clipboard |
| Copy contents | Images go to the clipboard as images, text as text |
| Properties | Size, type, dates, location |
| Delete | Permanently remove the file and its thumbnail |
Thumbnails
Image thumbnails are generated automatically (max 256px, JPEG quality 70) and encrypted with the same key as the file itself. They live in a dedicated thumbs folder so the grid loads quickly without decrypting full files.
Google Drive Backup
The manual Sync button bundles the entire vault - full index, every file ciphertext, every thumbnail ciphertext - and uploads it to your Stealth Google Drive folder as stealth-file-vault.encrypted.json.
Re-encryption on Master Password Change
When you change your master password, both the password vault and every file in the file vault are re-encrypted with the new derived key automatically. Nothing on disk remains accessible to the old password.
Best Practices
Strong master password. A long passphrase like correct horse battery staple is more secure and easier to remember than P@ssw0rd!.
Back up to Google Drive. Enable automatic backup so your vault survives device loss. Backups are encrypted before they leave your machine.
Lock when away. The vault auto-locks on inactivity - don't disable this if you share a workspace.
Unique passwords everywhere. The password manager makes this manageable. Use the generator to create one for every new account.
Encrypted mode for sensitive data. No-Password mode is fine for low-risk convenience, but anything you really care about belongs behind a master password.