Stealth Vault
Stealth Vault is a unified secure storage system that combines a full-featured Password Manager and an encrypted File Vault in a single application. Both share one master password and the same AES-256-GCM encryption pipeline, so unlocking one unlocks the other.
Security Model
| Encryption | AES-256-GCM with authentication tag protection |
| Key derivation | PBKDF2-SHA256, 100,000 iterations, 32-byte salt |
| Master password | Never stored - derived key unlocks the vault in memory only |
| Storage | Local only, under %AppData%\Roaming\VPNClient |
| No-Password mode | Optional convenience mode using a fixed internal key |
No password recovery. Because your master password is never stored, there is no way to recover a forgotten one. The Forgot Password flow walks you through wiping the vault and starting fresh - this is the only path forward if access is lost.
Setting Up Your Vault
On first run, a 3-step setup wizard guides you through creating your vault:
- Choose Encrypted (master password, minimum 8 characters) or No Password mode
- Enter and confirm your master password - a real-time strength meter shows progress
- Vault is created and ready to use
Already have a vault file from another device? Use Import Vault on the unlock screen instead of creating a new one.
Password Manager
The password manager stores credentials, cards, notes and more in a single encrypted file: password-vault.encrypted (AES-256-GCM with a 16-byte IV).
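The pipeline described in the Security Model table and above, as an added Node.js example that is not Stealth Vault's own code. The PBKDF2 and AES-GCM parameters come from this page; the blob layout (salt, IV, tag, ciphertext) and the function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Parameters as listed on this page.
const ITERATIONS = 100000, SALT_LEN = 32, IV_LEN = 16, TAG_LEN = 16, KEY_LEN = 32;

// The master password is never written anywhere; only the salt is stored.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Assumed layout: salt | iv | tag | ciphertext (hypothetical, for this example).
function sealVault(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // fresh IV on every save
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function openVault(password, blob) {
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', deriveKey(password, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong password or altered file.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// A wrong password and a modified file fail the same way, with no partial plaintext.
function tryOpen(password, blob) {
  try {
    return { ok: true, data: openVault(password, blob) };
  } catch (e) {
    return { ok: false, data: null };
  }
}
```
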
Entry Types
| Login | Username, password, URL, notes - with auto-loaded site favicon |
| Credit Card | Card number, expiry, CVV, cardholder, billing notes |
| Secure Note | Free-form encrypted text for recovery codes, license keys, anything sensitive |
| Identity | Personal details, addresses, phone numbers |
| Bank Account | Routing, account numbers, institution details |
| API Key | Tokens, secret keys, environment notes |
| Custom | User-defined categories with a custom Font Awesome icon and your own fields |
Organizing Entries
- Nested folders for hierarchical organization
- Sidebar categories: All, Favorites, plus every built-in and custom type
- Bulk select for moving or deleting many entries at once
- Sort by name or last modified date
- Search across every entry, all fields
- Per-entry color accent and custom icon (image, stored as data URL)
- Login favicons auto-load via multi-source fallback (Google s2, parent domain, DuckDuckGo, icon.horse, GitHub) with a globe fallback
Views
Switch between List, Card, and Compact views from the toolbar. The detail pane is resizable and the sidebar is collapsible to maximize working space.
Password Generator
Available inline next to any password field and as a standalone window:
- Length 8 to 64 characters
- Toggle uppercase, lowercase, numbers, symbols
- Exclude similar-looking characters (i,l,1,L,o,0,O)
- Exclude ambiguous punctuation
- Built on cryptographically secure crypto.randomBytes
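A generator with the options listed above, as an added example that is not Stealth Vault's own code: it draws from crypto.randomBytes and rejects bytes that would introduce modulo bias. The option names and the symbol set are assumptions, and the ambiguous-punctuation toggle is left out because this page does not list those characters.

```javascript
const crypto = require('crypto');

const SETS = {
  uppercase: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lowercase: 'abcdefghijklmnopqrstuvwxyz',
  numbers: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?', // assumed symbol set
};
const SIMILAR = new Set('il1Lo0O'); // the look-alike characters listed above

// Uniform index in [0, n) for n <= 256: bytes at or above the largest
// multiple of n are discarded, so every index is equally likely.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  for (;;) {
    const b = crypto.randomBytes(1)[0];
    if (b < limit) return b % n;
  }
}

// opts: { length, uppercase, lowercase, numbers, symbols, excludeSimilar } (hypothetical names)
function generatePassword(opts = {}) {
  const { length = 20, excludeSimilar = false } = opts;
  if (!Number.isInteger(length) || length < 8 || length > 64) {
    throw new RangeError('length must be 8 to 64');
  }
  const pools = Object.keys(SETS).filter((k) => opts[k])
    .map((k) => [...SETS[k]].filter((c) => !(excludeSimilar && SIMILAR.has(c))));
  if (pools.length === 0) throw new Error('enable at least one character class');
  const all = pools.flat();
  // One character from every enabled class, the rest from the combined pool.
  const chars = pools.map((p) => p[randomIndex(p.length)]);
  while (chars.length < length) chars.push(all[randomIndex(all.length)]);
  // Fisher-Yates shuffle so the guaranteed characters are not always first.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```
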
Password Strength
A real-time strength meter with a numeric score and written feedback appears in setup, change-password, and login flows so you always know how strong a password is before you commit it.
Clipboard Behavior
- Copy username or password from the list, the detail pane, or the right-click context menu
- Auto-clear clipboard after a configurable number of seconds (set to 0 to disable)
Auto-Lock
The vault automatically locks after a configurable period of inactivity (in minutes). Mouse, key, and scroll activity reset the timer so you are not interrupted while actively working.
Auto-Login Browser
Stealth Vault includes a built-in Auto-Login Browser - a frameless window that loads a website inside an isolated webview session and automatically fills the username and password fields for the selected entry.
Settings
Security tab. Master password toggle, auto-lock minutes, change master password.
Appearance tab. Show passwords by default in entry details, window opacity.
Sync tab. Connect or disconnect Google Drive, manual sync now, automatic backup on every change.
Vault tab. Export JSON backup, import Chrome password CSV (with duplicate handling - Update all vs Update new + changed only), delete vault.
Google Drive Sync
- OAuth with the drive.file scope - Stealth only sees files it created
- Creates and uses a Stealth folder inside your Drive
- Backs up the password vault as stealth-password-vault.json
- Auto-uploads after every save when Automatically backup to Google Drive is enabled
- Sync merges remote entries by ID - missing entries are added, existing entries are never silently overwritten
Forgot Password
The Forgot Password flow opens a multi-step modal that explains in plain language that there is no recovery. If you really cannot regain access, the same screen lets you wipe the vault and start fresh.
File Vault
The File Vault is encrypted personal storage that lives alongside the password manager. It handles images, video, audio, PDFs, text files, and any other file type you want to keep private.
| Master password | Same as the password manager - unlock once, both unlock |
| File payloads | %AppData%\Roaming\VPNClient\file-vault\files\*.enc |
| Image thumbnails | Encrypted separately at ...\file-vault\thumbs\*.enc |
| Index | index.encrypted - tracks folders, metadata, pins, colors |
Adding Files
- Add Files button - multi-select dialog
- Drag and drop files directly from Windows Explorer onto the vault window. A non-elevated helper window handles the drop so it works even when Stealth is running under UAC elevation
- Paste images or files from the clipboard with Ctrl+V
- A drop-zone overlay appears whenever files are dragged over the window
Organization
- Nested folders with breadcrumb navigation
- Sidebar shortcuts: All Files and Recent (last 7 days)
- Per-file color accent from a preset palette or a custom color
- Pin to top - pinned files always sort first
- Optional global blur preview toggle that blurs every thumbnail in the grid for privacy in public spaces
File Actions
Right-click any file for the full context menu:
| Preview | In-app modal supporting image, video, audio, PDF, and text |
| Open with default app | Decrypts to a temporary location and auto-deletes after 10 minutes |
| Export | Save As - decrypts to a path you choose |
| Rename / Duplicate / Move | Standard file operations within the vault |
| Set color / Pin | Change the accent or pin to the top of the list |
| Copy filename | Copies the original filename to the clipboard |
| Copy contents | Images go to the clipboard as images, text as text |
| Properties | Size, type, dates, location |
| Delete | Permanently remove the file and its thumbnail |
Thumbnails
Image thumbnails are generated automatically (max 256px, JPEG quality 70) and encrypted with the same key as the file itself. They live in a dedicated thumbs folder so the grid loads quickly without decrypting full files.
Google Drive Backup
The manual Sync button bundles the entire vault - full index, every file ciphertext, every thumbnail ciphertext - and uploads it to your Stealth Google Drive folder as stealth-file-vault.encrypted.json.
Re-encryption on Master Password Change
When you change your master password, both the password vault and every file in the file vault are re-encrypted with the new derived key automatically. Nothing on disk remains accessible to the old password.
Best Practices
Strong master password. A long passphrase like correct horse battery staple is more secure and easier to remember than P@ssw0rd!.
Back up to Google Drive. Enable automatic backup so your vault survives device loss. Backups are encrypted before they leave your machine.
Lock when away. The vault auto-locks on inactivity - don't disable this if you share a workspace.
Unique passwords everywhere. The password manager makes this manageable. Use the generator to create one for every new account.
Encrypted mode for sensitive data. No-Password mode is fine for low-risk convenience, but it uses a fixed internal key rather than one derived from a secret only you know, so anything you really care about belongs behind a master password.