Secure Vault — Help & User Guide

What Vault is for, how to use each part of the app, and what you need to know before trusting it with important passwords and files.

What is Vault?

Vault is a personal, browser-based secure storage tool. It runs entirely in your web browser. There is no remote account server and no vault data is sent over the internet when you save passwords or encrypt files — everything happens on your device.

Vault combines a password manager (store website logins, notes, and generated passwords) with standalone encryption tools (encrypt text, documents, or short messages with a password you choose).

What is it for?

Vault is intended for personal use. It has not been professionally audited. For enterprise-grade autofill across all apps, consider a dedicated password manager (Bitwarden, 1Password, etc.) and use Vault’s backup export if you need to migrate data.

How it works (no server)

When you unlock Vault with your master password, the app derives an encryption key using PBKDF2-SHA256 (25,000 iterations) and encrypts your data with AES-GCM 256-bit encryption. The encrypted blob is stored in your browser’s localStorage for this website address only.

Your master password is never stored. If you forget it, there is no recovery — the encrypted data cannot be decrypted without it.

Because storage is tied to this exact website URL, clearing browser data for this site, using a different browser, or using a private/incognito window without syncing will not show the same vault unless you import a backup.

Sign-in vs master password

Vault uses two security layers before you reach your saved entries:

Layer: Sign-in account (username + password you create)
    • Purpose: Opens the app for you on this browser — like a door on the tool itself. Each person picks their own username and password.
    • Stored?: Only one-way PBKDF2-SHA256 hashes are saved in this browser’s localStorage. Plaintext username and sign-in password are never stored and cannot be read back.

Layer: Master password
    • Purpose: Actually protects your vault entries and backups. Derives the AES encryption key.
    • Stored?: Never stored. You must remember it.

Important: The sign-in screen is a convenience gate on this device, not server authentication. Anyone with access to your unlocked browser could open Vault. Short sign-in passwords could also be guessed offline by someone who copies your browser storage. The master password is what keeps your real data safe — make it long and unique.

You create your own sign-in account the first time you use Vault on a browser. There are no shared or pre-set usernames. If you use Vault on another phone, computer, or browser, create an account there too (or import a backup after signing in).

Create your account

When you open Vault for the first time on a browser, you need a sign-in account before you can set up your encrypted vault.

  1. On the sign-in screen, click Create account.
  2. Choose a username (2–64 characters; letters, numbers, dots, dashes, and underscores only).
  3. Choose a password (at least 6 characters) and type it again to confirm.
  4. Click Create account. Vault stores only hashed versions of your username and password in this browser — not the plain text.
  5. You are taken to the Unlock vault screen to set your master password (see Quick start below).

Returning later on the same browser

Use Sign in with the same username and password you created. As long as this browser’s site data for Vault has not been cleared, your account and encrypted vault remain available.

Same person, different browser or device

Sign-in accounts do not sync across devices automatically. On a new browser you can either:

Username already taken? That name is already registered on this browser. Pick a different username, or sign in if it is yours.
No “forgot sign-in password”. If you forget the username or password you created, Vault cannot recover them — they are stored only as one-way hashes. You would need to create a new account on that browser and restore from a backup JSON if you have one (using the original master password, not the sign-in password).

Quick start

  1. Open index.html (or your live Vault URL) in a modern browser (Chrome, Firefox, Safari, or Edge).
  2. First visit on this browser: click Create account, choose a username and password, then confirm.
  3. Returning on this browser: Sign in with the username and password you created.
  4. On the Unlock vault screen:
    • First time: if no vault exists yet, set a strong master password (twice if prompted) and create the vault.
    • Returning: enter your existing master password and click Unlock.
    • Extra vault on same account: tick Create a new vault, enter a new master password twice, then create.
  5. Use the Vault tab to add your first entry with + New.
  6. Go to Backup and download a backup JSON file. Store it on your computer or phone — it is useless without your master password, but you will need both if you lose browser data or move to another device.

Vault tab — password entries

Your main password list. Each entry can hold:

Search

Type in the search box to filter entries by label, URL, username, or notes.

Password generator

Open Generator options to set length (4–128) and character sets (uppercase, lowercase, digits, symbols). Click Generate to fill the password field, then Save.

Edit or delete

Select an entry on the left to edit it. Save writes encrypted data to localStorage. Delete removes the entry after confirmation. Cancel discards unsaved changes.

Vault does not auto-fill passwords into other websites or apps. Copy the password and paste it where you need it.

Encrypt / Decrypt tab

A quick tool for encrypting or decrypting plain text with a password you type. Useful for short secrets that are not full vault entries.

Encrypt

  1. Enter a password.
  2. Paste or type plaintext.
  3. Click Encrypt. The result is a base64 blob you can copy and store or send.

Decrypt

  1. Enter the same password used to encrypt.
  2. Paste the encrypted blob.
  3. Click Decrypt to recover the original text.

This tab uses the vault’s standard single-round encryption. For multi-round document encryption, use the Documents tab.

Documents tab

A fuller encryption workspace with two modes, selected from the Mode dropdown.

Mode: Encrypt / Decrypt Document

Encrypt or decrypt whole files: Word (.doc, .docx), PDF, ODT, or TXT.

  1. Choose a file (Browse or drag-and-drop onto the drop zone).
  2. Enter a password.
  3. Set Count (encryption rounds, 1–20; default 5). Higher counts take longer but add more layers.
  4. Encrypt & Download saves one encrypted file. The original filename and type are preserved inside the encrypted package — the download name may not match the original.
  5. To recover: select the encrypted file on the Decrypt side, enter the same password and Count, then Decrypt & Download Original.

Mode: Send / Receive Encrypted Message

Encrypt short messages for email or chat. The Encrypt panel turns your message into a single encrypted string; the Decrypt panel reverses it.

Count must match. If encryption used Count 5, decryption must also use 5. The encrypted file or message exposes only the round count externally; filename and file type stay hidden inside the ciphertext until decrypted.

Backup tab

Export (Download backup)

Downloads the currently unlocked vault as a JSON file. The file contains only encrypted data — it is unreadable without the master password that was used when that vault was created.

Keep backups in a safe place (encrypted disk, password-protected archive, or offline storage).

Import

Choose a previously exported .json backup and click Import. This replaces the currently unlocked vault with the backup’s contents. Other vaults stored in the same browser are not affected.

After import, you will need the master password from when that backup was made the next time you unlock.

Settings tab

Change master password

Re-encrypts the entire vault with a new master password. You must enter:

After a successful change, use the new password to unlock and make a fresh backup.

Lock, sign out & auto-lock

Multiple accounts and vaults on one browser

You can have more than one person using Vault on the same computer, each with their own sign-in account. Each account keeps its own encrypted vault data separate in localStorage.

Multiple sign-in accounts

Multiple encrypted vaults (same account)

One signed-in user can also keep more than one independent encrypted vault (e.g. “work” and “personal”), each with its own master password:

Without the correct master password, an attacker cannot tell how many vaults exist or who they belong to — only that encrypted blobs are present.

Install on phone (PWA)

On a live HTTPS site, Vault can be installed as a Progressive Web App and works offline after the first visit (thanks to the service worker).

iPhone (Safari)

  1. Open the Vault URL in Safari.
  2. Tap Share → Add to Home Screen → Add.

Android (Chrome)

  1. Open the Vault URL in Chrome.
  2. Tap the menu (⋮) → Install app or Add to Home screen.

iOS limitation: A home-screen PWA cannot act as system-wide password autofill in Safari or other apps. Open Vault, copy the password, then paste it where needed.

Security & limitations

Remember your master password. There is no “forgot password” flow. Lose the password and lose access to the vault and any backups encrypted with it.

Troubleshooting

“Wrong master password” but I’m sure it’s correct

Decrypt failed / wrong password on a document or message

Vault empty after browser update or on a new device

Data lives in this browser’s storage for this site URL. Import your JSON backup and unlock with the correct master password.

Service worker / offline not working

Offline install requires HTTPS (or localhost). Opening files directly from disk (file://) skips the service worker by design.

Sign-in not accepted

Forgot sign-in password but have a backup

Create a new account on this browser, then use Backup → Import after you unlock with the master password from when the backup was made. The sign-in password and master password are separate — restoring data depends on the master password, not the sign-in password.