Technical overview of how Keyquorum Vault protects your data using Argon2id, AES-GCM, Ed25519, and optional YubiKey hardware support.
These examples are taken from the real implementation. Cosmetic edits were made (removed paths, UI code, threading, logs) to avoid increasing attack surface.
The cryptography, parameters and logic are unchanged.
When you log in, Keyquorum Vault never stores your password. Instead, it combines your password with a per-user random salt and runs it through <strong>Argon2id</strong>, a modern memory-hard password hashing function. This process intentionally uses a large amount of RAM and CPU, making brute-force attacks much more expensive for attackers. The output of Argon2id is a 32-byte <strong>master key</strong>. That master key is then used to encrypt and decrypt your vault using AES-256-GCM.
Your password never lives on disk. On login, we mix your password with a unique random value (salt) and put it through a very heavy, slow function called Argon2id. This is deliberately expensive for attackers. The result is a strong master key that unlocks your vault. If someone steals your vault file, they still have to fight this Argon2id step, which is designed to make bulk password guessing painful and slow.
Your vault entries (logins, notes, card data, etc.) are stored as JSON in-memory and then encrypted using <strong>AES-256-GCM</strong> with your master key. The data written to disk is just a random-looking blob of bytes, not readable text.
When you open the app, the vault file is read from disk, decrypted with your master key back into JSON in memory, and then used inside the app. Any changes you make are re-encrypted before being saved again.
The vault file on disk is always encrypted. If you open it in a text editor, you won’t see passwords – only random bytes. The app decrypts the file into memory when you log in, and re-encrypts it when you save changes. The unencrypted version of your vault never gets written to disk.
Keyquorum Vault keeps decrypted data only in memory while you are logged in.
On logout, it performs a best-effort scrub of sensitive values in RAM.
This means overwriting buffers in-place and walking through internal data structures to remove passwords, keys, and other secrets from the application’s own memory.
This does not magically erase every copy the operating system or hardware might keep - but it does ensure the application itself does not keep decrypted values around longer than necessary.
When you click “Logout,” the app doesn’t just hide the screen — it actively wipes out the important bits from its own memory. It overwrites key buffers, walks through vault data looking for fields like “password”, “secret” or “token”, and clears them. It also clears the master key and the current password. This reduces the amount of sensitive data left sitting in RAM after you stop using the app.
Keyquorum Vault can use a YubiKey in two main ways: Gate mode and Wrap mode. Both modes require a physical YubiKey, but they work slightly differently.
In Gate mode, your password still derives the master key as normal using Argon2id. The YubiKey is then used as an extra check. Keyquorum sends a challenge to the YubiKey (via HMAC-SHA1), and expects a specific response. If the response does not match, login is blocked – even if the password is correct.
Think of Gate mode as a second lock on the door. Your password is the first lock. The YubiKey is the second lock. If the key is not present (or the wrong key is used), the app refuses to log in, even if someone knows your password.
In Wrap mode, the YubiKey is used together with your password to protect the master key itself. The app asks the YubiKey for an HMAC response, mixes that with a tag derived from the master key, and uses HKDF-SHA256 to create a Key Encryption Key (KEK). This KEK then encrypts (wraps) the master key using AES-GCM. Only the wrapped version and some non-secret metadata are stored.
On login, the process is repeated. If either the password or the YubiKey is missing, unwrapping the stored master key fails.
Wrap mode ties your vault to two things at once: your password and your YubiKey. The real master key is locked inside a small encrypted package. That package can only be opened if you have both the correct password and the correct YubiKey. Stealing just the vault file, or just the YubiKey, is not enough.
Keyquorum Vault supports Time-based One-Time Passwords (TOTP) as an optional second factor. The TOTP secret is stored encrypted in the vault with AES-256-GCM using the same master key. Backup codes are generated once, shown to the user, and only the hashed versions are stored.
2FA makes login much harder to break. Even if someone knows your password, they still need the code from your authenticator app or a backup code. Backup codes are like spare keys – you keep them safe in case your phone is lost. We never store backup codes or TOTP secrets in plain text.
Keyquorum Vault allows exporting the vault to a backup file, but the exported file is encrypted using a password chosen by the user. The export password is turned into a key using a KDF, and then AES-256-GCM encrypts the vault data.
If you make a backup, it is not a plain text file that anyone can open. The backup is itself encrypted. To restore it, you need the export password. If someone copies your backup file, they cannot read it without the password.
Keyquorum Vault uses Ed25519 signatures to verify that important files have not been tampered with. A signed manifest is created during build time. When the app runs, it checks that the files still match the signature.
This is like putting a wax seal on the files. If malware swaps or edits them, the signature breaks, and the app warns the user. This protects against silent modification of binaries or vault files.
When a password is copied, Keyquorum Vault sets a timer. After a few seconds, the clipboard is cleared automatically. The app can also warn if Windows clipboard history or cloud sync is enabled.
Passwords should not stay in your clipboard forever. If you copy a password, the app wipes it after a short time, so that other applications cannot read it later.
