Security and the vault
Your cloud credentials never leave your machine. They are sealed in a local vault with envelope encryption, and the app talks to your clouds directly using them.
The vault is a key identity
Section titled “The vault is a key identity”The vault is a passphrase-sealed key identity. When you create the vault, CrossXCloud generates an RSA keypair. The public key is stored on disk in the clear. The private key is sealed under a passphrase you choose and held in memory only while the vault is unlocked.
This is why saving a credential works while the vault is locked (it only needs the public key to encrypt) but using a credential requires the vault to be unlocked (it needs the private key to decrypt).
There is no recovery path if you lose your passphrase. The private key cannot be unsealed, and the credentials sealed under it cannot be decrypted.
Envelope encryption
Section titled “Envelope encryption”Each credential is encrypted with envelope encryption, which means the credential itself is encrypted with a fresh symmetric key, and that symmetric key is encrypted with your RSA keypair.
This gives you two properties that matter:
- Each credential gets its own encryption key, so compromising one credential does not expose the others, beyond the shared vault keypair.
- The symmetric key is fast and handles the full credential payload, while the RSA keypair only has to wrap the small symmetric key.
To decrypt a credential, the vault’s private key unwraps the symmetric key, and that symmetric key decrypts the credential. The private key never leaves the vault, and the vault only releases it while unlocked.
flowchart TD
subgraph Encrypt
direction LR
cred[Credential] --> aes[AES-256-GCM]
aes --> blob[Encrypted blob]
aeskey[AES data key] --> aes
aeskey --> rsa[RSA-OAEP wrap]
rsa --> wrapped[Wrapped AES key]
end
subgraph Decrypt
direction LR
wrapped2[Wrapped AES key] --> rsa2[RSA private key unwrap]
rsa2 --> aeskey2[AES data key]
blob2[Encrypted blob] --> aes2[AES-256-GCM]
aeskey2 --> aes2
aes2 --> cred2[Credential]
end
What this means in practice
Section titled “What this means in practice”- Your credentials are not sent to CrossXCloud, to CrossXWeb, or to any third party. The app talks to your clouds directly using them.
- Your plaintext credential is never written to disk. Only the encrypted blob is.
- The private key that can decrypt your credentials lives in memory only while the vault is unlocked, and is cleared on lock or process exit.
- Telemetry does not see your credentials. Analytics runs on product events, not on credential payloads.
What you are responsible for
Section titled “What you are responsible for”- Credentials and the vault for unlocking, adding, and rotating credentials.
- Connect a provider for the new-user walkthrough.
- Desktop and web for what is and is not sent between the two surfaces.