Skip to content

Security and the vault

Your cloud credentials never leave your machine. They are sealed in a local vault with envelope encryption, and the app talks to your clouds directly using them.

The vault is a passphrase-sealed key identity. When you create the vault, CrossXCloud generates an RSA keypair. The public key is stored on disk in the clear. The private key is sealed under a passphrase you choose and held in memory only while the vault is unlocked.

This is why saving a credential works while the vault is locked (it only needs the public key to encrypt) but using a credential requires the vault to be unlocked (it needs the private key to decrypt).

There is no recovery path if you lose your passphrase. The private key cannot be unsealed, and the credentials sealed under it cannot be decrypted.

Each credential is encrypted with envelope encryption, which means the credential itself is encrypted with a fresh symmetric key, and that symmetric key is encrypted with your RSA keypair.

This gives you two properties that matter:

  • Each credential gets its own encryption key, so compromising one credential does not expose the others, beyond the shared vault keypair.
  • The symmetric key is fast and handles the full credential payload, while the RSA keypair only has to wrap the small symmetric key.

To decrypt a credential, the vault’s private key unwraps the symmetric key, and that symmetric key decrypts the credential. The private key never leaves the vault, and the vault only releases it while unlocked.

flowchart TD
    subgraph Encrypt
        direction LR
        cred[Credential] --> aes[AES-256-GCM]
        aes --> blob[Encrypted blob]
        aeskey[AES data key] --> aes
        aeskey --> rsa[RSA-OAEP wrap]
        rsa --> wrapped[Wrapped AES key]
    end

    subgraph Decrypt
        direction LR
        wrapped2[Wrapped AES key] --> rsa2[RSA private key unwrap]
        rsa2 --> aeskey2[AES data key]
        blob2[Encrypted blob] --> aes2[AES-256-GCM]
        aeskey2 --> aes2
        aes2 --> cred2[Credential]
    end
  • Your credentials are not sent to CrossXCloud, to CrossXWeb, or to any third party. The app talks to your clouds directly using them.
  • Your plaintext credential is never written to disk. Only the encrypted blob is.
  • The private key that can decrypt your credentials lives in memory only while the vault is unlocked, and is cleared on lock or process exit.
  • Telemetry does not see your credentials. Analytics runs on product events, not on credential payloads.