Vault & Encryption
KoreShell stores all sensitive data — passwords, SSH keys, API keys — in a local encrypted vault. Nothing is ever uploaded to a server or third party.
How the Vault Works
Every sensitive field is encrypted with AES-256-GCM before being written to the local SQLite database.
User data (password, key, etc.)
↓
AES-256-GCM encryption
↓
Encrypted blob → stored in koreshell.db
The master key that encrypts vault data is itself protected by the OS secure enclave:
- macOS: stored in the system Keychain (io.koreshell.vault)
- Windows: protected with Windows DPAPI, stored in the app data directory
- Linux: stored in the Secret Service (GNOME Keyring / KWallet) or a file with 600 permissions
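The Linux file fallback is only as strong as the permissions on that file. The sketch below is an added example, not KoreShell's own code: it creates a key file with mode 0600 from the start and refuses to load one that other users could read. The function names, the raw 32-byte key layout and the demo path are assumptions.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{MetadataExt, OpenOptionsExt};
use std::path::Path;

const KEY_LEN: usize = 32; // assumed layout: a raw 256-bit key and nothing else

/// Create the key file with mode 0600 at creation time, so it never exists
/// with wider permissions (no create-then-chmod window).
fn write_key_file(path: &Path, key: &[u8; KEY_LEN]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fails if anything already exists at the path
        .mode(0o600)
        .open(path)?;
    f.write_all(key)?;
    f.sync_all()
}

/// Load the key only from a regular file (not a symlink) that has no
/// group/other permission bits and holds exactly KEY_LEN bytes.
fn load_key_file(path: &Path) -> io::Result<[u8; KEY_LEN]> {
    if !fs::symlink_metadata(path)?.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mut f = File::open(path)?;
    let meta = f.metadata()?; // checked on the open handle, not the path
    if meta.mode() & 0o077 != 0 {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "group/other bits set"));
    }
    if meta.len() != KEY_LEN as u64 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "unexpected key length"));
    }
    let mut key = [0u8; KEY_LEN];
    f.read_exact(&mut key)?;
    Ok(key)
}

fn main() -> io::Result<()> {
    // Constructed demo: hypothetical path in the temp dir, key bytes from /dev/urandom.
    let path = std::env::temp_dir().join(format!("vault-demo-{}.key", std::process::id()));
    let mut key = [0u8; KEY_LEN];
    File::open("/dev/urandom")?.read_exact(&mut key)?;
    write_key_file(&path, &key)?;
    assert_eq!(load_key_file(&path)?, key);
    fs::remove_file(&path)
}
```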
What's in the Vault
| Data | Encrypted? |
|---|---|
| Server passwords | Yes — AES-256-GCM |
| SSH private keys | Yes — AES-256-GCM |
| SSH key passphrases | Yes — AES-256-GCM |
| AI provider API keys | Yes — AES-256-GCM |
| rclone remote configs | Yes — AES-256-GCM |
| Script secret variables | Yes — AES-256-GCM |
| Server hostnames, usernames | No — non-sensitive metadata |
| App settings | No |
Session-Only Credentials
When Remember password is off for a server, the password is:
- Prompted at connect time
- Used for the SSH handshake
- Immediately discarded — never written to the vault or database
Key Rotation
To rotate the vault master key:
- Settings → Security → Rotate Vault Key
- KoreShell decrypts all vault data with the old key and re-encrypts with a new one
- The new master key is saved to the OS keychain
Rotation takes a few seconds and happens entirely locally.
Backup & Recovery
The vault is stored inside the app data directory in koreshell.db. Back up this file to preserve all vault data.
A backup of koreshell.db without the corresponding vault master key from the OS keychain is unreadable. Back up both, or use Settings → Export Vault to get an encrypted export that bundles the key material.
Database Encryption
The SQLite database itself is encrypted at the file level using SQLCipher (AES-256 CBC). The database password is derived from the vault master key, so even raw file access yields no plaintext data.
Memory Safety
After completing an SSH handshake, private key data is zeroed from memory using Rust's zeroize crate. This prevents key material from lingering in RAM or appearing in crash dumps.
Threat Model Summary
| Threat | Mitigated by |
|---|---|
| Disk theft / file copy | SQLCipher DB encryption + vault AES-256-GCM |
| Memory scraping | zeroize on key material post-handshake |
| Network interception | Credentials never leave the device |
| Malicious app reading keychain | OS Keychain ACL — only KoreShell can read its entry |
| Brute-force vault key | OS Keychain rate-limiting + AES-256 key space |