Security & Encryption

VortexHQ uses AES-256-GCM encryption, OS keychain storage, and sandboxed execution to keep your data safe.

Local-First Security

VortexHQ is a local-first application. All your data — emails, SSH hosts, FTP hosts, SQL connections, API clusters, tasks, snippets, and settings — is stored on your machine by default. Nothing is sent to the cloud unless you explicitly enable cloud sync.

Encryption at Rest

Sensitive data is encrypted using AES-256-GCM — the same standard used by banks and governments:

  • Passwords & tokens — SSH passwords, FTP credentials, SQL passwords, and API keys are encrypted before storage
  • Vault files — Exported .mpvault (SSH), .vxdb (SQL/FTP), and .vtx (API) files are passphrase-protected with AES-256-GCM
  • Tasks & todos — Stored in encrypted JSON files (~/.vortex/todos.json)
  • AI config — Provider API keys are base64-encoded in encrypted config

OS Keychain Integration

Auth tokens and encryption keys are stored in your operating system's secure keychain via Electron safeStorage:

Platform    Keychain
macOS       Keychain Access (libsecret)
Windows     DPAPI (Data Protection API)
Linux       libsecret / GNOME Keyring

No plaintext token fallback is used. If the keychain is unavailable, VortexHQ will prompt for re-authentication.

Nexus Vault Encryption

When sharing servers via an Infrastructure Nexus, credentials are encrypted end-to-end with a vault key:

  • Each nexus has its own vault key, shared securely between members
  • Vault-locked servers show a 🔒 lock icon and require decryption before use
  • Server credentials are never stored in plaintext on the cloud

Sandboxed Execution

  • Email HTML preview — Rendered in a sandboxed iframe with external link interception and no script execution
  • API response preview — HTML responses are sandboxed with a restrictive CSP
  • Scripts — Pre-request and test scripts run in a sandboxed new Function() environment with limited globals
  • Path traversal protection — FTP file operations validate paths to prevent directory traversal attacks

Per-User Data Isolation

Each user profile has its own isolated data directory. Signing in migrates data to a user-specific path; signing out clears the active user data and restores defaults. This prevents data leakage between accounts on shared machines.

Telemetry

VortexHQ includes optional anonymous telemetry for crash reporting and feature usage analytics:

  • Fully opt-in/opt-out from Settings
  • Anonymous session ID (no personal information)
  • Payload sanitization removes any sensitive data before transmission
  • Queue-based with batched flushing
