Backend: FastAPI, PostgreSQL, MinIO (S3-compatible storage), Elasticsearch
Frontend: React + TypeScript
Infrastructure: Docker Compose
- JWT authentication - Tokens expire after 15 minutes, proper validation
- AES-256-GCM encryption - Each document gets its own encryption key
- Brute force protection - Account locks after 5 failed logins
- Audit logging - Everything gets logged to Elasticsearch with timestamps
- SHA-256 checksums - File integrity verification
- RBAC - Role-based permissions (though it's just me using it)
- Security headers - XSS protection, CSP, HSTS, etc.
`docker-compose up -d`
Then go to http://localhost:3000
The database, storage, and logging all persist in Docker volumes so your data sticks around.
Demo credentials:
Email: demo@securevault.io
Password: Demo123!
When you upload a file:
- Generate a random 256-bit key for this specific document
- Encrypt the file with AES-256-GCM using that key
- Store the encrypted file in MinIO
- Save the encryption key in the database (would use AWS KMS in production)
- Calculate SHA-256 checksum for integrity verification
When you download:
- Fetch the encryption key from the database
- Download encrypted file from MinIO
- Decrypt with the key
- Verify checksum matches
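The upload and download flows above, as an added example that is not the project's own code. It is written in Go with only the standard library so it runs without dependencies; it assumes the nonce is stored prefixed to the ciphertext and that the SHA-256 checksum is taken over the plaintext, which the decrypt-then-verify order implies. The `StoredDoc` type stands in for the database row plus the MinIO object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// StoredDoc holds what the upload flow persists (assumed layout): the per-document
// key (database row), nonce-prefixed AES-256-GCM output (MinIO object), plaintext SHA-256 (hex).
type StoredDoc struct {
	Key, Ciphertext []byte
	Checksum        string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Upload: fresh random 256-bit key for this document, encrypt, record the checksum.
func Upload(plaintext []byte) (*StoredDoc, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // random per message; never reused under one key
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sum := sha256.Sum256(plaintext)
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // output = nonce || ciphertext || GCM tag
	return &StoredDoc{Key: key, Ciphertext: ct, Checksum: hex.EncodeToString(sum[:])}, nil
}

// Download: decrypt (the GCM tag check rejects any modified byte), then verify the checksum.
func Download(doc *StoredDoc) ([]byte, error) {
	gcm, err := newGCM(doc.Key)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(doc.Ciphertext) < ns { return nil, errors.New("ciphertext too short") } // avoid slice panic
	pt, err := gcm.Open(nil, doc.Ciphertext[:ns], doc.Ciphertext[ns:], nil)
	if err != nil { return nil, err } // "cipher: message authentication failed" on tampering
	if sum := sha256.Sum256(pt); hex.EncodeToString(sum[:]) != doc.Checksum {
		return nil, errors.New("checksum mismatch")
	}
	return pt, nil
}
```

GCM's authentication tag already rejects any altered ciphertext byte, so the SHA-256 comparison is a second, independent check on the decrypted bytes rather than the primary tamper defence.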
- Encryption keys are stored in PostgreSQL instead of a proper HSM/KMS
- No real user registration flow (just the demo account)
- File size limit is whatever MinIO allows by default
- Audit logs don't have retention policies set up
- No email notifications for security alerts
Note: This README is still a work in progress.