Bóveda means Security through Isolation. We prioritize network-isolated security and practice digital transparency.
- Process Isolation: The user interface is always isolated from the engine (`boveda-core`), and all sensitive operations occur within the engine via a typed, audited IPC (Inter-Process Communication) bridge.
- Digital Sovereignty: There is no "cloud by default." Your data belongs to you, resides exclusively on your system, and you are solely responsible for it.
- Forensic Resistance: Measures are implemented so that even if an attacker gains physical access to RAM or system dumps, they will find no readable traces of your information.
The boveda-core engine is an independent component responsible for protecting sensitive data:
- Blind Storage: SQLite + SQLCipher database with AES-256-CBC encryption. We protect not only the entries but also the schema, indexes, and metadata.
- Secrets: Each individual entry is additionally encrypted using ChaCha20-Poly1305, providing Authenticated Encryption with Associated Data (AEAD).
- Brute-Force Protection: We implement Argon2id (parameters: 64 MB RAM, 3 iterations, 4 threads), the winner of the Password Hashing Competition, configured to be costly on specialized hardware (ASIC/GPU).
- Zeroization: RAM is physically overwritten with zeros as soon as a secret is no longer needed, mitigating memory reuse attacks.
- Non-Swappable RAM: We implement `mlock`/`VirtualLock` to prevent master keys from ending up in the operating system's swap file on the hard drive.
- Process Hardening: Core dumps are disabled, and process inspection is blocked using OS-level security policies.
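The Zeroization and Non-Swappable RAM measures above can be combined in one type, shown here as an added example that is not boveda-core's own code. `LockedKey` and `zero_bytes` are hypothetical names, and a Unix-like target (libc `mlock`/`munlock`) is assumed.

```rust
use std::ffi::c_void;
use std::os::raw::c_int;
use std::sync::atomic::{compiler_fence, Ordering};

// POSIX calls declared by hand so the example needs no external crates (Unix only).
extern "C" {
    fn mlock(addr: *const c_void, len: usize) -> c_int;
    fn munlock(addr: *const c_void, len: usize) -> c_int;
}

/// Overwrite with volatile stores so the optimizer cannot elide the "dead" writes.
pub fn zero_bytes(bytes: &mut [u8]) {
    for b in bytes.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical holder for a 32-byte master key (name is illustrative).
pub struct LockedKey { buf: Box<[u8; 32]>, locked: bool }

impl LockedKey {
    pub fn new(key: &mut [u8; 32]) -> Self {
        let mut buf = Box::new([0u8; 32]);
        // Pin the page before the secret is written into it. mlock can fail
        // (RLIMIT_MEMLOCK, containers), so the result is kept for the caller.
        let locked = unsafe { mlock(buf.as_ptr() as *const c_void, buf.len()) } == 0;
        buf.copy_from_slice(&key[..]);
        zero_bytes(&mut key[..]); // wipe the caller's copy
        LockedKey { buf, locked }
    }
    pub fn is_locked(&self) -> bool { self.locked }
    pub fn expose(&self) -> &[u8; 32] { &self.buf }
    pub fn wipe(&mut self) { zero_bytes(&mut self.buf[..]); }
}

impl Drop for LockedKey {
    fn drop(&mut self) {
        self.wipe(); // zero while the page is still pinned
        if self.locked {
            unsafe { munlock(self.buf.as_ptr() as *const c_void, self.buf.len()) };
        }
    }
}

fn main() {
    let k = LockedKey::new(&mut [7u8; 32]); // constructed sample key
    println!("locked: {}, first byte: {}", k.is_locked(), k.expose()[0]);
}
```

`mlock` pins whole pages and `munlock` releases the whole page, so a secret that shares a page with other locked data needs its own page-aligned allocation. A `false` from `is_locked()` means the key may still reach swap and should be surfaced to the caller.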
```mermaid
flowchart TD
    UI["Svelte 5 Interface"] -- "Secure IPC" --> Tauri["Orchestration Layer"]
    Tauri -- "Rust Commands" --> Core["Bóveda-Core (Rust)"]
    Core -- "Encryption" --> DB[("SQLite + SQLCipher")]
    Core -- "Memory" --> RAM["Zeroized RAM / mlock"]
```
- `crates/boveda-core`: The core of Bóveda, free of UI dependencies, 100% focused on security.
- `src-tauri`: Manages permissions and communication between the webview and the system.
- `src`: Our fast, minimalist user interface that makes security feel natural.
Prerequisites:
- Node.js (v20+)
- pnpm (v9+)
- Rust (v1.77+)
- Tauri Prerequisites
```bash
# Install dependencies
pnpm install
# Run in development mode
pnpm tauri dev
# Build production binary
pnpm tauri build
```

We maintain a "Zero Warnings" standard. You can verify project integrity using:

```bash
# Full security audit (Rust + JS)
pnpm security
```

Or individually:
- `cargo audit`: Checks for vulnerabilities in Rust dependencies.
- `cargo clippy`: Strict linter to ensure idiomatic and secure code.
- `pnpm audit`: Checks the Node.js ecosystem.
If you share our vision of uncompromised privacy, your PRs are welcome. Please read our Contributing Guide and review the ROADMAP.md to see what we are working on.
Bóveda is free software under the GPL-3.0 license.
| Document | Description |
|---|---|
| CONTRIBUTING.md | Guide for contributors |
| CODE_OF_CONDUCT.md | Community code of conduct |
| CODE_SIGNING_POLICY.md | Code signing policy |
| SECURITY.md | Security policy and vulnerability reporting |
| PRIVACY.md | Privacy policy |
| CHANGELOG.md | Change log |
- Free code signing provided by SignPath Foundation.