Security
Learn how CoraleVault keeps your passwords safe with AES-256 encryption, PBKDF2 key derivation, and military-grade security.
How We Keep Your Passwords Safe
Security sounds complicated, but here’s what it really means: Even if someone steals your computer, they can’t read your passwords without your master password.
The Simple Version
Your Passwords Are Encrypted
When you save a password in CoraleVault, it’s scrambled using AES-256-CBC encryption with HMAC-SHA256 authentication.
Without your master password, the encrypted data looks like random gibberish.
Everything Stays on Your Computer
Your passwords never leave your device. No cloud. No servers. No company storing your data. Just you and your computer.
Open Source Means Trustworthy
All the code is public on GitHub. Security experts can (and do) review it to make sure there are no sneaky backdoors.
What Makes It Secure?
Strong Encryption
In plain English: Your passwords are scrambled using AES-256 encryption.
Why it matters: Even with all the computers in the world working together, it would take billions of years to crack the encryption.
No Password Recovery
In plain English: If you forget your master password, we can’t help you. Nobody can.
Why it matters: This sounds bad, but it’s actually good! It means there’s no “back door” that hackers (or anyone else) can use to access your passwords.
Important: Write down your master password somewhere safe!
Protection Against Guessing
In plain English: If someone tries to guess your master password, the app slows them down dramatically.
Why it matters: After a few wrong guesses, each attempt takes 8+ seconds. This makes it nearly impossible for someone to sit there trying thousands of password guesses.
Memory Protection
In plain English: When CoraleVault is running, your passwords are protected even in your computer’s memory.
Why it matters: Advanced attackers can’t easily steal passwords from your computer’s RAM, even if they get access to your computer.
Common Security Questions
Is my data really safe?
Yes, as long as you:
- Choose a strong master password (12+ characters, mix of letters, numbers, symbols)
- Don’t share your master password with anyone
- Keep your computer reasonably secure (use a login password, don’t install sketchy software)
What if my computer gets hacked?
While CoraleVault is locked: Your passwords are encrypted and safe. Attackers can’t read them without your master password.
While CoraleVault is unlocked: Like any app, if your computer is compromised while you’re using it, an attacker could potentially see what’s on your screen or in memory. Lock the vault when you’re not using it!
What if I forget my master password?
Unfortunately, your passwords will be locked forever. There’s no password recovery—by design. This is the price of true security.
Prevention: Write your master password down and store it somewhere safe (safe deposit box, with a trusted family member, etc.)
Can the government/company access my passwords?
No. Your passwords are encrypted on your computer, and only you have the key (your master password). We don’t have a copy. The government doesn’t have a copy. Nobody does.
What if CoraleVault gets hacked?
Since everything is stored locally on your computer, there’s no central server to hack. Each user’s data is separate and encrypted.
Best Practices
Choose a Strong Master Password
Good examples:
- MyDog&2Cats!Love2025 (memorable phrase)
- correct-horse-battery-staple (random words)
- ILived@123MainSt_Until1995! (personal but complex)
Bad examples:
- password123 (too common)
- CoraleVault (too obvious)
- 12345678 (too simple)
Tip: Longer is better than more complex. A 20-character phrase is harder to crack than an 8-character random string.
Lock When You Step Away
Press Ctrl+L (or Cmd+L on Mac) to lock your vault when you leave your computer.
Back Up Your Vault File
Your passwords are stored in a .vault file. Back it up regularly:
- USB drive
- External hard drive
- Cloud storage (it’s encrypted, so this is safe!)
Keep Your Computer Secure
CoraleVault is secure, but your computer needs to be secure too:
- Use a strong login password
- Keep your OS updated
- Don’t install sketchy software
- Consider full-disk encryption (BitLocker on Windows, FileVault on Mac)
Technical Details
For the security-minded and technically curious:
Encryption Specs
- Algorithm: AES-256-CBC (FIPS 197 approved)
- Authentication: HMAC-SHA256
- Key Derivation: PBKDF2 with 600,000+ iterations (OWASP 2025 compliant)
- Random Number Generation: OS cryptographic sources (CryptGenRandom/SecRandomCopyBytes/urandom)
Protection Mechanisms
- Memory locking: VirtualLock (Windows) / mlock (Linux/macOS)
- Constant-time comparison: Prevents timing attacks
- Rate limiting: Exponential backoff on failed attempts
- Secure memory clearing: SecureZeroMemory before deallocation
- Zero memory leaks: Verified with Valgrind
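An added illustration of the constant-time comparison and exponential backoff items above (example code, not CoraleVault's own): the tag comparison has no early exit, and each failed unlock extends a lockout window. `UnlockThrottle`, `delay_after` and the schedule (two free failures, then 1 s doubling up to a 64 s cap) are assumptions, chosen so the wait reaches 8 seconds at the sixth failure.

```cpp
#include <algorithm>
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <vector>

using Clock = std::chrono::steady_clock;
using Tag = std::vector<std::uint8_t>;

// Compare two MAC tags without an early exit, so timing does not reveal how
// many leading bytes matched. Production code would normally call a vetted
// primitive such as OpenSSL's CRYPTO_memcmp instead.
bool constant_time_equal(const Tag& a, const Tag& b) {
    if (a.size() != b.size()) return false;  // tag length is not secret
    unsigned diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) diff |= static_cast<unsigned>(a[i] ^ b[i]);
    return diff == 0;
}

// Hypothetical policy, not CoraleVault's real constants: two free failures,
// then 1 s doubling per failure (3rd -> 1 s, 6th -> 8 s), capped at 64 s.
std::chrono::seconds delay_after(unsigned failures) {
    if (failures < 3) return std::chrono::seconds{0};
    return std::chrono::seconds{1LL << std::min(failures - 3, 6u)};
}

class UnlockThrottle {
public:
    // stored_tag: HMAC kept in the vault; computed_tag: HMAC recomputed with
    // the key derived from the password just entered (derivation not shown).
    bool try_unlock(const Tag& stored_tag, const Tag& computed_tag, Clock::time_point now) {
        if (now < next_allowed_) return false;  // locked out: guess not evaluated
        if (constant_time_equal(stored_tag, computed_tag)) {
            failures_ = 0;
            return true;
        }
        next_allowed_ = now + delay_after(++failures_);
        return false;
    }
    unsigned failures() const { return failures_; }

private:
    unsigned failures_ = 0;
    Clock::time_point next_allowed_{};  // clock epoch: no lockout initially
};

int main() {
    for (unsigned n = 1; n <= 8; ++n)
        std::printf("failure %u -> wait %lld s\n", n, static_cast<long long>(delay_after(n).count()));
}
```

The throttle only slows guesses made through the application; an attacker working on a copied vault file is limited by the PBKDF2 iteration count instead.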
Code Quality
- Language: Modern C++17
- Memory safety: RAII, smart pointers
- Architecture: Service-layer design
- Testing: Comprehensive unit tests
- Static analysis: Regular security scanning
View full source code on GitHub →
Industry Standards Compliance
CoraleVault meets or exceeds these technical standards:
NIST (National Institute of Standards and Technology):
- ✅ NIST SP 800-132 - Password-Based Key Derivation (PBKDF2)
- ✅ NIST SP 800-38A - Block Cipher Modes (AES-CBC)
- ✅ NIST SP 800-108 - Key Derivation (HKDF)
- ✅ NIST SP 800-90A - Random Number Generation
- ✅ FIPS 197 - Advanced Encryption Standard (AES)
- ✅ FIPS 198-1 - Keyed-Hash Message Authentication (HMAC)
OWASP (Open Worldwide Application Security Project):
- ✅ OWASP ASVS v4.0 Section 6 - Cryptographic Verification
- ✅ OWASP Password Storage Cheat Sheet (2025)
- ✅ OWASP Top 10 - Cryptographic Failures Prevention
- ✅ OWASP Top 10 - Injection Attack Prevention
CWE (Common Weakness Enumeration):
- ✅ CWE-259 - No Hard-Coded Credentials
- ✅ CWE-316 - Cleartext Storage in Memory (Mitigated)
- ✅ CWE-327 - No Broken/Risky Cryptography
- ✅ CWE-330 - Cryptographically Strong Random Numbers
- ✅ CWE-522 - Insufficiently Protected Credentials (Prevented)
Based on a comprehensive security audit of v2025.11.4
Verifying Downloads
All releases are cryptographically signed. You can verify your download hasn’t been tampered with.
Quick version:
- Download both the installer and the .asc signature file
- Import our GPG key: gpg --import GPG-PUBLIC-KEY.asc
- Verify: gpg --verify [filename].asc [filename]
- Look for: “Good signature from Coralesoft”
Don’t know what GPG is? That’s okay! Most people don’t need to verify. This is for advanced users.
Full verification guide on Download page →
Reporting Security Issues
Found a security vulnerability?
Please DO NOT post it publicly. Email us instead:
Email: dev@coralesoft.nz
Subject: SECURITY: CoraleVault Vulnerability
We’ll respond within 48 hours.
Include:
- What the vulnerability is
- How to reproduce it
- What the impact could be
We follow responsible disclosure and will credit you in our security advisories (if you want credit).
Known Limitations
We’re honest about what we can and can’t protect against:
✅ We Protect Against:
- Someone stealing your vault file
- Network attacks (since we’re offline)
- Brute-force password guessing
- Memory dumps while vault is locked
⚠️ We Can’t Protect Against:
- You forgetting your master password
- Keyloggers on your computer
- Someone looking over your shoulder
- Attackers with physical access to your unlocked computer
Bottom line: CoraleVault is secure, but you need to keep your computer secure too.
Security Roadmap
Coming soon:
- Two-factor authentication (TOTP) for app unlock
- Hardware key support (YubiKey, etc.) for app unlock
- Biometric unlock (fingerprint, Face ID) for app unlock
Questions?
- General security questions: GitHub Discussions
- Found a bug: GitHub Issues
- Security vulnerability: dev@coralesoft.nz (private email)
Want to dive deeper? Read the full security documentation on GitHub.