Your files are locked to hardware you hold.
Not a password you can forget or leak. VaultSort encrypts each file with a key that can only be produced by your physical YubiKey or your Mac's Touch ID — and nothing else.
What “hardware-bound” actually means
The difference is where the key comes from.
Keys come from a password
Steal the encrypted file and crack (or phish) the password, and the data is exposed. Steal the app's stored configuration and you might derive the key without the password at all.
Keys come from hardware
The key is derived from a secret sealed inside your YubiKey chip or Apple's Secure Enclave. An attacker with your file and a full copy of VaultSort's credential database still gets nothing — the secret was never in either place.
What happens when you encrypt
Four steps, every time — for technical readers.
1. A random file key is generated
VaultSort creates a fresh 256-bit key for this file. It’s never reused and never stored in the clear.
2. Your hardware produces a PRF output
Your authenticator computes an HMAC of a per-credential salt using a secret that never leaves the device — 32 bytes only it can produce.
3. HKDF-SHA-256 derives a wrap key
The PRF output is mixed with a random per-file salt and your credential ID to produce a wrap key unique to this file.
4. AES-256-KWP + AES-256-GCM
The wrap key seals the file key (authenticated), then AES-256-GCM encrypts the body with the whole header authenticated. Any tampering aborts decryption.
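The four steps above, carried through in Python as an added example (not VaultSort's code). The authenticator's PRF is simulated with a plain HMAC, and the header layout, magic bytes and field lengths are assumptions; the real byte-level format is in the whitepaper. Requires the `cryptography` package.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_wrap_with_padding, aes_key_unwrap_with_padding)

MAGIC = b"VSRT"  # constructed magic; the real header format is in the whitepaper
CRED_ID_LEN, SALT_LEN, WRAPPED_LEN, NONCE_LEN = 16, 16, 40, 12  # KWP of a 32-byte key is 40 bytes

def prf_output(device_secret: bytes, credential_salt: bytes) -> bytes:
    """Step 2, simulated: HMAC-SHA-256 of the per-credential salt. In the real scheme
    the secret never leaves the YubiKey or Secure Enclave; here it is a constructed value."""
    return hmac.new(device_secret, credential_salt, hashlib.sha256).digest()

def derive_wrap_key(prf: bytes, file_salt: bytes, credential_id: bytes) -> bytes:
    """Step 3: HKDF-SHA-256 over the PRF output, per-file salt, credential ID as context."""
    return HKDF(hashes.SHA256(), 32, file_salt, credential_id).derive(prf)

def encrypt_file(plaintext: bytes, prf: bytes, credential_id: bytes) -> Tuple[bytes, bytes]:
    file_key = AESGCM.generate_key(bit_length=256)            # step 1: fresh 256-bit file key
    file_salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    wrap_key = derive_wrap_key(prf, file_salt, credential_id)
    wrapped = aes_key_wrap_with_padding(wrap_key, file_key)   # step 4a: AES-256-KWP seals the file key
    header = MAGIC + credential_id + file_salt + wrapped + nonce
    body = AESGCM(file_key).encrypt(nonce, plaintext, header)  # step 4b: whole header is the AAD
    return header, body

def decrypt_file(header: bytes, body: bytes, prf: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or header/body was tampered with."""
    if len(header) != 4 + CRED_ID_LEN + SALT_LEN + WRAPPED_LEN + NONCE_LEN or header[:4] != MAGIC:
        return None
    off = 4
    credential_id = header[off:off + CRED_ID_LEN]; off += CRED_ID_LEN
    file_salt = header[off:off + SALT_LEN]; off += SALT_LEN
    wrapped = header[off:off + WRAPPED_LEN]; off += WRAPPED_LEN
    nonce = header[off:off + NONCE_LEN]
    try:
        file_key = aes_key_unwrap_with_padding(derive_wrap_key(prf, file_salt, credential_id), wrapped)
        return AESGCM(file_key).decrypt(nonce, body, header)  # any header or body change fails here
    except (InvalidUnwrap, InvalidTag):
        return None
```

A wrong PRF output fails at the KWP unwrap; a flipped byte anywhere in the header or body fails the GCM tag, so decryption aborts rather than returning corrupted data.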
Want the byte-level format and parameters? Read the whitepaper →
How to encrypt your first file
New to VaultSort? Five steps and you're protected.
Register a key
Click the YubiKey status widget in VaultSort to open Key Settings, then register a YubiKey or your Mac’s Touch ID. A browser tab opens briefly to complete the secure handoff — that’s expected.
Save a recovery code
When you register your first key, VaultSort offers a one-time recovery code. Store it in your password manager. It’s your way back in if every hardware key is ever lost.
Encrypt a file
Select any file and click Encrypt with Key. VaultSort uses your primary key automatically and replaces the file with an encrypted .webauthn.enc file.
Add a backup key (optional)
Right after encrypting, add a second key to the same file so either one can open it. Only keys you explicitly add can decrypt a given file.
Decrypt when you need it
Select the encrypted file, click Decrypt with Key, and authenticate. VaultSort tries Touch ID first, then your YubiKey — no need to choose manually.
Multiple keys, one file
A single encrypted file can carry several wrapped key slots. Register a YubiKey and Touch ID, add both to a file, and either one opens it independently. Lose one — the other still works.
A recovery code as backstop
A 20-character passphrase, hardened with Argon2id, adds a final slot to your files. If every hardware key is lost, it's your last line of defense. Treat it like a wallet seed phrase.
What we're honest about
Convenient — your key follows you to a new Mac — but it means your Apple account is part of the chain. If that worries you, use a YubiKey, which never syncs anywhere.
If someone has your unlocked Mac, your PIN, and your biometrics, they can authenticate as you. No file encryption defends against that.
A recovery code in an unprotected note is the same as leaving your files unencrypted. Put it in a password manager or print it.
The complete threat model — including what we explicitly don't cover — is in the Security Design Document.
Encrypt your first file today
Free to try. Works entirely offline. No account required.
