HomeFAQ

Frequently Asked Questions

Everything you need to know about VaultSort. Can't find the answer you're looking for? Reach out to us.

|

Encryption & Security

VaultSort's current format is V4. Files are encrypted with AES-256-GCM (authenticated encryption). The random per-file key is sealed with AES-256-KWP (RFC 5649) using a wrap key derived through HKDF-SHA-256 from a hardware secret — see the next question.

The full algorithm chain, byte-level file format, and threat model are documented in our free Security Design Document. Older files (V1–V3) remain fully readable.

Yes. We publish a free, in-depth Security Design Document (whitepaper) covering the threat model, the full cryptographic design, the file format, algorithm choices, and the limitations we're honest about. No email required. For a plain-language overview, see the how encryption works page.

The hardware never sees the file's AES key, and the key that protects your files can only be produced by your physical hardware. The entire WebAuthn/FIDO2 ceremony happens locally — no IDP, no network call, no third-party identity service.

Here's the V4 flow: VaultSort generates a random 256-bit file key. Your authenticator computes a WebAuthn PRF output — an HMAC of a per-credential salt using a secret that lives only inside the YubiKey chip (or Apple's Secure Enclave for Touch ID) and never leaves it. That output is run through HKDF-SHA-256 with a random per-file salt to derive a wrap key, which seals the file key via AES-256-KWP.

The crucial property: an attacker who steals your encrypted file and a complete copy of VaultSort's credential database still cannot decrypt anything, because the hardware's internal secret isn't in either place. (In our older V3 format the wrap key was derivable from stored credential metadata — V4 closes that gap, which is exactly why we rebuilt it.)

Yes — Touch ID encryption is new in V4. Register Touch ID and it becomes your primary key: VaultSort prompts for your fingerprint automatically, no YubiKey required. It uses the same hardware-bound V4 path, backed by Apple's Secure Enclave.

Touch ID encryption requires macOS 14 Sonoma or later, and during setup you must save the passkey to iCloud Keychain. Learn more on the Touch ID page.

  1. Click the YubiKey status widget in VaultSort to open Key Settings, then register a YubiKey or Touch ID.
  2. Save the one-time recovery code you're offered (store it in a password manager).
  3. Select any file and click Encrypt with Key. Authenticate, and the file is replaced by an encrypted .webauthn.enc file.
  4. Optionally use Add backup key right after to let a second key open the same file.

To decrypt, select the encrypted file, click Decrypt with Key, and authenticate. A full walkthrough lives on the encryption page.

This is expected, and it happens for both YubiKey and Touch ID. The WebAuthn standard VaultSort uses needs a real browser to talk to your hardware key — a desktop app can't do it directly. VaultSort hands only the authentication step to your browser, which runs entirely on your own machine (a local localhost address). Nothing about your files is sent over the internet, and the tab closes by itself.

VaultSort works best with a Chromium-based browser (Chrome, Edge, or Brave) as your default. Safari and Firefox may not support the WebAuthn PRF extension that V4 encryption depends on.

Any modern FIDO2 key that supports the WebAuthn PRF (hmac-secret) extension — including the YubiKey 5 series and the Security Key series, plus comparable keys from other vendors. Older U2F-only devices (such as the YubiKey 4) are not compatible. VaultSort verifies PRF support during registration, so an incompatible key is rejected with a clear message before it's added.

A single encrypted file can hold multiple wrapped key slots, so any key that was added to that file can decrypt it independently. Register a backup key (or both a YubiKey and Touch ID) and add them to your important files, and losing one key doesn't lock you out.

As a final backstop, VaultSort generates a recovery code — a 20-character passphrase hardened with Argon2id — when you register your first key. If every hardware key is lost, the recovery code can still decrypt your files. Store it like a wallet seed phrase.

Credentials registered before V4 were enrolled without a PRF salt, which V4 requires for hardware-bound key derivation. They can still decrypt your existing V3 files, but can't encrypt new V4 files. To fix it, open Key Settings and register the same physical key again — the new registration is V4-capable. Archive (don't delete) the old one so it stays available for older files.

GPG is solid, but it's a general-purpose, CLI-first tool. VaultSort is not a GPG wrapper — it uses its own hardware-bound V4 flow (AES-256-GCM with WebAuthn PRF key derivation) and is built for day-to-day desktop use:

  • Simpler UX with a native macOS interface
  • Native YubiKey / Touch ID / WebAuthn flow — no terminal commands needed
  • Multi-key support and recovery codes for backup and recovery
  • Built-in file operations (organize, deduplicate, secure delete) in one app

No personal data or file contents are ever sent to the cloud. All encryption, decryption, file organization, and deletion happens entirely on your Mac. The WebAuthn step runs on a local localhost address only.

The one exception is the AI Job Builder: when you ask it to generate a job, only your plain-English prompt and the instructions for producing the rule JSON are sent to the LLM provider you've configured (OpenAI, Anthropic, or Google Gemini). Your files, file names, and folder contents are never transmitted. A fully local AI option for file categorization is also available.

Note: if you use Touch ID, its passkey syncs through your iCloud Keychain (Apple's end-to-end encrypted service). YubiKey credentials never sync anywhere.

Secure Deletion

Go to System Resources → Devices. On each disk, you'll see a red trash icon for Disk Shred and an orange brush icon for Freespace Overwrite.

Apple removed Secure Erase from Disk Utility because traditional overwrite methods don't reliably work on SSDs due to wear-leveling and block remapping.

VaultSort fills this gap with SSD-aware deletion: TRIM-based invalidation, metadata scrubbing, anti-wear-leveling patterns, and cryptographically random overwrites — designed for how flash storage actually works.

For your primary system disk with FileVault, you're already well-protected. VaultSort's shredding is most useful for:

  • External drives that were never encrypted
  • Shared or re-used drives
  • Scenarios where you want to securely clear specific files or free space without reformatting

Licensing & Pricing

3 devices. Your one-time purchase covers up to 3 Macs.

No. VaultSort is a one-time purchase$24.99 for a lifetime license. No recurring charges, no hidden fees.

Yes! The free version includes genuinely useful features:

  • Automatic file and folder organization
  • Disk and folder analysis
  • Large file discovery
  • Storage breakdown and directory browsing

Premium unlocks duplicate detection, secure deletion, disk shredding, encryption, and advanced organization with the AI Job Builder.

General

VaultSort is built by a human developer — Justin Haubrich, a software engineer since 2019. AI tools assist with some development tasks (like any modern dev workflow), but the architecture, security design, and every release are written, reviewed, and tested by the developer.

System & Compatibility

  • macOS 12 (Monterey) or later
  • Apple Silicon only (M1, M2, M3, M4)

Intel Macs are not supported.

Yes. VaultSort is Apple-notarized and runs natively on Apple Silicon. It's distributed directly from our website — no App Store intermediary.

Features

The AI Job Builder lets you create file organization automations by describing what you want in plain English — for example: "Move all screenshots older than 30 days to ~/Archive/Screenshots, organized by month."

It generates the complete rule set (predicates, logic groups, folder structure) in seconds. You review it, edit if needed, dry-run it, then execute. You bring your own API key (OpenAI, Anthropic, or free Google Gemini).

Hazel is mainly for file automation rules. VaultSort covers organization too, but also adds:

  • Undo for all organization runs
  • Duplicate file detection and removal
  • Secure deletion and disk shredding
  • Hardware-bound AES-256 encryption with Touch ID or YubiKey
  • Storage cleanup, large file finder, and cache cleaning
  • AI-powered job builder for plain-English automation

VaultSort is better if you want one utility that covers cleanup + organization + security, rather than just file automation.

Yes. Every organization operation is logged and fully undoable — one-click rollback per file. Before anything moves, you can also run a full dry-run preview showing every file, where it would go, and which rule is responsible.

Rules are stored locally as JSON in an AST (Abstract Syntax Tree) format. The LLM generates the AST once, and from then on the rule is just data on your disk — it doesn't re-query the model and won't drift or change over time.

Because the format is plain JSON, jobs are stable across app updates and can easily be exported, shared, and imported into VaultSort.

By default, AI Job Builder requests go to a cloud LLM (OpenAI, Anthropic, or Google Gemini, depending on the API key you provide). Only your plain-English prompt and the instructions for producing the rule JSON are sent — no file data, file names, or folder contents.

A local AI model option for file categorization is also available, so sensitive workflows can stay fully on-device.

The organization and analysis backend is written in Rust, which produces highly performant native binaries and handles tens of thousands of files comfortably. The main limitation is the Contains predicate (which matches on file content): for performance reasons it only inspects files up to 16 MB.

Several layers protect against bad moves:

  • Dry Run — preview every file move a job would make before executing it.
  • Configurable collision strategies — the default is to rename rather than overwrite, so existing files are never silently replaced.
  • Full undo — every organization run is logged and can be rolled back per file with one click.

Still have questions?

We'd love to hear from you. Send us a message and we'll respond as soon as possible.

Stay Updated with VaultSort

Updates, security tips, and feature announcements. No noise.

No spam. Unsubscribe at any time.