Vault & Security
Security model
PentestPath stores all session data locally. There is no cloud sync and no remote storage by default. The vault layer adds optional password protection and encryption on top of that local storage.
Vault setup
The vault is optional. If you skip setup, session data is stored unencrypted in the local app state, readable by anyone who can read that storage.
When you set up the vault:
- Choose a master password.
- Optionally add a hint visible on the unlock screen.
- The vault initializes and all session data is encrypted immediately.
After setup, PentestPath prompts for the master password on launch before any session data is accessible.
Encryption
When the vault is active, session data is encrypted using:
- AES-256-GCM (authenticated encryption) for data at rest, so tampering with the stored data is detected at unlock rather than silently decrypted
- Argon2id as the password-based key derivation function, with memory-hard parameters to slow offline brute-force attacks on the master password
The encryption key is derived from your master password at unlock time and is never written to disk. Without the master password the data cannot be decrypted (see Reset).
Two-factor authentication (TOTP)
TOTP is optional and requires an active vault first. When enabled:
- unlock requires the master password followed by a 6-digit TOTP code
- compatible with Google Authenticator, Authy, and any other RFC 6238 TOTP app
- setup shows a QR code to scan with your authenticator app
- the TOTP secret is stored encrypted inside the vault
Because the secret lives inside the vault and the encryption key is derived from the master password alone, TOTP guards the app's unlock flow rather than the ciphertext itself: anyone who obtains both the vault file and the master password can decrypt it offline without a code.
Auto-lock
Configurable inactivity timeout in Settings. Available durations: 5 min, 15 min, 30 min, 1 hour, or never.
When the vault auto-locks, session data becomes inaccessible until you re-enter your credentials.
Password change
You can change the master password from Settings while the vault is unlocked. The vault is re-encrypted transparently with the new derived key.
Hint
The password hint is stored unencrypted and displayed on the lock screen, so anyone who can read the vault file can read it. Do not put the password itself, or anything from which it can be reconstructed, in the hint field.
Reset
If you lose access and cannot recover through the normal flows, a vault reset permanently deletes all encrypted local data; without the master password there is no other way to recover it. See Vault Reset before taking this step.