// SECURITY PRACTICES

How PassFX protects your credentials

## Encryption

  • Algorithm: Fernet (AES-128-CBC + HMAC-SHA256)
  • Key derivation: PBKDF2-HMAC-SHA256
  • Iterations: 480,000
  • Salt: Cryptographically random (per vault)
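The construction listed above, as an added example that is not PassFX's own code: the master password and a per-vault random salt go through PBKDF2-HMAC-SHA256 at 480,000 iterations to produce the Fernet key, and Fernet then provides AES-128-CBC plus an HMAC-SHA256 tag that rejects a wrong password or a modified file before anything is decrypted. It assumes the `cryptography` package (the reference Fernet implementation); the 16-byte salt, the salt-in-front-of-token layout and the function names are assumptions, not PassFX's documented format.

```python
import os
import base64

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

PBKDF2_ITERATIONS = 480_000   # iteration count stated in the Encryption section
SALT_LEN = 16                 # assumption: 16 random bytes of salt per vault


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into the 32-byte key Fernet expects.

    Fernet splits that key: the first 16 bytes sign (HMAC-SHA256), the last
    16 encrypt (AES-128-CBC). Fernet wants it urlsafe-base64 encoded."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(master_password.encode("utf-8")))


def seal_vault(master_password: str, plaintext: bytes) -> bytes:
    """Encrypt vault contents under a fresh random salt.

    The salt is stored in front of the token (assumed layout) so it can be
    re-read at unlock time; it is not secret, only unique per vault."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(derive_key(master_password, salt)).encrypt(plaintext)
    return salt + token


def open_vault(master_password: str, blob: bytes) -> bytes:
    """Re-derive the key from the stored salt and decrypt.

    Raises InvalidToken for a wrong password or a modified blob: Fernet
    checks the HMAC tag first and never runs AES on unauthenticated data."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    return Fernet(derive_key(master_password, salt)).decrypt(token)


def is_openable(master_password: str, blob: bytes) -> bool:
    """True only when the password authenticates this exact blob."""
    try:
        open_vault(master_password, blob)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    # Constructed sample entry, not real credentials.
    vault = seal_vault("correct horse battery staple", b'{"example.com": "hunter2"}')
    print(open_vault("correct horse battery staple", vault))
    print(is_openable("wrong password", vault))  # False
```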

## Zero-Knowledge Architecture

PassFX implements a true zero-knowledge design:

  • Your master password never leaves your machine in any form
  • Encryption keys are derived locally using PBKDF2 with a high iteration count
  • No server-side components exist to compromise
  • No network connections are ever made by the application
  • Even if an attacker obtains your vault file, they cannot decrypt it without your master password

## Air-Gap Compatible

PassFX is designed for air-gapped environments:

$ netstat -an | grep passfx

(no results - zero network activity)

  • Zero DNS lookups
  • Zero HTTP/HTTPS requests
  • Zero telemetry or analytics
  • Zero update checks
  • Works completely offline after installation

## Vault Storage

Your encrypted vault is stored locally:

$ ls -la ~/.passfx/vault.enc

-rw------- 1 user user 2048 Dec 21 10:00 vault.enc

  • File permissions: 600 (owner read/write only)
  • Location: User home directory (~/.passfx/)
  • Format: Encrypted binary blob
  • Backup: Manual only (you control your data)

## Threat Model

PassFX protects against:

  • Remote attackers: No network surface to attack
  • Cloud breaches: No cloud storage to breach
  • Vault theft: Encrypted with strong key derivation
  • Brute force: 480,000 PBKDF2 iterations make attacks impractical

PassFX does not protect against:

  • Compromised local machine (keyloggers, malware)
  • Physical access to unlocked session
  • Weak master passwords (use a strong passphrase)
  • Social engineering attacks

## Vulnerability Reporting

Found a security issue? We take security seriously.

Please report security vulnerabilities responsibly:

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Review our SECURITY.md for reporting instructions
  3. Allow reasonable time for a fix before public disclosure

## Verify Yourself

PassFX is 100% open source. Audit the code yourself: github.com/dinesh-git17/passfx

Security through obscurity is not security. Every cryptographic decision in PassFX is documented and open to scrutiny.