XVaultPro
Offline-first credential manager. AES-256 encryption, dual-vault mode, AI access controls and Shamir estate recovery.
XVaultPro — Encrypted Password Vault
A Credential Vault Without Compromise
AES-256-GCM authenticated encryption hardened with Scrypt key derivation, operating entirely offline on your own hardware. No browser extensions, no cloud sync, no third-party custody. Dual-vault architecture, AI access controls, and Shamir-based estate recovery deliver enterprise-grade credential management for individuals, families, and organizations.
Full-Spectrum Credential Storage
Passwords, secrets, payment cards, identities and notes — every entry type your organization needs, with integrated TOTP, expiry tracking and version history.
Passwords with TOTP/2FA
Full credential entries with username, password, URL, and integrated TOTP code generation. Auto-copy with configurable clipboard wipe timer.
Secure Notes
Encrypted freeform text for procedures, instructions, legal documents, or any sensitive information that does not fit a structured credential format.
Payment Cards
Masked storage for card numbers, expiry dates, CVV, and billing addresses. Display is masked by default with reveal-on-demand.
Identity Profiles
Structured identity data including name, address, phone, email, government IDs, and organization details. Used for form-fill and identity verification workflows.
Secrets and Keys
API keys, SSH keys, access tokens, recovery codes, and certificates. Environment-tagged (Production, Staging, Development, Test) with expiry tracking and rotation warnings.
Expiry and Rotation
Configurable expiry dates with automatic warnings at 90, 180, and 365-day thresholds. Password version history retains up to 20 previous values per entry for rollback.
Built for the Agentic Era
"No AI access by default." The first credential manager engineered from the ground up to contain AI agents and automation with scoped identities, TTLs, human approval gates and full session audit.
AI Paste Guard
Detects when AI tools, LLM interfaces, copilot extensions, and agent frameworks are running on the host. Warns before any clipboard operation that could expose credentials to model context windows, logging pipelines, or third-party plugins.
AI Agent Vaulting
Scoped machine identities with configurable TTL (time-to-live), retrieval count limits, and category restrictions. Agents receive only the credentials they need, for exactly as long as they need them. No standing privileges.
Human Approval Gates
Sensitive credentials can be flagged to require live human approval even for internal agents and automation. No automated system can retrieve gated secrets without an explicit operator confirmation.
AI Policy Engine
"No AI access by default" as a product principle. Policies define which credential categories, environments, and entry types are accessible to machine identities. Everything is denied unless explicitly permitted.
AI Session Audit
Every credential retrieval is logged with full context: requester identity, timestamp, credential accessed, retrieval method, and session duration. Complete audit trail for compliance and forensics.
Ephemeral Credentials
Machine credentials are issued with automatic expiration. No standing access, no persistent tokens, no long-lived API keys for automation. When the TTL expires, the credential is revoked without operator intervention.
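The deny-by-default model described in this section (scoped identity, TTL, retrieval count, category and environment restrictions, human approval gate, audit record) can be sketched as a single decision function. This is an added illustration, not XVaultPro's code: `Grant`, `Broker`, the verdict strings and the audit record fields are hypothetical names chosen for the example.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Grant:                       # hypothetical scoped machine identity
    agent: str
    categories: frozenset          # credential categories the agent may read
    environments: frozenset        # e.g. {"Staging"}; anything else is denied
    expires_at: float              # absolute TTL deadline, epoch seconds
    retrievals_left: int           # retrieval count limit

@dataclass
class Broker:                      # hypothetical policy decision point
    grants: dict = field(default_factory=dict)
    gated: set = field(default_factory=set)     # entries needing live approval
    audit: list = field(default_factory=list)

    def retrieve(self, agent, entry, category, env, approved_by=None, now=None):
        now = time.time() if now is None else now
        g = self.grants.get(agent)
        if g is None:
            verdict = "deny:no-grant"            # no AI access by default
        elif now >= g.expires_at:
            verdict = "deny:ttl-expired"         # ephemeral: nothing to revoke by hand
        elif g.retrievals_left <= 0:
            verdict = "deny:count-exhausted"
        elif category not in g.categories or env not in g.environments:
            verdict = "deny:out-of-scope"
        elif entry in self.gated and approved_by is None:
            verdict = "deny:needs-human-approval"
        else:
            g.retrievals_left -= 1
            verdict = "allow"
        # Denials are logged too: refused requests are what forensics needs most.
        self.audit.append({"ts": now, "agent": agent, "entry": entry, "env": env,
                           "approved_by": approved_by, "verdict": verdict})
        return verdict
```

Every branch except the last one denies, so a new check can only narrow access, and the audit list records refusals as well as successful retrievals.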
Five-Stage Pre-Auth Airlock
Before the master password is ever committed, XVaultPro inspects the environment, scans for active threats and lets the operator choose the correct vault partition or trigger emergency controls.
Trust Status Verification
Device trust, application integrity, and network status are verified and displayed before the unlock prompt. The operator sees the security posture of the environment before committing their master credential.
Pre-Auth Threat Assessment
Sentinel scans against Global Threat Database signatures from ThreatFox, MISP, MalwareBazaar, and other industry threat intelligence sources. Clipboard hijackers, keyloggers, RATs, screen capture tools, and cryptominers are detected and optionally terminated before the master password prompt appears.
Identity Lane Selection
Compartmentalized access by context. Operators select their identity lane to ensure the correct vault partition is loaded for the current operational context.
Safe Action Strip
Emergency erase, restricted access mode, and lockdown controls are accessible pre-authentication. The operator can activate defensive controls without unlocking the primary vault.
Multiple Unlock Paths
Master password, dual-vault PINs, and future support for passkeys and hardware security keys. Each unlock path can route to different vault partitions.
Active Threat Intelligence
Sentinel-powered threat detection bundled locally with no external API calls. Every scan, every lookup, every breach check runs entirely offline.
Sentinel Integration
Global Threat Database signatures from ThreatFox, MISP, MalwareBazaar, and other industry intelligence sources. Bundled locally with no external API calls required.
Startup Scan
Auto-detects and optionally terminates clipboard hijackers, keyloggers, RATs, screen capture malware, debuggers, memory tools, and cryptominers before the master password is entered.
Breach Detection
Local SHA-256 hash database of compromised passwords. All breach checking is performed entirely offline against the bundled database. No credentials are ever transmitted to external services.
Phishing Detection
Levenshtein distance analysis against 50 legitimate domains to detect typosquatting and homoglyph attacks in stored URLs. Flags suspicious entries on import and during audits.
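A minimal version of this kind of check, as an added example rather than XVaultPro's implementation. The allowlist, the confusables table, the distance threshold of 2 and the function names are all constructed for the illustration; the page gives none of them.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the page says 50 legitimate domains but does not list them.
LEGIT = ["paypal.com", "google.com", "microsoft.com", "github.com"]
# Small constructed confusables table: digits and Cyrillic letters -> Latin look-alikes.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0440": "p"})
MAX_DISTANCE = 2  # assumed threshold, not taken from the product

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(url: str) -> str:
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    try:  # decode xn-- punycode so Unicode look-alikes are compared as displayed
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: compare as-is
    # Last two labels only; a real check would consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify(url: str):
    domain = registrable(url)
    if domain in LEGIT:
        return ("ok", domain)
    folded = domain.translate(CONFUSABLE)
    if folded in LEGIT:                       # identical once look-alikes are folded
        return ("homoglyph", folded)
    nearest = min(LEGIT, key=lambda d: levenshtein(domain, d))
    if levenshtein(domain, nearest) <= MAX_DISTANCE:
        return ("typosquat", nearest)
    return ("unlisted", None)
```

Folding look-alike characters before measuring edit distance separates homoglyph hits from ordinary typos, which helps when deciding how loudly to flag an imported entry.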
Missing MFA Detection
Identifies credentials that lack two-factor authentication and flags them as elevated risk in the vault health assessment. Recommendations include TOTP setup instructions.
Password Age Tracking
Monitors credential age against configurable rotation policies. Stale credentials at 90, 180, and 365-day thresholds are surfaced with severity-appropriate warnings.
Six Classes of Hostile Process
The malware scanner runs before the master password prompt appears. Threats are detected and optionally terminated so they never see a decrypted vault.
Clipboard Hijackers
Detects processes that monitor or modify clipboard contents, a common vector for credential interception and address substitution attacks.
Keyloggers
Identifies known keylogging software and suspicious input-monitoring processes that could capture the master password during entry.
Screen Capture
Detects screen recording and screenshot tools that could capture vault contents while credentials are displayed.
Remote Access Trojans
Identifies known RAT signatures that could provide remote attackers with real-time visibility into vault operations.
Debuggers and Memory Tools
Detects debugging tools and memory inspection utilities that could extract decrypted credentials from process memory.
Cryptominers
Identifies unauthorized mining processes that indicate a compromised host and potential for broader malware activity.
Two Vaults, One Installation
Two independent encrypted partitions unlocked by different PINs. Identical UI, identical timing, plausible deniability by design.
Two Independent Vault Partitions
Two separate encrypted partitions, each unlocked by its own PIN. Each partition uses an independent key derivation and holds its own credentials. Both are encrypted with AES-256.
Per-Vault Placeholder Data
Each vault can be populated independently. The secondary vault can be pre-loaded with placeholder credential entries derived from the user's name, so it stays usable as a separate working space.
Identical UI Rendering
Both vaults use identical UI rendering paths and response times. There is no visual or timing difference in the application surface between the two partitions.
Emergency Erase + Cryptographic Engine
Instant switch via Emergency Erase. The cryptographic engine uses AES-256-CTR with PBKDF2-SHA256 at 500,000 iterations for the seed transformation layer. Decrypted credentials exist in process memory only during active use.
Estate Recovery Without Custody
Shamir Secret Sharing over GF(256) lets you split vault access across trusted beneficiaries with a configurable K-of-N threshold — no single share reveals anything.
Estate / Beneficiary Recovery
Shamir Secret Sharing over GF(256) with configurable K-of-N threshold. Vault access can be reconstructed by any K of N designated beneficiaries, each holding a single share. No single share reveals any information about the vault contents.
Emergency Contact Delegation
Emergency-only secure notes accessible pre-authentication via a separate PIN. Designated contacts can retrieve specific items (not full vault access) without the master password.
Restricted Access Mode
Temporarily hide selected credential categories from the unlocked vault view. Hidden entries remain encrypted on disk and are not decrypted or displayed until the mode is deactivated.
Memory Protection / Erase
On lock and exit, decrypted credentials are overwritten in process memory through triple garbage collection, variable zeroing, and immediate process exit. The erase is also available as an explicit action for end-of-life or compromised devices.
Portable, Self-Contained Backups
.xvault backups are independently encrypted with fresh salt and AES-256-GCM. Restore merges intelligently and re-encrypts with current key material.
Encrypted .xvault Backups
Portable backup files encrypted with fresh salt and AES-256-GCM. Backup to USB drives, local directories, or external storage. Each backup is independently encrypted and self-contained.
Merge and Restore
Restore from any backup file using the file picker. Import merges entries intelligently, skipping duplicates. Restore operations re-encrypt all data with the current vault's key material. No plaintext intermediate state.
Technical Specifications
Feature Comparison
XVaultPro compared against four established credential management products across the capabilities that matter most in the agentic era.
| Feature | XVaultPro | Competitor 1 | Competitor 2 | Competitor 3 | Competitor 4 |
|---|---|---|---|---|---|
| Offline-First Architecture | |||||
| AI Access Controls | |||||
| AI Agent Vaulting | |||||
| Human Approval Gates | |||||
| Dual-Vault Mode | |||||
| Estate Recovery (Shamir) | |||||
| Emergency Contact Delegation | |||||
| Startup Malware Scan | |||||
| Stealth Storage | |||||
| Restricted Access Mode | |||||
| Vault Health Score | |||||
| Breach Detection | |||||
| Phishing Detection | |||||
| No Browser Extension Required |