
XVault is a fully offline, hardware-backed secure vault for storing card metadata. It uses Android Keystore, biometric-bound encryption, encrypted recovery, anti-theft protections, and zero cloud dependency. Your data never leaves your device, ever.


greenbugx/XVault


XVault 🔐

XVault is a fully offline, security-first Android vault designed to store sensitive card metadata (credit, debit, prepaid) without ever relying on the cloud.

Unlike typical “password manager” apps, XVault is built around hardware-backed encryption, biometric authentication, and strict runtime security rules. Your data lives only on your device, encrypted at rest and protected in memory.


✨ Key Features

  • 🔒 Hardware-backed encryption (Android Keystore)
  • 🧬 Biometric-bound access (fingerprint / device biometrics)
  • 🗝️ Master Vault Key (MVK) architecture
  • 🧠 Encrypted recovery using security questions
  • 🛑 Anti-theft protections (biometric changes, device state changes)
  • 📴 100% offline — no internet, no cloud, no servers
  • 🧹 Secure clipboard handling
  • ⏱️ Automatic vault locking on inactivity
  • 🔐 Tamper detection via integrity checks

🧠 How XVault Works (High Level)

  • A random 256-bit Master Vault Key (MVK) is generated on first run.
  • The MVK is encrypted using a biometric-protected key stored in the Android Keystore.
  • Vault data is encrypted with the MVK using AES-GCM.
  • A secondary encrypted recovery path is created using a key derived from a user-defined security answer.
  • The MVK exists only in memory while the vault is unlocked.

For a deeper explanation of the cryptographic design, threat model, and security guarantees, see SECURITY.md.
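The key hierarchy listed above, as an added sketch in Kotlin on the plain JVM (not XVault's own code). A software AES key stands in for the biometric-protected Keystore key; PBKDF2-HMAC-SHA256 with 600,000 iterations, the helper names, the blob layout, and the sample values are assumptions, since this README does not specify them.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

fun randomBytes(n: Int) = ByteArray(n).also { SecureRandom().nextBytes(it) }

// AES-256-GCM with a fresh 96-bit nonce per call; output is nonce || ciphertext || tag.
fun seal(key: SecretKey, plaintext: ByteArray): ByteArray {
    val nonce = randomBytes(12)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, nonce))
    return nonce + cipher.doFinal(plaintext)
}

// Throws AEADBadTagException if the key is wrong or the blob was modified.
fun unseal(key: SecretKey, blob: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, blob, 0, 12))
    return cipher.doFinal(blob, 12, blob.size - 12)
}

// Assumed KDF and cost: PBKDF2-HMAC-SHA256, 600,000 iterations (not stated in the README).
fun recoveryKey(answer: CharArray, salt: ByteArray): SecretKey {
    val spec = PBEKeySpec(answer, salt, 600_000, 256)
    val raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    spec.clearPassword()
    return SecretKeySpec(raw, "AES")
}

fun main() {
    // Stand-in for the biometric-protected Keystore key, which is non-exportable on a device.
    val deviceKey = SecretKeySpec(randomBytes(32), "AES")
    val answer = "constructed sample answer"        // constructed security answer
    val mvk = randomBytes(32)                       // random 256-bit Master Vault Key
    val salt = randomBytes(16)
    val wrappedByDevice = seal(deviceKey, mvk)      // normal unlock path
    val wrappedByAnswer = seal(recoveryKey(answer.toCharArray(), salt), mvk)
    val vault = seal(SecretKeySpec(mvk, "AES"), "Visa ending 4242, exp 12/30".toByteArray())
    mvk.fill(0)                                     // lock: only wrapped copies remain
    // Recovery: re-derive the key from the answer, unwrap the MVK, decrypt the vault.
    val recovered = unseal(recoveryKey(answer.toCharArray(), salt), wrappedByAnswer)
    println(String(unseal(SecretKeySpec(recovered, "AES"), vault)))
    check(unseal(deviceKey, wrappedByDevice).contentEquals(recovered))
    val wrong = runCatching { unseal(recoveryKey("guess".toCharArray(), salt), wrappedByAnswer) }
    println("wrong answer rejected: ${wrong.isFailure}") // different key, so the GCM tag check fails
}
```

Because both wrapped copies decrypt to the same MVK, the recovery path is only as strong as the security answer and the KDF cost, which makes the answer's entropy the thing to review.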


🚫 What XVault Does NOT Do

  • ❌ No cloud sync
  • ❌ No servers
  • ❌ No CVV storage
  • ❌ No full card numbers
  • ❌ No analytics or tracking
  • ❌ No background data access

🤝 Contributing

Contributions are welcome — especially those that improve security, reliability, or UX.

You can contribute by:

  • 🐞 Reporting bugs or edge cases
  • 🔍 Performing security reviews or audits
  • 🧠 Suggesting architectural improvements
  • 🧪 Adding tests (unit, integration, or security-focused)
  • 🎨 Improving UI/UX while preserving security guarantees

How to contribute

  1. Fork the repository
  2. Create a new branch
  3. Make your changes with clear commit messages
  4. Open a pull request describing what changed and why

If your contribution affects security-sensitive code, please explain your reasoning clearly.


🔐 Security

Security issues should be handled responsibly.

  • Please do not open public issues for vulnerabilities.
  • Refer to SECURITY.md for the security policy, threat model, and reporting guidelines.

⚠️ Disclaimer

XVault is a security-focused personal project. While strong cryptographic practices are used, it is not certified for financial compliance (e.g., PCI-DSS).

Use responsibly.


Built with care, paranoia, and respect for user privacy.
