This project must declare MPL-2.0-or-later for platform/tooling compatibility.
Philosophy: Palimpsest. The Palimpsest-MPL (PMPL) text is provided in license/PMPL-1.0.txt, and the canonical source is the palimpsest-license repository.
Keep Your Digital Identity Safe — Even From Future Threats
A Svalinn-based Vault stores your digital identities securely. It goes beyond typical password managers to protect your most sensitive credentials.
- SSH keys — Secure shell access to servers
- PGP/GPG keys — Email encryption and file signing
- Personal Access Tokens — GitHub, GitLab, cloud services
- API credentials — REST, GraphQL, gRPC endpoints
- OAuth2/JWT tokens — Third-party app access
- X.509 certificates — Code signing and authentication
- Decentralised Identifiers (DIDs) — Web3 identity
- WireGuard keys — VPN connections
Most password managers store passwords. RGT Vault stores cryptographic keys and tokens that control access to your entire digital life.
| Feature | What It Means |
|---|---|
| Quantum-safe encryption | Protected even when quantum computers become powerful enough to break current encryption |
| Mathematically proven security | Computer proofs verify that critical security properties always hold |
| Zero-knowledge storage | Your credentials are unreadable scrambled fragments until you need them |
| Open source | Anyone can inspect, audit, and improve the code |
```bash
# Using Nix (recommended)
nix profile install github:hyperpolymath/reasonable-good-token-vault

# Using Guix
guix install -f guix.scm

# Container deployment
podman pull ghcr.io/hyperpolymath/svalinn-vault:latest
```

```bash
# Create your vault
svalinn-cli init

# Add an SSH key
svalinn-cli add ssh --name "my-server-key" --path ~/.ssh/id_ed25519

# Add a GitHub token
svalinn-cli add pat --name "github-token" --host github.com

# List your credentials (shows GUIDs only)
svalinn-cli list

# Retrieve a credential
svalinn-cli get a7f2c3d4-e5b6-4a8c-9d0e-f1a2b3c4d5e6
```

Your credentials pass through several security layers:
```text
Your Password
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ ARGON2ID (64 MB Memory)                                         │
│ Turns your password into a strong encryption key                │
│ Memory-hard: Stops GPU/ASIC password cracking                   │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ KYBER-1024 (Post-Quantum Encryption)                            │
│ Wraps your data in quantum-resistant encryption                 │
│ 256-bit security against both classical and quantum attacks     │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ AES-256-GCM (Data Encryption)                                   │
│ Military-grade authenticated encryption                         │
│ Detects any tampering instantly                                 │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ FRAGMENTED GUID STORAGE (Redacted)                              │
│ Credentials split into pieces, names scrambled                  │
│ Attacker sees only meaningless GUIDs                            │
└─────────────────────────────────────────────────────────────────┘
```

Every credential becomes a unique identifier (GUID). Names and details get scrambled. Even if someone accesses your vault, they see only:

```text
a7f2c3d4-e5b6-4a8c-9d0e-f1a2b3c4d5e6: [ENCRYPTED FRAGMENT 3/5]
b8c3d4e5-f6a7-5b9d-0e1f-a2b3c4d5e6f7: [ENCRYPTED FRAGMENT 1/5]
```
No way to tell what these are or what they’re for.
Your credentials only become complete when you actually need them:
- Request — You ask for a specific GUID with authentication
- Gather — System collects encrypted fragments
- Assemble — Fragments combined into complete credential
- Deliver — Encrypted for transport to your application
- Erase — All temporary data wiped from memory
The complete credential exists only briefly in a secure container. It never gets stored in unencrypted form.
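The fragment layer and the request/gather/assemble/deliver/erase cycle above, as an added illustration in Go that is not part of the Svalinn project's code: the credential is sealed with AES-256-GCM (the name bound as associated data, never written to the store), the ciphertext is split into fragments filed under random opaque IDs, and reassembly fails if any fragment was altered. Assumptions: the 32-byte key is taken to be Argon2id output supplied by the caller, random hex IDs stand in for the vault's GUIDs, the `Index` map stands in for the encrypted name-to-GUID index, and the Kyber-1024 wrapping step is omitted because the Go standard library has no ML-KEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Fragment is one slice of a credential's ciphertext filed under a random ID; the store keeps only ID, "k/N" position and bytes, never the name.
type Fragment struct{ Pos, Total int; Data []byte }
type Store map[string]Fragment // ID -> fragment: all an attacker can see
type Index map[string][]string // name -> ordered IDs (ASSUMPTION: kept encrypted in a real vault)
// newID stands in for the vault's random GUIDs (constructed helper).
func newID() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }
// aead builds AES-256-GCM; the 32-byte key is assumed to come from Argon2id.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts the credential and splits the ciphertext into n fragments under fresh IDs; the name is bound as AAD but never written to the store.
func Seal(st Store, idx Index, key []byte, name string, plain []byte, n int) ([]byte, error) {
	if n < 1 { return nil, errors.New("n must be >= 1") }
	g, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := g.Seal(nil, nonce, plain, []byte(name))
	for i := 0; i < n; i++ {
		lo, hi := i*len(ct)/n, (i+1)*len(ct)/n // even split, never out of range
		id := newID()
		st[id] = Fragment{i + 1, n, append([]byte(nil), ct[lo:hi]...)}
		idx[name] = append(idx[name], id)
	}
	return nonce, nil
}
// Open gathers and reassembles the fragments, then decrypts; GCM's tag check rejects any altered fragment. Callers must Zero the result when done.
func Open(st Store, idx Index, key, nonce []byte, name string) ([]byte, error) {
	ids, ok := idx[name]
	if !ok { return nil, errors.New("unknown credential") }
	var ct []byte
	for _, id := range ids { ct = append(ct, st[id].Data...) }
	g, err := aead(key)
	if err != nil { return nil, err }
	return g.Open(nil, nonce, ct, []byte(name))
}
// Zero wipes the reassembled credential from memory (the Erase step).
func Zero(b []byte) { for i := range b { b[i] = 0 } }
```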
- IPv6 only — All IPv4 connections blocked
- WireGuard VPN — Traffic encrypted through AirVPN
- Honeypot services — Fake ports catch attackers early
- Stripped headers — No version leaks or fingerprinting
- Multi-factor authentication — Password plus TOTP code
- Anti-AI CAPTCHA — Stops automated attacks
- Variable login delays — Blocks brute-force guessing
- Time-locked windows — Limit when access is allowed
- Automatic lockout — Failed attempts trigger protection
When locked, your vault files become completely inaccessible:
```bash
# File permissions when locked
chmod 000 /vault/data/*      # No read, write, or execute
chmod 000 /run/svalinn.sock  # Socket inaccessible
```

Additional protection:

- Chroot jail containment
- SELinux type enforcement
- Memory obfuscation

We don’t just hope the security works. We prove it mathematically.
| Tool | What It Proves |
|---|---|
| Coq | Theorems about encryption properties and state transitions |
| Z3 | SMT proofs for cryptographic parameter correctness |
| Echidna | Property-based fuzzing for invariant violations |
These proofs run automatically on every code change.
| Algorithm | Standard | Purpose |
|---|---|---|
| Kyber-1024 | NIST ML-KEM (Level 5) | Post-quantum key encapsulation |
| Dilithium5 | NIST ML-DSA (Level 5) | Post-quantum digital signatures |
| Ed448 | RFC 8032 | Classical digital signatures |
| AES-256-GCM | NIST SP 800-38D | Authenticated encryption |
| BLAKE3 | Uniform output | Hashing and key derivation |
| Argon2id | RFC 9106 | Password-based key derivation |
| SHAKE3-256 | NIST FIPS 202 | Extendable output function |
The vault uses memory-safe languages throughout:
- ATS (Applied Type System) — Core vault logic with dependent types
- Zig — Low-level cryptographic bindings
- Idris2 — IPv6 packet handling with proofs
- Guile Scheme — Configuration and data format
- Nickel — Runtime configuration with type checking
No C code in security-critical paths. No memory corruption vulnerabilities.
```text
┌────────────────────────────────────────────────────────────────┐
│ HOST SYSTEM (Fedora CoreOS)                                    │
│ SELinux Enforcing │ IPv4 DROP │ IPv6 Only │ WireGuard          │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│ ┌─────────────────────────────────────────────────────────┐    │
│ │ DELIVERY CONTAINER (Assembly)                           │    │
│ │                                                         │    │
│ │ • Assembles credentials from fragments                  │    │
│ │ • Resolves GUIDs to actual names                        │    │
│ │ • Encrypts for transport                                │    │
│ │ • Zeroes memory after delivery                          │    │
│ │                                                         │    │
│ └──────────────────────────┬──────────────────────────────┘    │
│                            │ API Socket Only                   │
│ ┌──────────────────────────┴──────────────────────────────┐    │
│ │ DATA CONTAINER (Chroot Jail)                            │    │
│ │ chmod 000 when locked                                   │    │
│ │                                                         │    │
│ │ ┌──────────────────────────────────────────────────┐    │    │
│ │ │ VAULT CORE (ATS)                                 │    │    │
│ │ │ Kyber-1024 │ Dilithium5 │ AES-256 │ BLAKE3       │    │    │
│ │ └──────────────────────────────────────────────────┘    │    │
│ │                                                         │    │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────┐            │    │
│ │ │ CUBS       │ │ XTDB       │ │ Dragonfly  │            │    │
│ │ │ (Storage)  │ │ (Search)   │ │ (Cache)    │            │    │
│ │ └────────────┘ └────────────┘ └────────────┘            │    │
│ │                                                         │    │
│ │ ALL DATA: Encrypted GUID fragments, names redacted      │    │
│ └─────────────────────────────────────────────────────────┘    │
│                                                                │
│ ┌─────────────────────────────────────────────────────────┐    │
│ │ IPv4 HONEYPOT LAYER                                     │    │
│ │ Ports: 22, 23, 80, 443, 3306, 3389, 5432                │    │
│ └─────────────────────────────────────────────────────────┘    │
└────────────────────────────────────────────────────────────────┘
```

Svalinn Vault is in alpha development. The core architecture is solid, but:
- Not all credential types are implemented yet
- TUI is in early development
- Some edge cases may not be handled
- Security audit pending funding
Do not use for critical production credentials without additional safeguards.
See ROADMAP.adoc for the path to v1.0.0.
Do not open public GitHub issues for security problems.
Email: security@hyperpolymath.example
See SECURITY.adoc for our disclosure policy and bug bounty information.
Building security software takes time and expertise. We’d love to offer proper bug bounties and pursue formal certification, but that requires funding we don’t currently have.
Every contribution helps us move toward a more secure release.
See SECURITY.adoc for our honest take on the funding situation and what we can currently offer security researchers.
PMPL-1.0-or-later
This ensures derivative works remain open source. Commercial licensing may be available — contact maintainers.
The Palimpsest License overlay encourages thoughtful extension of this work.
Svalinn — From Norse mythology, the shield that protects the world from the sun’s heat.
Your credentials deserve protection that lasts.