Vortex Vault is an offline, client-side encrypted vault that stores an entire file system inside a single vortex.vault container — like a portable encrypted drive, but as one file.
Everything encrypts/decrypts locally in your browser using modern WebCrypto (AES-256-GCM). No accounts. No storage server. Just a vault you control.
Try it on almost any device: https://vortex.mglabs.dev (client loads there, vault decrypts locally)
Unlock your vault locally, manage files like in a file explorer. Rename or delete folders or files in your vault quickly and easily. View notes, images, videos, documents, and even audio all inside Vortex Vault. Vortex supports all common file types (from .zip to .wav). Pressing Save & log out downloads your encrypted vault and clears the active browser session.
A lot of encryption tools are strong, but the workflow often breaks down when you want all of these at the same time:
- strong encryption
- encrypted metadata (not just file contents)
- authenticated encryption that detects modification
- portable storage that works anywhere without installing an app
- the ability to keep backups wherever you want
- a clean, file-explorer style interface that doesn’t fight you
- a way to share files securely and easily around the world without uploading them to a server (requires an internet connection)
- we record absolutely zero logs or analytics about you or how you use Vortex Vault
- the vault works fully offline and disconnected from the rest of the world
- as long as your device has a modern web browser and ok hardware, the vault can be loaded from the html file.
Vortex Vault is built to hit that sweet spot: simple enough for daily use, but serious enough for journalists, researchers, engineers, and teams who want strong security without needing a complicated stack.
This is the safest and simplest way to use Vortex Vault.
- Download the VortexVault.html file from this repo, or load it from the official public link: https://vortex.mglabs.dev, or load it from your self-hosted source.
- Open the app:
- open the html file in a modern browser
- or visit the official public link to load it on almost any device anywhere
- Click New vault to make a new vortex.vault file or Open Vault to load an existing one.
- Use a strong password
- minimum 12 characters
- must include uppercase, lowercase, numbers, and symbols
- if the password is lost, the vault cannot be recovered.
- Add content:
- Add Content → Import files / Paste files or text / Make new folders / make new text notes
- or drag-and-drop into the file list
- When done, click Save & log out
- your encrypted vortex.vault file downloads
- the active session is cleared
To reopen later: Open vault → select your vortex.vault file → enter password.
A vortex.vault file isn’t just “encrypted files in a bundle.” It’s a structured container that holds:
- folders
- files (any binary format)
- encrypted text notes editable inside the vault
- previews for various media types
- an encrypted index that describes the whole vault
It behaves like a portable encrypted drive you carry as one file.
Some tools encrypt file contents but still leak file names, structure, and hints of what’s inside.
In Vortex Vault:
- the vault index (names, folder layout, types, timestamps, sizes) is encrypted
- records are encrypted individually
- tampering is detected automatically (AES-GCM integrity)
If someone steals your .vault, they don’t get filenames, folder structure, or clues about what’s inside.
Vortex Vault is designed to be safest offline, but it stays flexible:
- run locally from an HTML file on an offline machine
- run on an air-gapped device
- host it on a private intranet
- or use the official public endpoint at vortex.mglabs.dev to access the interface from anywhere
A .vault file is simply a file, so you can store it anywhere. On your local disk, USB drive, encrypted cloud storage, multiple publicly hosted backups, whatever you prefer.
- Investigative journalist crossing borders: A reporter keeps source identities, meeting notes, and draft stories inside a .vault file that’s mirrored across a couple of commodity VPS hosts. They travel with a “clean” device and pull the vault down from whatever computer they can access, then decrypt it in a browser using either the hosted client or a saved local HTML copy. If a laptop is searched or a server is scraped, the attacker gets a single opaque file: no filenames, no folder structure, no hints about which sources exist. For extra safety, the reporter keeps a harmless outer vault and a deeper vault with a separate passphrase for the most sensitive material.
- Safely documenting abuse or harassment: Someone quietly collecting evidence (photos, screenshots, audio notes, incident timelines) stores it in a .vault file that sits in ordinary cloud storage and a second copy on a removable drive. The key detail is metadata secrecy: even if the file is discovered, there’s nothing to preview, nothing to sort through, and nothing that reveals what’s inside or how it’s organized. They can later recover it from any device that has a modern browser, without depending on a specific app installation.
- Public-interest whistleblowing with staged disclosure: A whistleblower preserves emails, PDFs, and logs in a .vault file and shares only the encrypted blob (for example via a neutral file host), while distributing the passphrase through a separate channel. They use nested vaults to control blast radius: an outer vault contains non-identifying context suitable for initial legal review, while inner vaults contain originals and identifying details behind different passwords and stronger key-derivation settings. If any single key is compromised or coerced, deeper layers can still remain protected.
Vortex Vault includes Direct Share: a practical way to transfer a file directly between devices without uploading it to a storage service.
- Peer-to-peer transfer over WebRTC DataChannels
- No file hosting, no upload server, no storage backend
- Application-layer encryption in addition to WebRTC transport encryption
- Receiver can either:
- download the file to their device (if they open the share link without a vault loaded), or
- import directly into their vault (if they already have a vault open)
Direct Share is built to be as simple and usable as possible without any storage servers in between. To share a file, click the item you want to share and press "Direct Share"; a link is generated automatically. Send it to someone you know and trust through a secure platform. They open your link and send you the reply link generated by their Vortex Vault; when you click that reply link, the file transfer starts automatically, directly and securely between your browsers across the internet. No server holds, or even gets a glimpse of, your transferred file.
- AES-256-GCM encryption (WebCrypto)
- PBKDF2-SHA256 key derivation with a 1,000,000 iteration count
- Encrypted index + encrypted records
- Every record uses a fresh random 12-byte IV
- The index is encrypted separately with its own IV
- Integrity is built-in via AES-GCM authentication
- Folders + nested organization
- Breadcrumb navigation
- Search for any of your files easily inside any folder
- Drag-and-drop import
- Rename / delete
- Export any file back out
- Create encrypted text notes
- Edit in place
- Save updates without leaving the app
- Image viewer
- Video player
- PDF viewer
- Audio player
Vortex Vault isn’t only “encrypt the bytes.” When you import content, it can apply privacy-focused transformations that reduce tracking/correlation across systems.
Current strongest privacy handling is implemented for visual media:
- Images are decoded and re-encoded as PNG:
- strips metadata by design
- max dimension size of 4,000px by 4,000px to reduce extreme inputs
- output is normalized (.png)
- Videos may receive small randomized trailing padding (only when safe) to change file hashes without breaking playback
This is version 1.1. Over time, privacy transforms may expand to additional file types where it’s practical and safe (without corrupting the file), while keeping the core offline workflow intact.
If you want maximum portability across devices, you can use Vortex Vault like this:
- keep your vortex.vault file stored somewhere reachable (local drive, encrypted cloud storage, private server, etc.)
- on any device, open the official client at vortex.mglabs.dev
- download your vault file or select your .vault file
- unlock it locally (decryption happens on your device, not on a server)
This is a real advantage of the “vault is a file” model: it can be as portable as cloud apps while still staying client-side encrypted.
If you’re operating in high-risk situations, offline/local usage remains the recommended approach. If you want convenience and global access, the hosted client model is viable — just treat the client code as a security-critical dependency and verify you’re loading the official domain (vortex.mglabs.dev).
Direct Share is designed to be fast, link-based, and serverless for file data.
Direct Share uses WebRTC to establish a direct encrypted channel between two browsers. You share a link (the offer), the receiver opens it and generates a reply link (the answer), and the sender applies it to start the transfer.
Direct Share benefits from two layers of encryption:
- Transport encryption (WebRTC): WebRTC DataChannels are encrypted in transit by the protocol itself.
- Application-layer payload encryption (Vortex Vault): Vortex Vault additionally encrypts the transferred file bytes using:
- AES-256-GCM
- PBKDF2-SHA256 key derivation
- a one-time random salt + IV per transfer
- a mutual secret derived from both users’ one-time security codes
This means even if a transfer were somehow recorded at the transport level, the file payload is still encrypted as ciphertext.
- Unlock your vault
- Select a file
- Click Direct Share
- Send the generated link to the receiver
- The receiver opens the link and sends you back a reply link
- Click the reply link; it automatically opens your browser and forwards the information to your Vortex Vault tab. With good network conditions, the file should then send automatically.
- Open the sender’s link
- Vortex Vault generates a reply link automatically
- Send the reply link back to the sender
- When the transfer completes:
- if your vault is already loaded and unlocked and you have opened the Direct Share menu, you can paste a link sent to you, and the file imports into your vault when transferred.
- if your vault is not already loaded and unlocked, the file downloads to your device like any other file.
- Direct Share uses STUN to help peers connect (NAT traversal). This does not store your file on servers, but it can expose network metadata (like IP addresses) to the peer you’re connecting with, which is normal for P2P.
- Direct Share intentionally does not rely on TURN relays. This keeps the “no relay servers” posture, but very restrictive networks may fail to connect.
Vortex Vault is a pure client-side application:
- All cryptography happens locally using the browser’s WebCrypto API.
- Your vault file stays encrypted on disk.
- Decryption happens only when you unlock the vault.
- Decrypted bytes exist in memory only for active use (preview/export/share).
- When you add files to or remove files from your vault, click Save & log out to download a newly encrypted vortex.vault file and clear the session.
No server is required to use Vortex Vault; the html file can be stored and opened locally.
Vaults use a compact container format:
- Header with:
- magic bytes (AVLT)
- version
- PBKDF2 iteration count
- KDF salt
- encrypted index length
- index IV
- Encrypted index:
- JSON describing meta + items (names, timestamps, folder structure, record offsets)
- Encrypted records:
- each record is stored as [IV(12) || AES-GCM(ciphertext+tag)]
Each item in the index describes either:
- a folder (no record bytes), or
- a record-backed item (file/image/video/text)
Text notes are stored as encrypted records as well, but the editor can hold pending plaintext in memory until you save.
Older vaults (v1) from the prototype phase of Vortex Vault are supported for opening. When you Save & log out, v1 vaults are upgraded and re-saved as a v2 container automatically.
Vortex Vault uses PBKDF2 (SHA-256) to derive the encryption key from your password.
- Default vault KDF iteration count is 1,000,000 (designed to slow brute-force attempts).
- Password rules are enforced when creating a new vault:
- minimum length: 12
- must include: uppercase, lowercase, number, symbol
Recommendation: use a long passphrase you can type reliably. PBKDF2 helps, but password strength still matters.
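The record layout `[IV(12) || AES-GCM(ciphertext+tag)]` and the PBKDF2-SHA256 key derivation described above, shown as an added example that is not Vortex Vault's own code. The function names, the 16-byte salt length and the sample passphrase are assumptions made for illustration.

```javascript
// Added example (not Vortex Vault source). Runs in browsers and in Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const IV_LEN = 12;            // per-record IV length stated on this page
const ITERATIONS = 1_000_000; // PBKDF2 iteration count stated on this page

// PBKDF2-SHA256 -> non-extractable AES-256-GCM key.
async function deriveKey(password, salt, iterations = ITERATIONS) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Seal one record as [IV(12) || ciphertext+tag] with a fresh random IV.
async function sealRecord(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  const record = new Uint8Array(IV_LEN + ct.length);
  record.set(iv, 0);
  record.set(ct, IV_LEN);
  return record;
}

// Open a record; the promise rejects if any byte of IV, ciphertext or tag changed.
async function openRecord(key, record) {
  if (record.length < IV_LEN + 16) throw new Error("record too short");
  const iv = record.subarray(0, IV_LEN);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv }, key, record.subarray(IV_LEN));
  return new Uint8Array(pt);
}

// Constructed sample data: round trip, IV freshness and tamper detection.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // salt length is an assumption
  const key = await deriveKey("Constructed-Passphrase-42!", salt);
  const note = new TextEncoder().encode("meeting notes (constructed sample)");
  const a = await sealRecord(key, note);
  const b = await sealRecord(key, note);
  const roundTrip = new TextDecoder().decode(await openRecord(key, a));
  const ivsDiffer = a.subarray(0, IV_LEN).join() !== b.subarray(0, IV_LEN).join();
  const tampered = a.slice();
  tampered[tampered.length - 1] ^= 0x01; // flip one bit in the GCM tag
  const tamperDetected = await openRecord(key, tampered).then(() => false, () => true);
  return { roundTrip, ivsDiffer, tamperDetected, overhead: a.length - note.length };
}
```

Each record costs 28 bytes over its plaintext (12-byte IV plus the 16-byte GCM tag), and a single flipped bit anywhere in the record makes decryption fail rather than return altered data.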
Vortex Vault can store any file type as encrypted bytes.
- Images
- Videos
- PDFs
- Audio files
- Text notes (editable)
- Images: re-encoded to PNG, metadata stripped, size normalized
- Videos: attempts adding trailing padding when safe to alter hashes without breaking playback
- Other files: stored as-is (encrypted); no transformation is applied, to avoid risking corruption of your files. In future releases, we are considering hash changes or normalization for more file types.
Vortex Vault is built to protect against:
- unauthorized access to your vault file at rest
- exposure of file names, folder structure, timestamps, sizes
- tampering or silent modification of vault contents
- server-side compromise risks (because there is no server that holds your vault data)
In other words: if someone obtains your vortex.vault file, the design is intended to keep its contents and structure private unless the password is known.
- If an attacker can run malicious code on your device while your vault is unlocked, they can potentially access decrypted content.
- If you load the client from the public internet, your security depends on the integrity of what you loaded (use the official domain, or run it locally/offline).
- Direct Share is peer-to-peer: the peer you connect to can see your connection metadata (typical for P2P). We recommend using it to send files between people you know and trust.
- This project has not yet undergone an independent security audit.
Vortex Vault is optimized for being practical inside a browser tab, but browsers have finite memory.
Notable internal guardrails:
- Pending unsaved data is capped to prevent memory blowups on typical devices.
- Direct Share receiving has a hard memory cap (to prevent “RAM nukes”).
If you intend to handle large files (over 2GB), consider splitting them or testing on the target hardware/browser.
- Ctrl/Cmd + F — Search
- Ctrl/Cmd + I — Import files
- Ctrl/Cmd + N — New text note
- Ctrl/Cmd + S — Save & log out (downloads vault + clears session)
- Esc — Close modals
You need a modern browser with:
- WebCrypto (crypto.subtle)
- Blob / File APIs
- WebRTC (for Direct Share)
Recent Chrome / Edge / Firefox / Safari should work. If WebCrypto is unavailable, the app will warn you.
This project is open source under GNU AGPL v3.0. See LICENSE for details.
Contributions are welcome — especially in areas like:
- expanding safe privacy transformations for additional file types
- improving large-file (2GB+) handling
- UX improvements that preserve the “offline-first” posture
- security review and hardening
Please keep feedback constructive and focused on real user impact.
- If you’re proposing a change, include the reason (security, performance, correctness, UX).
- Avoid style-only refactors or subjective rewrites unless they clearly improve the software.
- For larger changes, open an issue first so we can collaborate before a PR.
If you want a vault that’s easy to carry, easy to back up, and hard to analyze or tamper with, Vortex Vault is built for that exact job.




