VaultLock is a comprehensive demonstration of operating-system-level data protection, advanced cryptographic security, and secure real-time communication. This system ensures that sensitive files are encrypted, stored securely, and completely scrubbed upon deletion. Data is processed in memory in a zero-knowledge fashion, so plaintext never touches the disk.
The project has evolved from Phase 1 (Encryption only) to a fully-featured secure workspace encompassing Secure File Drive, an End-to-End Chat system, and a robust Password / Secrets Vault.
```mermaid
flowchart TD
    Client[Client App / Next.js] -->|HTTP / WS| Router[Express API Router]
    subgraph Backend_Process[Node.js Backend Process]
        Router --> Auth{JWT Auth}
        Auth -->|Valid| WSS[WebSocket Chat Server]
        Auth -->|Valid| Vault[Key Vault Controller]
        Auth -->|Valid| Guard[FileGuard Scanner]
        Guard -->|Magic Bytes OK| Crypto[AES-256-CBC In-Memory]
        Crypto -->|Encrypted Output| Storage[(OS File System <br> 0600 Isolation)]
        Vault --> DB[(SQLite Database)]
        WSS -.-> DB
    end
    style Client fill:#2563eb,stroke:#fff,color:#fff
    style Crypto fill:#9333ea,stroke:#fff,color:#fff
    style Storage fill:#dc2626,stroke:#fff,color:#fff
    style DB fill:#16a34a,stroke:#fff,color:#fff
```
- AES-256-CBC Encryption: In-memory streaming encryption utilizing Node's built-in `crypto` APIs.
- Zero-Knowledge Architecture: Plaintext is never written to disk. The server never persists your keys; decryption keys are single-use or handled client-side/via memory.
- Data Integrity: SHA-256 digesting to guarantee files haven't been tampered with or corrupted on disk.
- Secure File Deletion: 3-pass overwrite mechanism (Random → Zero → Random) with hardware `fsync()` flushing before OS unlinking, protecting against basic data recovery.
- Magic-Byte Defense: Multi-tier file validation mechanism that identifies internal structure, completely blocking arbitrary executables (PE, ELF, Mach-O) even if extensions are spoofed.
- OS-Level Isolation: Hardened file access. Encrypted files are stored on disk with `0600` permissions inside per-user `0700` directories.
- WebSocket E2EE-Ready Chat: Private real-time messaging verified via JSON Web Tokens middleware.
- Personal Key Vault: Secure repository within the SQLite Database holding AES-256 encrypted labels, tokens, or plaintext credentials.
- Centralized Audit Logging: A chronological `audit.log` (JSON-lines) records authentication lifecycles, unauthorized access attempts, and encryptions/decryptions.
- Rate Limiting: Defends global API boundaries and throttles heavy cryptographic procedures (IP-based limits).
- Backend: Node.js, Express, `node:sqlite` (synchronous built-in db), `jsonwebtoken`, WebSockets (`ws`).
- Frontend V1: Vanilla HTML, CSS, JS workspace.
- Frontend V2 (Next.js): Modern responsive React frontend built with Next.js, Framer Motion, and TailwindCSS (in `frontend-next/`).
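
The Magic-Byte Defense bullet above describes rejecting executables by content rather than by file name. The sketch below is an added example, not VaultLock's own code: the `inspectUpload` name, the `ALLOWED_TYPES` allowlist and the three-tier order are assumptions chosen for illustration, and `filename` is assumed to be a bare file name.

```javascript
'use strict';

// Leading-byte signatures of the executable formats named above.
const EXECUTABLE_MAGICS = [
  { format: 'PE', bytes: [0x4d, 0x5a] },                 // "MZ" DOS/PE stub
  { format: 'ELF', bytes: [0x7f, 0x45, 0x4c, 0x46] },    // "\x7fELF"
  { format: 'Mach-O', bytes: [0xfe, 0xed, 0xfa, 0xce] }, // 32-bit
  { format: 'Mach-O', bytes: [0xfe, 0xed, 0xfa, 0xcf] }, // 64-bit
  { format: 'Mach-O', bytes: [0xce, 0xfa, 0xed, 0xfe] }, // 32-bit, byte-swapped
  { format: 'Mach-O', bytes: [0xcf, 0xfa, 0xed, 0xfe] }, // 64-bit, byte-swapped
  // Universal (fat) binary; Java class files share this magic and are
  // rejected as well, which is acceptable for an upload filter.
  { format: 'Mach-O', bytes: [0xca, 0xfe, 0xba, 0xbe] },
];

// Hypothetical allowlist: extension -> signature the content must start with.
const ALLOWED_TYPES = {
  '.png': [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  '.jpg': [0xff, 0xd8, 0xff],
  '.pdf': [0x25, 0x50, 0x44, 0x46, 0x2d],                // "%PDF-"
};

const startsWith = (buf, bytes) =>
  buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b);

// Returns { ok, reason } for an uploaded file's name and leading bytes.
function inspectUpload(filename, buf) {
  // Tier 1: executable content is rejected whatever the file is called.
  const exe = EXECUTABLE_MAGICS.find((m) => startsWith(buf, m.bytes));
  if (exe) return { ok: false, reason: `executable content (${exe.format})` };

  // Tier 2: the declared extension must be on the allowlist.
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot).toLowerCase() : '';
  const expected = ALLOWED_TYPES[ext];
  if (!expected) return { ok: false, reason: `extension ${ext || '(none)'} not allowed` };

  // Tier 3: the content must actually be what the extension claims.
  if (!startsWith(buf, expected)) {
    return { ok: false, reason: `content does not match ${ext}` };
  }
  return { ok: true, reason: 'accepted' };
}
```

Only the first eight bytes of the upload are needed, so the check can run on the first chunk before any encryption work is done.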
| Principle | Implementation in VaultLock |
|---|---|
| Secure I/O | Direct memory processing of streams before storage. |
| Process Isolation | API isolated in a Node process using JWT authorization. |
| Memory Protection | Keys and payload live temporarily in RAM; garbage collected post-request. |
| File System Security | 0600 mapping strictly limits file descriptor visibility to the server owner. |
| Least Privilege | Unauthorised reads are blocked at route-middleware, before touching IO layers. |
- Node.js v20+ or v22/v25 (Requires `node:sqlite` feature).
- NPM or PNPM
- Clone & Setup Environment

  ```bash
  git clone <repo_url>
  cd os_project/backend
  cp .env.example .env
  ```

- Start Backend Server

  ```bash
  cd backend
  npm install
  npm start
  ```

- Start Frontend (Next.js)

  ```bash
  cd frontend-next
  npm install
  npm run dev
  ```

(Alternatively, for testing Phase 1/V1, you can run a Python HTTP Server in the frontend/ directory).
- `POST /auth/register`: Create a secure context user
- `POST /auth/login`: Issue JWT bearer tokens
- `POST /encrypt`: Encrypt inbound `multipart/form-data` and retain in drive.
- `POST /decrypt`: Return original bytes of a provided `.enc` object.
- `POST /secure-delete`: Overwrite and unlink encrypted blobs from the system.
- `WS /`: WebSocket upgrade point.

- End-to-End Encryption (E2EE): Pushing AES-GCM encryption completely to the browser/client in `frontend-next`.
- Chunking for Large Files: Replacing bounded buffers with generic Streams for >500MB capabilities.
- Hardware Key Modules: FIDO2 proxy routing.
VaultLock is an ongoing demonstration of theoretical OS design scaled into a practical Node.js environment.