
Vault

Vaults are encrypted containers for storing files that require protection. Any file can be vaulted, but Tier 1 (RESTRICTED) files are the primary use case. fialr selects a platform-native encryption backend by default — no additional install required on macOS, one command on Linux.

| Backend   | Install                             | Platforms    | Model                                              | Best for                                      |
|-----------|-------------------------------------|--------------|----------------------------------------------------|-----------------------------------------------|
| APFS      | None required                       | macOS only   | Encrypted sparse bundle (mountable)                | macOS users — zero install, iCloud-compatible |
| age       | brew install age or apt install age | macOS, Linux | Per-file encryption (directory of encrypted files) | Linux default — minimal, well-audited         |
| VeraCrypt | veracrypt.fr                        | macOS, Linux | Fixed-size encrypted volume (mountable)            | Portable containers, cross-platform volumes   |

When no --backend is specified, fialr selects the platform default:

| Platform | Default | Reason                                                         |
|----------|---------|----------------------------------------------------------------|
| macOS    | apfs    | Native encrypted sparse bundle, zero install, iCloud-compatible |
| Linux    | age     | One-command install, minimal, well-audited                     |

The create command varies by backend. On macOS, the default creates an APFS vault with no extra flags. On Linux, the default creates an age vault.

# macOS default — APFS encrypted sparse bundle
fialr vault create ~/secure-vault --size 1G
# Linux default — age per-file encryption (no --size needed)
fialr vault create ~/secure-vault --backend age
# Explicit backend selection
fialr vault create ~/vault.sparsebundle --backend apfs --size 1G
fialr vault create ~/vault-age --backend age
fialr vault create ~/vault.hc --backend veracrypt --size 1G

You will be prompted for a password interactively. Passwords are never accepted as command-line arguments.

The --size flag sets the maximum vault capacity. It is required for APFS and VeraCrypt (fixed-size containers) but ignored by age (which uses a directory and grows with its contents).


APFS and VeraCrypt vaults are mountable volumes. Opening makes the contents accessible at a temporary mount point. Closing dismounts and locks the volume.

# Open (mount) a vault
fialr vault open ~/vault.sparsebundle
# Check status
fialr vault status ~/vault.sparsebundle
# Close (dismount) when done
fialr vault close ~/vault.sparsebundle

Mount points are temporary directories with 0700 permissions. The mount path is displayed when the vault opens.

age vaults are directories of individually encrypted files. Opening an age vault is a no-op (the directory is always accessible). Individual files are decrypted on demand during archive and rehydrate operations.


All three backends support the same archive/rehydrate workflow. Files are copied into the vault with integrity verification — the original is not removed.

# Archive files into the vault
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf
fialr vault archive ~/secure-vault ~/Documents/passport-scan.pdf
# List vault contents
fialr vault list ~/secure-vault
# Restore a file by content hash
fialr vault rehydrate ~/secure-vault --hash a1b2c3d4...

Archive and rehydrate operations are logged to the SQLite audit ledger. File integrity is verified via BLAKE3 hash before and after every operation.
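The archive/rehydrate bookkeeping described above, as an added Python example that is not fialr's own code: it models only the hash-before/hash-after verification and the SQLite ledger row around each copy, leaving out the backend's encryption step. It uses the `blake3` package when installed and otherwise falls back to `hashlib.blake2b` (an assumption so it runs anywhere); the content-addressed file naming inside the vault and the `demo()` round trip are constructed for the example.

```python
import hashlib, os, shutil, sqlite3, tempfile, time
try:                      # real BLAKE3 when the `blake3` package is installed
    from blake3 import blake3 as new_hash
except ImportError:       # assumption: blake2b stands in so the example runs without it
    new_hash = hashlib.blake2b

def file_hash(path):      # stream the file through the hash; the vault addresses files by this digest
    h = new_hash()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def open_ledger(db_path): # SQLite audit ledger: one row per archive/rehydrate attempt, success or not
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS ledger (ts REAL, op TEXT, path TEXT, hash TEXT, ok INTEGER)")
    return con

def verified_copy(src, dst, op, ledger):
    before = file_hash(src)                        # hash before ...
    shutil.copyfile(src, dst)                      # ... copy (the source is left in place) ...
    ok = file_hash(dst) == before                  # ... hash after
    ledger.execute("INSERT INTO ledger VALUES (?,?,?,?,?)", (time.time(), op, src, before, int(ok)))
    ledger.commit()                                # the attempt is logged whether or not it passed
    if not ok:
        os.remove(dst)                             # never leave a corrupt copy behind
        raise IOError(f"{op}: integrity check failed for {src}")
    return before

def archive(vault_dir, src, ledger):               # file the copy under its own digest
    return verified_copy(src, os.path.join(vault_dir, file_hash(src)), "archive", ledger)

def rehydrate(vault_dir, digest, dest, ledger):    # restore by hash, as `rehydrate --hash` does
    stored = os.path.join(vault_dir, digest)
    if file_hash(stored) != digest:                # refuse a copy modified inside the vault
        raise IOError("stored copy is corrupt or was modified inside the vault")
    return verified_copy(stored, dest, "rehydrate", ledger)

def demo():                                        # constructed round trip in a temp dir
    root = tempfile.mkdtemp()
    vault = tempfile.mkdtemp(dir=root)             # mkdtemp creates it 0700, like a mount point
    src = os.path.join(root, "tax-return-2024.pdf")  # constructed sample file
    with open(src, "wb") as f:
        f.write(b"%PDF-1.4 constructed sample content\n" * 200)
    ledger = open_ledger(os.path.join(root, "ledger.db"))
    digest = archive(vault, src, ledger)
    restored = os.path.join(root, "restored.pdf")
    rehydrate(vault, digest, restored, ledger)
    rows = list(ledger.execute("SELECT op, ok FROM ledger ORDER BY rowid"))
    return {"digest": digest, "original_kept": os.path.exists(src),
            "restored_ok": file_hash(restored) == digest, "ledger": rows}
```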


The typical workflow for Tier 1 files:

  1. Scan and classify to identify Tier 1 files
  2. Create a vault for secure storage
  3. Archive files directly into the vault (integrity-verified)
  4. Rehydrate when you need to access them again
# Identify restricted files (scan includes classification)
fialr scan ~/Documents
# Create a vault (uses platform default backend)
fialr vault create ~/secure-vault --size 1G
# Archive Tier 1 files
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf
fialr vault archive ~/secure-vault ~/Documents/passport-scan.pdf
# Later — restore a file when needed
fialr vault rehydrate ~/secure-vault --hash a1b2c3d4...

VeraCrypt vaults support additional configuration not available to APFS or age backends.

fialr vault create ~/vault.hc \
  --backend veracrypt \
  --encryption serpent \
  --hash whirlpool \
  --pim 15 \
  --filesystem ext4 \
  --size 2G

Available encryption algorithms: aes (default), serpent, twofish, aes-twofish, aes-twofish-serpent.

Available KDF hashes: sha-512 (default), sha-256, whirlpool, blake2s-256, streebog.

The PIM (Personal Iterations Multiplier) increases key derivation iterations. Higher values are slower but more resistant to brute-force attacks.

Keyfiles add a second factor to vault access. A keyfile is a file whose contents serve as additional key material alongside the password. Keyfiles are VeraCrypt only — APFS vaults use disk passwords and age vaults use passphrases.

# Generate a keyfile (64-byte cryptographically random, 0600 permissions)
fialr vault generate-keyfile ~/keys/vault.key
# Create vault with keyfile
fialr vault create ~/vault.hc --backend veracrypt --keyfile ~/keys/vault.key --size 1G
# Open vault with keyfile
fialr vault open ~/vault.hc --keyfile ~/keys/vault.key

Store keyfiles on a separate device (USB drive, hardware token) for maximum security. Losing the keyfile means losing access to the vault.
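How the keyfile and password-handling properties on this page can be implemented, as an added Python example that is not fialr's own code: `generate_keyfile` creates the 64-byte, 0600 keyfile without ever overwriting an existing one, and `run_backend_with_password` hands the password to a backend on stdin rather than in argv. The backend used by `demo()` is a stand-in Python one-liner (an assumption); VeraCrypt itself is not invoked.

```python
import os, stat, subprocess, sys, tempfile

KEYFILE_BYTES = 64                 # the keyfile size the page describes

def generate_keyfile(path):
    """64 random bytes, created 0600 and never overwriting an existing keyfile."""
    # O_EXCL makes creation fail if the path exists, so a keyfile already in use is never clobbered;
    # the mode is applied at creation, so there is no window in which it is group/world readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, os.urandom(KEYFILE_BYTES))   # os.urandom draws from the OS CSPRNG
    finally:
        os.close(fd)
    os.chmod(path, 0o600)                         # belt and braces against a permissive umask
    return path

def check_keyfile(path):
    """What a vault open should verify before using a keyfile: exact size and owner-only mode."""
    st = os.stat(path)
    return st.st_size == KEYFILE_BYTES and stat.S_IMODE(st.st_mode) == 0o600

def run_backend_with_password(argv, password):
    """Feed the password on stdin so it never appears in argv or in process listings."""
    proc = subprocess.run(argv, input=password.encode() + b"\n",
                          capture_output=True, check=True)
    return proc.stdout.decode().strip()

def demo():
    """Constructed demo: make a keyfile, then call a stand-in backend with a password on stdin."""
    path = os.path.join(tempfile.mkdtemp(), "vault.key")
    generate_keyfile(path)
    with open(path, "rb") as f:
        first = f.read()
    try:
        generate_keyfile(path)                     # a second creation must refuse, not overwrite
        clobbered = True
    except FileExistsError:
        clobbered = False
    with open(path, "rb") as f:
        unchanged = f.read() == first
    # stand-in for the real backend (assumption): reads the password from stdin, reports its length
    backend = [sys.executable, "-c", "import sys; print(len(sys.stdin.readline().rstrip()))"]
    password = "correct horse battery staple"     # constructed sample password
    seen = int(run_backend_with_password(backend, password))
    return {"keyfile_ok": check_keyfile(path), "clobbered": clobbered, "unchanged": unchanged,
            "password_in_argv": password in " ".join(backend), "backend_saw": seen}
```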

VeraCrypt is the only backend that supports password changes through fialr. APFS password changes go through Disk Utility. age vaults must be re-encrypted with a new passphrase.

A VeraCrypt vault created on macOS can be opened on Linux (and vice versa) if the filesystem is exfat. This makes VeraCrypt the best choice for users who need to move encrypted archives between machines. VeraCrypt requires a manual download from veracrypt.fr.


  • Passwords are passed to encryption backends via stdin pipe, never as CLI arguments (not visible in process listings)
  • Mount points are created with 0700 permissions (owner-only access)
  • Keyfiles are created with 0600 permissions
  • File integrity is verified via BLAKE3 hash before and after archive/rehydrate operations
  • All vault containers use standard formats (APFS sparse bundle, age encrypted files, VeraCrypt volume) — no proprietary format