Security

Oak Keyring's security boundary starts with a locally encrypted vault. Sync storage sits outside the trust boundary of the vault key: the remote side is meant to hold ciphertext only, never the key or anything that recovers it.

Local vault ownership

The master password and the vault key are created, used and discarded on the local device; neither is sent to a remote service. The public preview should not be described as audited or production hardened, but its design goal is clear: plaintext secrets are never handed to a remote storage provider.

Encrypted sync boundary

Google Drive is transport and backup for encrypted sync data, nothing more. It is not a trusted party: it should not be able to read vault contents, recover the vault key, or derive the key from what it stores.

Recovery expectations

Recovery is part of the same security model. Restoring from synchronized data on a replacement device should require the same master password, and a lost device or a copy of the synced data should not hand control of the vault to whoever holds it.

Public limits

Oak Keyring does not currently claim a stable release, a public third-party audit, notarized binaries, or a complete public implementation review. Treat the preview as a design statement rather than a verified guarantee, and confirm the behaviour described here against the code before trusting it with production secrets.

Report vulnerabilities through GitHub Security Advisories or by emailing alphaqiu@gmail.com.