NovaBash
Security

How your keys are protected, and what they are not

Six things,
no hand-waving.

NovaBash holds the keys your projects run on, so it owes you a straight answer about how that works. Here is what protects them, where the limits are, and where to send a security report.

/01

Encrypted in your browser, not on our server

Every key is encrypted with AES-256-GCM using the Web Crypto API, with a key derived from your passphrase via PBKDF2 (310,000 iterations). There is no NovaBash server, so there is nothing of yours sitting on our side to breach.

/02

The passphrase never leaves the page

Your passphrase is never stored and never transmitted. The derived key lives in memory for the session and is gone when you lock or close the tab. There is no reset link, because there is no us to reset it. If you forget the passphrase, your 24-word recovery phrase is the way back in. Lose both and the vault is unrecoverable, which is the point.

/03

The vault stays on your device

The encrypted vault lives in this browser via IndexedDB. Export it as a single encrypted file whenever you want a backup or a move to another machine. Clearing this site's data erases the local copy, and browsers treat IndexedDB as storage they may evict on their own when disk space runs low, so keep an export somewhere safe.

/04

A tamper-evident local audit log

Every change appends an entry to a hash-chained log inside the vault. Each entry's hash covers its own content and the hash of the entry before it, so altering or removing an earlier entry changes every hash after it and the chain no longer links up. Hit verify and it tells you whether the chain still holds. It is local, like everything else, and the check is only as strong as the hash you compare it against: anyone who can unlock the vault could edit an entry and recompute the chain, so if you want verify to catch that too, note the latest hash somewhere outside the vault.

/05

The honest part: it is a browser vault

The real risk for any client-side vault is cross-site scripting: script that runs in this page while the vault is unlocked can read whatever the vault has decrypted. We ship a strict Content-Security-Policy, set no cookies, run no analytics, and load no third-party scripts to shrink that surface. That does not cover what the browser itself lets in: an extension with access to the page, or malware on the machine, sees what you see. It is a strong convenience vault, not a hardware security module. A local command-line mode that keeps the vault out of the browser entirely is on the roadmap.
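"Strict Content-Security-Policy" is doing a lot of work in that paragraph, so here is what strict means for a page like this. The block below is an added example, not NovaBash's actual policy: a policy suited to a single-origin vault that never talks to a server, next to a loose one of the kind most sites ship, and a small checker for the directives that decide whether injected script can run or send data out. The two policies, the host `cdn.example.com` and the wording of the findings are constructed.

```javascript
// Added example, not NovaBash's actual policy: a strict CSP for a single-origin,
// no-network browser vault beside a loose one, plus a checker for the
// directives that decide whether injected script can run or exfiltrate.
// Both policies and the host cdn.example.com are constructed for illustration.
const STRICT_CSP = [
  "default-src 'none'",        // deny everything not listed below
  "script-src 'self'",         // only scripts from this origin; no inline, no eval, no CDN
  "style-src 'self'",
  "img-src 'self'",
  "font-src 'self'",
  "connect-src 'none'",        // a vault with no server has nobody to talk to
  "object-src 'none'",         // no plugins; it would inherit default-src, but be explicit
  "base-uri 'none'",           // stops an injected <base> redirecting relative script URLs
  "form-action 'none'",        // an injected <form> cannot post secrets elsewhere
  "frame-ancestors 'none'",    // no clickjacking; this one does NOT inherit from default-src
].join("; ");

const LOOSE_CSP =
  "default-src 'self' https:; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'";

// "directive src src; directive src" -> Map(directive -> [src, ...]), lower-cased
function parseCsp(policy) {
  const csp = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) csp.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return csp;
}

// Fetch directives (script-src, connect-src, object-src, ...) fall back to
// default-src when absent; base-uri and frame-ancestors do not.
function cspFindings(policy) {
  const csp = parseCsp(policy);
  const findings = [];
  const fallback = (d) => csp.get(d) || csp.get("default-src");
  if (!csp.has("default-src")) findings.push("default-src missing: unlisted directives allow everything");
  for (const d of ["script-src", "style-src", "connect-src", "object-src"]) {
    const sources = fallback(d);
    if (!sources) continue; // already reported via the missing default-src
    for (const s of sources) {
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'") findings.push(`${d} allows ${s}`);
      else if (s === "*" || s.startsWith("http") || s.includes("*"))
        findings.push(`${d} allows remote or wildcard source ${s}`);
    }
    if (d === "object-src" && !sources.includes("'none'")) findings.push("object-src is not 'none'");
  }
  for (const d of ["base-uri", "frame-ancestors"]) {
    if (!csp.has(d)) findings.push(`${d} missing: it does not inherit from default-src`);
  }
  return findings;
}
```

Run against `LOOSE_CSP` the checker reports eight problems, starting with `script-src allows 'unsafe-inline'`, which on its own is enough for a reflected XSS payload to run and read an unlocked vault; `STRICT_CSP` produces none. The checker is deliberately narrow (it does not handle nonces, hashes or `strict-dynamic`), but it covers the directives that matter for a page whose whole threat model is "script that should not be here".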

/06

Disclosure is direct

Found a security issue? Open an issue on github.com/aperintel/novabash, or email enquiries@aperintel.com. Please include reproduction steps and never include real secrets or live keys. We acknowledge quickly and credit reporters when a fix ships.

report something

enquiries@aperintel.com

Or open an issue on the public repository. Include reproduction steps and leave real secrets out of the report. We acknowledge quickly and aim for a mitigation within a few working days for anything material.