Vault
Vaults are encrypted containers for storing files that require protection. Any file can be vaulted, but Tier 1 (RESTRICTED) files are the primary use case. fialr selects a platform-native encryption backend by default — no additional install required on macOS, one command on Linux. Both backends are password-only and neither requires a third-party kernel extension.
Backends
| Backend | Install | Platforms | Model | Best for |
|---|---|---|---|---|
| APFS | None required | macOS only | Encrypted sparse bundle (mountable) | macOS users — zero install, iCloud-compatible |
| age | brew install age or apt install age | macOS, Linux | Per-file encryption (directory of encrypted files) | Linux default — minimal, well-audited; portable archives |
When no --backend is specified, fialr selects the platform default:
| Platform | Default | Reason |
|---|---|---|
| macOS | apfs | Native encrypted sparse bundle, zero install, iCloud-compatible, no third-party kernel extension |
| Linux | age | One-command install, minimal, well-audited |
Creating a vault
On macOS the default creates an APFS vault; on Linux the default creates an age vault.

```sh
# macOS default — APFS encrypted sparse bundle
fialr vault create ~/secure-vault --size 1G

# Linux default — age per-file encryption (no --size needed)
fialr vault create ~/secure-vault --backend age

# Explicit backend selection
fialr vault create ~/vault.sparsebundle --backend apfs --size 1G
fialr vault create ~/vault-age --backend age
```

You will be prompted for a password interactively. Passwords are never accepted as command-line arguments.
The --size flag sets the APFS container capacity. It is ignored by age, which uses a directory that grows with its contents.
Opening and closing
APFS vaults are mountable volumes. Opening makes the contents accessible at a temporary mount point; closing dismounts and locks the volume.

```sh
# Open (mount) a vault
fialr vault open ~/secure-vault

# Check status
fialr vault status ~/secure-vault

# Close (dismount) when done
fialr vault close ~/secure-vault
```

Mount points are temporary directories with 0700 permissions. The mount path is displayed when the vault opens.
age vaults are directories of individually encrypted files. Opening an age vault is a no-op (the directory is always accessible). Individual files are decrypted on demand during archive and rehydrate. The passphrase is delivered to age through a pseudo-terminal, so these operations run non-interactively without ever placing it on the command line.
Archiving and rehydrating
Both backends support the same archive/rehydrate workflow. Files are copied into the vault with integrity verification — the original is not removed.
Dry-run is the default. Without --execute, archive and rehydrate only report what would happen — no mount, no encryption, no writes. Add --execute to apply.
```sh
# Preview (dry-run, the default)
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf

# Archive for real
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf --execute

# List vault contents
fialr vault list ~/secure-vault

# Restore a file by content hash
fialr vault rehydrate ~/secure-vault a1b2c3d4... --dest ~/restored/ --execute
```

Archive and rehydrate operations are logged to the SQLite audit ledger. File integrity is verified via BLAKE3 hash before and after every operation.
For the age backend, the original filename is encrypted inside each {hash}.age blob, so a restored file comes back under its original name while the on-disk artifact name (the content hash) leaks nothing. vault list for an age vault therefore shows hashes only.
Workflow with Tier 1 files
The typical workflow for Tier 1 files:
- Scan and classify to identify Tier 1 files
- Create a vault for secure storage
- Archive files directly into the vault (integrity-verified)
- Rehydrate when you need to access them again
```sh
# Identify restricted files (scan includes classification)
fialr scan ~/Documents

# Create a vault (uses platform default backend)
fialr vault create ~/secure-vault --size 1G

# Archive Tier 1 files (preview first, then --execute)
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf --execute
fialr vault archive ~/secure-vault ~/Documents/passport-scan.pdf --execute

# Later — restore a file when needed
fialr vault rehydrate ~/secure-vault a1b2c3d4... --dest ~/restored/ --execute
```

Password and key management
Both backends are password-only; fialr does not use keyfiles or hardware tokens for the vault. Neither backend supports in-place password change through fialr: APFS password changes go through Disk Utility, and age vaults are re-encrypted with a new passphrase. Choose a strong password — vault encryption strength is delegated to the backend (APFS AES-256 / age).
Security considerations
- The password reaches the backend via stdin (APFS `-stdinpass`) or a pseudo-terminal (age `-p`) — never as a CLI argument visible in process listings
- Mount points are created with `0700` permissions (owner-only access); APFS attaches with `-nobrowse`
- File integrity is verified via BLAKE3 hash before and after archive/rehydrate operations
- All vault containers use standard formats (APFS sparse bundle, age encrypted files) — no proprietary format and no third-party kernel extension
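The pseudo-terminal passphrase delivery described under "Opening and closing" and in the first bullet above, as an added example that is not fialr's own code: the passphrase is written to the child's controlling TTY (what `age -p` reads from) rather than passed in argv, so a process listing never shows it. The child here is a constructed getpass-based stand-in for `age`, so the example runs without age installed; `run_with_tty_passphrase` and `fingerprint` are names chosen for this example.

```python
import hashlib
import os
import pty
import select
import sys

# Constructed stand-in for `age -p`: reads the passphrase from its controlling
# TTY via getpass and prints a fingerprint of it. The passphrase is not in argv.
DEMO_CHILD = [sys.executable, "-c",
              "import getpass, hashlib;"
              "p = getpass.getpass('Enter passphrase: ');"
              "print('fingerprint', hashlib.sha256(p.encode()).hexdigest()[:16])"]


def fingerprint(passphrase):
    """Same digest the stand-in child prints; used to confirm delivery."""
    return hashlib.sha256(passphrase.encode()).hexdigest()[:16]


def run_with_tty_passphrase(argv, passphrase, prompt=b"passphrase", timeout=10.0):
    """Spawn argv on a fresh pseudo-terminal, answer the first prompt that
    contains `prompt` by writing `passphrase` to the TTY, and return
    (exit_code, captured_output). argv never carries the passphrase."""
    pid, fd = pty.fork()                  # child gets the pty as controlling TTY
    if pid == 0:                          # child: exec the tool unchanged
        os.execvp(argv[0], argv)
        os._exit(127)
    buf, answered = b"", False
    while True:
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:
            os.kill(pid, 9)
            raise TimeoutError("no output from child before timeout")
        try:
            chunk = os.read(fd, 4096)
        except OSError:                   # Linux raises EIO once the child closes
            break
        if not chunk:                     # macOS reports EOF instead
            break
        buf += chunk
        if not answered and prompt in buf:
            os.write(fd, passphrase.encode() + b"\n")   # delivered via the TTY
            answered = True
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status), buf.decode(errors="replace")


if __name__ == "__main__":
    code, out = run_with_tty_passphrase(DEMO_CHILD, "correct horse battery staple")
    print(code, out.strip())
```

Because getpass turns off terminal echo before prompting, the captured output contains the fingerprint but not the passphrase itself.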
See also
- vault CLI reference — full command documentation
- Sensitivity Tiers — tier classification system
- Licensing — vault requires a license