confide:vault — the THREE LOCKS for storing RED data
Operationalizes the defense-in-depth storage posture in
confide/docs/THREE-LOCKS.md: real (RED) transcripts rest behind three independent
locks, so compromising one does not expose a client. To read a real transcript an
attacker needs the device password AND the encrypted-store password AND the
age key — three separate secrets, ideally held in different places.
| Lock | What | Protects against |
|---|---|---|
| 1 — Device | FileVault full-disk encryption + strong login password + short auto-lock | a lost/stolen/USB-booted machine |
| 2 — Store | RED in a dedicated ENCRYPTED store (encrypted APFS volume / AES-256 .dmg), NOT in Documents and NEVER in iCloud/Dropbox | other apps, other users, silent cloud sync |
| 3 — Per-file | each RED file sops/age-encrypted at rest, age key stored SEPARATELY; processing in a no-network VM/container | files individually sealed; key not beside the data |
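An audit script for locks 2 and 3, added here as an example; it is not part of confide and the names `STORE_DIR`, `AGE_KEY_FILE`, `audit_store` and the list of cloud-sync path patterns are this example's own. It treats a file as sealed when its first line is an age binary header or age ASCII armor, or when it carries a top-level sops metadata block; it flags a store that lives under Documents or a synced folder; and it refuses an age identity that sits inside the store. Lock 1 is only reported, through the macOS `fdesetup status` command, when that command exists, so the file-level checks run on any POSIX host. The script cannot tell whether the volume under the store is actually encrypted, so that part of lock 2 still has to be confirmed by hand (on macOS, `diskutil apfs list` shows the encryption state).

```shell
#!/bin/sh
# Added audit script (not confide's code): checks a RED store against locks 2 and 3.
# Assumed layout: STORE_DIR holds the sealed RED files, AGE_KEY_FILE is the age
# identity. Both names, and the path patterns below, are this example's own.

# Lock 1 (device): report FileVault state on macOS; elsewhere say so and move on.
report_lock1() {
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status
  else
    echo "lock 1: fdesetup not found; FileVault check only applies on macOS"
  fi
}

# Lock 2 (store): the RED store must not live under ~/Documents or any
# cloud-synced folder. Returns 0 when the location is acceptable.
check_store_location() {
  case "$1" in
    */Documents|*/Documents/*|*"Mobile Documents"*|*/Dropbox|*/Dropbox/*|*/iCloud*|*/OneDrive*|*"Google Drive"*)
      return 1 ;;
  esac
  return 0
}

# Lock 3a (per-file): a sealed file is age output (binary header or ASCII armor
# on its first line) or a sops document with a top-level "sops" metadata block.
# Returns 0 when the file is sealed.
file_is_sealed() {
  if head -n 1 "$1" | grep -q -e 'age-encryption.org/v1' -e 'BEGIN AGE ENCRYPTED FILE'; then
    return 0
  fi
  if grep -q -e '^sops:' -e '"sops":' "$1"; then
    return 0
  fi
  return 1
}

# Print every regular file under the store that is NOT sealed; empty output = clean.
list_unsealed() {
  find "$1" -type f -print | while read -r f; do
    file_is_sealed "$f" || printf '%s\n' "$f"
  done
}

# Lock 3b (per-file): the age identity must not sit inside the store.
# Returns 0 when the key's directory is outside the store.
check_key_separate() {
  store=$(cd "$1" && pwd -P) || return 1
  keydir=$(cd "$(dirname "$2")" && pwd -P) || return 1
  case "$keydir" in
    "$store"|"$store"/*) return 1 ;;
  esac
  return 0
}

# Run all checks; exit status 0 only when locks 2 and 3 hold.
audit_store() {
  STORE_DIR="$1"; AGE_KEY_FILE="$2"; rc=0
  report_lock1
  if check_store_location "$STORE_DIR"; then echo "lock 2: store location OK"
  else echo "lock 2: FAIL, store is under Documents or a cloud-synced folder"; rc=1; fi
  unsealed=$(list_unsealed "$STORE_DIR")
  if [ -z "$unsealed" ]; then echo "lock 3: all files sealed"
  else echo "lock 3: FAIL, unsealed files:"; echo "$unsealed"; rc=1; fi
  if check_key_separate "$STORE_DIR" "$AGE_KEY_FILE"; then echo "lock 3: age key outside store OK"
  else echo "lock 3: FAIL, age key lives inside the store"; rc=1; fi
  return $rc
}

# Usage: sh check_vault.sh /path/to/RED-store /path/to/age/key.txt
if [ "$#" -ge 2 ]; then
  audit_store "$1" "$2"
fi
```

A non-zero exit from `audit_store` is the signal to act on: an unsealed file means a transcript is resting on only two locks, and a key inside the store collapses lock 3 into lock 2, since whoever opens the store also gets the key.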