Skip to Content
Secrets VaultMaster Password

Zero-Knowledge Protection

Your master password is the primary way to decrypt the secrets vault. localWiki never stores your password — not on disk, not in memory after lock, and not on any server. This is zero-knowledge architecture.

Recovery Phrase

During vault setup, localWiki generates a 12-word BIP-39 recovery phrase. This phrase is shown once and must be written down. It can be used to unlock your vault and reset your password if you ever get locked out.

After setup, you can manage your recovery phrase in Settings > Security:

  • Set up recovery phrase — generate a new phrase if you skipped setup or need a replacement.
  • Verify recovery phrase — confirm your written copy matches by typing it back in.

On the unlock screen, click “forgot password? recover with phrase” to enter recovery mode.

Write down your recovery phrase and store it somewhere physically secure. If you lose both your password and your recovery phrase, your vault cannot be recovered.

How Argon2id Works

When you set your master password, localWiki derives an encryption key using Argon2id, a memory-hard key derivation function designed to resist brute-force attacks:

Master Password + Random Salt
        |
        v
   Argon2id (19 MiB memory, 2 iterations, 1 lane)
        |
        v
   256-bit Encryption Key -> AES-256-GCM

These are OWASP-recommended minimum parameters for Argon2id. The configuration makes offline brute-force attacks impractical even if an attacker obtains your encrypted vault file.

Password Requirements

  • Minimum 8 characters.
  • You must confirm the password by typing it twice during setup.

Setting Your Master Password

The first time you open localWiki, the vault door prompts you to create a master password. After entering and confirming it, localWiki generates your recovery phrase and asks you to write it down before proceeding.

Changing Your Password

Go to Settings > Security > Vault password and click Change password. You will need to enter your current password, then the new one (minimum 8 characters), and confirm it. localWiki re-encrypts the vault with a new derived key.

Rate Limiting

If you enter the wrong password too many times, localWiki rate-limits unlock attempts. A countdown timer shows how long you need to wait before trying again.

Auto-Lock

The vault locks automatically after a period of inactivity. When auto-locked, the unlock screen shows an “auto-locked after inactivity” message. You can also lock manually at any time.

Encryption Summary

The Settings > Security > Encryption section displays the active cryptographic configuration:

ParameterValue
EncryptionAES-256-GCM
Key DerivationArgon2id
RecoveryBIP-39 (12 words)
Last updated on
Adding SecretsInstallation