Security
Security overview
Last updated: 4 July 2026
Design philosophy
Fortiva is a zero-knowledge, local-first password manager for Windows. Credentials are encrypted in a
vault.fva file on disk you control. There is no cloud sync, no telemetry, and no always-on
background service. The optional Fortiva Autofill browser extension talks only to your local Fortiva app -
never to the internet.
Cryptography & vault format
- Symmetric encryption: AES-256-GCM via Windows CNG
- Key derivation: Argon2id (Personal: 64 MB memory, 3 iterations, 4 lanes)
- Key hierarchy: Master password → Argon2id → Master Key (MK) → AES-GCM wraps Vault Key (VK) → entries and integrity log
- At rest: Vault key wrapped by MK; local metadata protected with DPAPI (
local.state) - Header integrity: MAC-protected header with monotonic revision counter for rollback detection
- Snapshots: Five rolling encrypted snapshots (
vault.fva.snapshot1…snapshot5) after each atomic save - Write protocol: Temp file → flush → atomic replace → snapshot rotation
Windows Hello
Windows Hello unlock uses a DPAPI- or TPM-wrapped key protector - never your master password on disk. The master password remains the recovery root. Hello verification is gated before protector use.
Browser bridge (Fortiva Autofill)
The Chrome and Edge extension uses manual Fill only - credentials are never injected on page load.
When Fortiva is running and unlocked, the extension prefers loopback HTTP on 127.0.0.1:7847
with token authentication. If HTTP is unavailable, it falls back to a one-shot native messaging host that
exits after each request.
- Locked vault returns
vault_lockedimmediately - no browser unlock - Registrable-domain match for listing; exact hostname required for password release
- Single-use fill nonce; tab re-validated when you click Fill
- Session tokens issued only when the request includes the extension
Originheader - Session token held in memory only while the vault is unlocked
- Native pipe validates client PID and path (
Fortiva.BrowserBridge.Host.exeunder install root)
Runtime protections
- Paranoia mode: Detects vault rollback via revision counter and DPAPI state; suspicious downgrade opens read-only until confirmed in Settings
- Panic lock: Instantly hides the window and scrubs in-memory secrets
- Auto-lock & clipboard: Configurable idle lock; clipboard auto-clear after copy
- Memory: Secure zeroing of cryptographic material on lock
- Security audit export: JSON and HTML reports contain findings only - never secrets
Updates
Fortiva checks GitHub Releases for updates over HTTPS - on launch (at most once every 24 hours)
and when you choose Settings → Check for updates. The installer SHA-256 hash from
latest.personal.json is verified before launch; vault data in %AppData%\Fortiva\
is preserved across silent upgrades. You can disable automatic checks in Settings → Updates.
Integrity does not depend on Authenticode code signing for Personal builds.
Installers are not Authenticode-signed yet. Windows SmartScreen may warn on first run - verify the SHA-256 on GitHub Releases, then choose More info → Run anyway if you trust the match.
Explicit non-goals
Fortiva does not provide cloud sync, telemetry, or always-on background services. Protection against kernel-level malware or live memory scraping of an unlocked vault is out of scope. Passkeys / WebAuthn are not implemented - do not expect passkey support.
Residual risks
- Local malware while unlocked: Same-user malware on an unlocked PC could attempt bridge fills - lock Fortiva when you step away.
- Memory while unlocked: Industry-standard password-manager ceiling; secrets exist in memory until lock.
Downloads
Installers are published via GitHub Releases. Verify publisher and SHA-256 checksums before installing. Full technical documentation is available in the Fortiva repository.
Security contact file
Our machine-readable security contact is published at /.well-known/security.txt per RFC 9116.
Responsible disclosure
If you discover a security vulnerability in Fortiva or this website, please report it responsibly. Preferred channel: GitHub Security Advisories. You may also email info@icmclab.cloud. Include steps to reproduce and impact assessment. We aim to acknowledge reports within 5 business days.
Please do not test against production systems without prior written authorization.