Security

Security overview

Design philosophy

Fortiva is a zero-knowledge, local-first password manager for Windows. Credentials are encrypted in a vault.fva file on disk you control. There is no cloud sync, no telemetry, and no always-on background service. The optional Fortiva Autofill browser extension talks only to your local Fortiva app - never to the internet.

Cryptography & vault format

Windows Hello

Windows Hello unlock uses a DPAPI- or TPM-wrapped key protector - never your master password on disk. The master password remains the recovery root. Hello verification is gated before protector use.

Browser bridge (Fortiva Autofill)

The Chrome and Edge extension uses manual Fill only - credentials are never injected on page load. When Fortiva is running and unlocked, the extension prefers loopback HTTP on 127.0.0.1:7847 with token authentication. If HTTP is unavailable, it falls back to a one-shot native messaging host that exits after each request.

Runtime protections

Updates

Fortiva checks GitHub Releases for updates over HTTPS - on launch (at most once every 24 hours) and when you choose Settings → Check for updates. The installer SHA-256 hash from latest.personal.json is verified before launch; vault data in %AppData%\Fortiva\ is preserved across silent upgrades. You can disable automatic checks in Settings → Updates. Integrity does not depend on Authenticode code signing for Personal builds.

Installers are not Authenticode-signed yet. Windows SmartScreen may warn on first run - verify the SHA-256 on GitHub Releases, then choose More info → Run anyway if you trust the match.

Explicit non-goals

Fortiva does not provide cloud sync, telemetry, or always-on background services. Protection against kernel-level malware or live memory scraping of an unlocked vault is out of scope. Passkeys / WebAuthn are not implemented - do not expect passkey support.

Residual risks

Downloads

Installers are published via GitHub Releases. Verify publisher and SHA-256 checksums before installing. Full technical documentation is available in the Fortiva repository.

Security contact file

Our machine-readable security contact is published at /.well-known/security.txt per RFC 9116.

Responsible disclosure

If you discover a security vulnerability in Fortiva or this website, please report it responsibly. Preferred channel: GitHub Security Advisories. You may also email info@icmclab.cloud. Include steps to reproduce and impact assessment. We aim to acknowledge reports within 5 business days.

Please do not test against production systems without prior written authorization.