A desktop security vault built on a strict offline-first threat model.
No cloud sync. No browser surface. No phone-home. Your secrets never leave the machine that needs them. Built for IT consultants, MSPs, small law firms and solo practitioners who can't outsource trust.
AES-256-GCM · Argon2id · Audited open source · Zero cloud, zero telemetry
Current release: v2.9.6 (2026-05-14). Free, no account, no subscription. See changelog on GitHub.
Built for professionals who can't outsource trust.
If a single leaked credential exposes your clients, your firm or your license to practice, a cloud-synced vault is a liability. OneCritto is engineered for the people who know it.
IT Consultants & MSPs
Client server credentials, SSH keys and API tokens in one encrypted file. Stop juggling .txt files and shared cloud notes. One breach across multiple customers ends a consultancy.
Small Law Firms
Attorney-client privilege starts with where credentials live. Cloud password managers create discoverable third-party records and BAA-style obligations you don't need.
Healthcare Practitioners
HIPAA-aligned local storage for portal logins and patient-system credentials. No third-party processor, no business associate agreement, no transmitted PHI.
Solopreneurs & Freelancers
One vault for every client's secrets, on the only device that needs them. No subscription. No vendor lock-in. No surprise price hike on renewal day.
What we explicitly do not trust.
Security isn't a feature list, it's a threat model. Here's ours, stated plainly.
Cloud vendor breach
LastPass 2022. Okta. Take your pick.
No server. No vendor. Nothing to breach remotely. The vault is a file on your disk.
Browser extension supply chain
No extension. No autofill injected into untrusted pages. The browser is treated as a hostile environment, not a trusted endpoint.
Mobile OS compromise
No mobile app. Your phone is not a trusted credential endpoint for client secrets, and we won't pretend otherwise.
Legal compulsion (subpoena, CLOUD Act)
Your vault is a local file on hardware you own. No third party can be served and silently hand it over.
Telemetry leakage
Zero outbound network calls in normal operation. Verifiable in the source. The only optional network call is Have I Been Pwned, via k-anonymity (only a 5-char hash prefix leaves the device).
Memory scraping
Master keys held in char[], wiped on lock. Auto-lock after 3 minutes of inactivity. Sensitive fields use a hardened SecureTextField.
Clipboard sniffing
Clipboard auto-cleared after 20 seconds. Reveal countdowns on every sensitive field.
Temp-file forensics
Decrypted attachments live in a protected temp folder and are secure-wiped (random overwrite) before deletion.
Designed for security. Built for performance.
OneCritto protects your most sensitive information with modern encryption and a focused desktop experience. Everything runs locally on your device.
AES-256-GCM + Argon2id
Every record encrypted with unique IV and salt. Master key derived via Argon2id. Authenticated encryption with HMAC-SHA256 integrity.
One Vault, Everything Protected
Passwords, files, notes and SSH connections in a single portable .onecritto file. Copy it, back it up, carry it anywhere.
Sentinel: Security Engine
Scores every password 0–100, flags weak, common and duplicate credentials, builds a prioritised rotation plan, and coaches you with per-entry tips sorted by severity. Includes a strong (8–40 chars) and mnemonic password generator.
Breach Control
Checks passwords against Have I Been Pwned via k-anonymity. Your passwords never leave the device.
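How the k-anonymity check named under Telemetry leakage and Breach Control keeps everything but a 5-character hash prefix on the device, as an added Python example (not OneCritto's own code). It assumes the public Pwned Passwords range format (SHA-1 of the password, response lines of SUFFIX:COUNT); FakeRangeServer and its password counts are constructed stand-ins so the block runs offline.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix that is sent, 35-char suffix that is kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus; 0 if absent or a padding row."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only value handed to the network layer
    return parse_range_body(body).get(suffix, 0)  # suffix is matched locally

class FakeRangeServer:
    """Constructed stand-in for the range endpoint; records every request it sees."""
    def __init__(self, breached: dict[str, int]):
        self.seen: list[str] = []
        self._rows: dict[str, list[str]] = {}
        for pw, n in breached.items():
            prefix, suffix = split_hash(pw)
            self._rows.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch(self, prefix: str) -> str:
        self.seen.append(prefix)
        padding = ["0" * 35 + ":0"]  # padded responses carry count-0 decoys
        return "\r\n".join(self._rows.get(prefix, []) + padding)

if __name__ == "__main__":
    server = FakeRangeServer({"password": 1000, "hunter2": 17})  # constructed counts
    for candidate in ("password", "hunter2", "v9!Lr#2qTz-constructed"):
        print(candidate, "->", breach_count(candidate, server.fetch))
    print("server saw only:", server.seen)
```

The same seen-prefix assertion works as a regression test against any real client: if a request ever carries more than five hex characters, the privacy claim no longer holds.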
Encrypted File Storage
Store any file inside the vault: IDs, certificates, private keys, contracts. Each file is encrypted with AES-256-GCM streaming, never fully loaded in RAM. Open, export or secure-wipe with one click.
100 % Offline, Zero Cloud
No sync, no telemetry. Clipboard auto-cleared after 20 s, session locks after 3 min.
SSH Connection Manager
Store encrypted SSH keys, configure connections and launch sessions with one click. Keys are securely wiped on exit.
CSV Import
Import from 10 managers (Chrome, Firefox, Bitwarden, KeePass, LastPass, 1Password, Dashlane, NordPass, Proton Pass, Safari) with smart field mapping.
CSV Export
Export selected entries to a UTF-8 CSV (name,url,username,password,note) via a checkbox picker. Round-trip compatible with the import flow.
Note: the file contains plain-text credentials; store it safely and delete it when no longer needed.
Secure Temp Cleanup
One-click wipe of decrypted temp files. Every file is overwritten with random data before deletion (secure wipe).
Compatibility
Windows 11 and Linux. 64-bit CPU, 8 GB RAM, 200 MB free storage.
Free and open source.
OneCritto is completely free and open source. Every download is the full edition.
OneCritto is a hybrid hub: open source at its core, with paid products and services for enterprise needs. Open to new partnerships in software security.