User Guide

A secure, offline-first encrypted vault for passwords, files and private notes.

OneCritto stores all your sensitive data locally inside an encrypted vault. Encryption uses AES-256-GCM with a master key derived via Argon2id. No cloud, no telemetry.

1. Vault Management

Your encrypted workspace lives in a single .onecritto file.

Create a New Vault

Create a new encrypted vault and choose a strong master password. The encryption key is derived locally using Argon2id.

Linux users: when creating a new vault, make sure the file name ends with .onecritto (e.g. myvault.onecritto). On Linux the extension is not appended automatically. Without it, the file picker filter will not show the vault when you try to open it.

Open an Existing Vault

Open an existing .onecritto file. Only entry metadata (titles, credentials, SSH connections) is decrypted into memory. Encrypted files remain as blobs on disk and are decrypted on demand when you open or export them.

Saving

Password entries are saved to the vault when you click Save. Files are encrypted and stored as soon as you add them with Add.

Backup

The vault is a single file. Copy it and store it wherever you like.

2. Secure Fields

Sensitive data is never stored in standard UI components.

Masked & Revealed Modes

Toggle visibility at any time. Copy works even when text is masked.

Memory & Clipboard Safety

Secure buffers are wiped on lock or field change. Clipboard content is automatically cleared after 20 seconds.

3. Encrypted Files

Store and manage files securely inside the vault.

Add File

Files are encrypted immediately when added to the vault.

Open File

Files are decrypted into a secure temp area (~/.onecritto/temp/) and removed automatically when the application starts or exits. Furthermore, files are securely wiped from disk when you click the Clean temp button (eraser icon, bottom-right of the Files tab).

Export File

Export files when you need manual control. Exported files are not encrypted. Make sure to delete them securely when no longer needed.

Manual Temp Folder Cleanup

The Clean temp button (eraser icon, bottom-right of the Files tab) lets you wipe the temp folder at any time. All temporary files are overwritten with random data before deletion (secure wipe). A confirmation message is shown when complete.

Tip: use this after viewing sensitive files, so they don't remain in clear-text on disk longer than necessary.

Note: files currently open by other applications may not be deleted. Close them first and retry.

Temp File Counter

A Files: N label next to the Clean temp button shows how many clear-text files are currently in the temp folder. The counter updates automatically when you open a file, make an SSH connection or wipe the folder. When it reads Files: 0, no decrypted file remains on disk.

4. Secure Notes

Encrypted notes stored securely inside the vault.

Notes are stored as regular vault entries with the Note category. Each entry has a dedicated Notes field (multi-line, encrypted) that supports long content. The global search filters across notes as well. No plain text is ever written to disk.

5. Passwords & Credentials

Securely manage credentials and logins.

Entry Fields

Each entry contains: Title (required), URL, Username, Password, Notes and Category (Password / Note / Other). A real-time strength bar is shown while typing the password. Creation date and last-password-change date are tracked automatically.

Protected Fields

Username, password and notes fields use secure char[] memory buffers — never Java String. Buffers are wiped on lock or field change.

Password Generator

Generate strong passwords and copy them securely into fields. Two modes:

  • Strong — configurable length (8–40), character sets (upper, lower, digits, symbols), option to avoid ambiguous characters (0/O, 1/l/I).
  • Mnemonic — pronounceable syllable-based passwords (4–12 syllables), with optional digits and symbols.

Both modes display a real-time strength score powered by the same Sentinel engine.

Search & Categories

A global search field filters entries instantly by title, username, category and notes. Three built-in categories: Password, Note, Other.

Context Menu — Quick Copy

Right-click any row in the password table to copy the Password or Username to the system clipboard. A 20-second countdown appears in the top-left corner, changing colour as time runs out (cyan > 10 s, orange ≤ 10 s, red ≤ 5 s). When the timer expires the clipboard is cleared automatically. The copy uses the same secure char[] pattern as SecureTextField.

6. Sentinel — Vault Health Monitor

Introduced in version 2.2.0, Sentinel is the built-in security engine that continuously analyzes the health of your vault.

Health Badge

After opening your vault, a health badge appears in the toolbar showing a score from 0 to 100. The color reflects your vault's security level — from green (excellent) to red (critical action needed).

Sentinel Dashboard

Click the badge to open the full dashboard. It displays the overall health score, a colored progress bar, and six summary counters: Critical, Weak, Fair, Good, Strong, and Duplicates.

Password Scoring

Each password is evaluated on a 0–100 scale based on entropy, length, character variety, and common password detection. Leet-speak variants (e.g. p@$$w0rd), keyboard patterns, repetitions, and duplicates are penalized.

Rotation Plan

A prioritized table lists entries that need attention — from common or critically weak passwords to duplicates and passwords older than 90 days. Each row shows the entry title and the reason for rotation.

Strength Column

The password table includes a Strength column with a colored progress bar — giving you an instant visual overview. Empty password entries are shown as “Empty” and excluded from analysis.

Password Coach

Select an entry and open the Password Coach for personalised tips sorted by severity:

  • Critical — common password, duplicate, found in breaches, no password set.
  • Warning — keyboard pattern, repetitions, low entropy, password older than 365 days.
  • Info — password age > 90 days, offline crack-time estimate, improvement suggestions.
  • OK — no issues detected.

The coach also shows the numeric score, a coloured strength bar and an estimated crack time.
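As an added illustration (not Sentinel's own code, whose wordlists and weights the guide does not publish), the following Python scorer applies the criteria listed under Password Scoring and in the Password Coach severities: leet-speak normalisation against a common-password list, naive entropy from length and character variety, keyboard-pattern and repetition checks, and duplicate detection across the vault. The lists, thresholds and penalty weights are assumptions.

```python
import math
import re

# Constructed stand-ins for Sentinel's real lists (assumption: the guide does not show them).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans("@$0!3", "asoie")  # p@$$w0rd -> password

def normalise(pw):
    """Undo common leet-speak substitutions so variants hit the common-password list."""
    return pw.lower().translate(LEET)

def charset_size(pw):
    """Alphabet size implied by the character classes actually present."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    return sum(n for pat, n in classes if re.search(pat, pw))

def entropy_bits(pw):
    """Naive entropy: length x log2(alphabet); length and variety both feed in."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def has_keyboard_pattern(pw, run=4):
    """True if `run` adjacent keys of one row occur forwards or backwards (qwer, 4321)."""
    low = pw.lower()
    return any(row[i:i + run] in low or row[i:i + run][::-1] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - run + 1))

def has_repetition(pw):
    """Same character three times running, or a chunk of 2+ characters repeated back to back."""
    return bool(re.search(r"(.)\1\1", pw) or re.search(r"(..+?)\1", pw))

def score_password(pw, vault_passwords=()):
    """Return (score 0-100, reasons) for one entry; penalty weights are assumptions."""
    if not pw:
        return 0, ["no password set"]
    if normalise(pw) in COMMON_PASSWORDS:
        return 5, ["common password"]
    bits = entropy_bits(pw)
    score = min(100, int(bits * 100 / 80))  # assumption: 80 bits of entropy scores 100
    checks = ((has_keyboard_pattern(pw), 25, "keyboard pattern"),
              (has_repetition(pw), 20, "repetitions"),
              (len(pw) < 8, 20, "too short"),
              (bits < 40, 15, "low entropy"),
              (list(vault_passwords).count(pw) > 1, 30, "duplicate"))
    reasons = [text for hit, _, text in checks if hit]
    score -= sum(penalty for hit, penalty, _ in checks if hit)
    return max(0, score), reasons
```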

Real-Time Updates

Sentinel automatically re-analyzes your vault whenever you open, add, edit, or delete entries. The password generator uses the same scoring engine for full consistency.

7. Breach Control — Breached Password Scanner

Introduced in version 2.6.0, Breach Control checks your saved passwords against known data breaches — without ever sending them over the network.

How It Works

Breach Control queries the Have I Been Pwned database using the k-anonymity protocol. Only the first 5 characters of the SHA-1 hash are sent — your actual password never leaves your device.
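An added Python sketch of the k-anonymity exchange (not Breach Control's own code): the 5-character prefix is the only value handed to the network function, and the returned suffix list is matched locally. The sample response and its counts are constructed; the endpoint named in the comment is Have I Been Pwned's public range API.

```python
import hashlib

def range_query_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_response):
    """Parse a range response (one 'SUFFIX:COUNT' per line) locally and return
    the count for our suffix, or 0 when the hash is not listed."""
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """Full k-anonymity flow: fetch_range(prefix) performs the network call and
    receives only the prefix; the comparison happens on this side."""
    prefix, suffix = range_query_parts(password)
    return breach_count(suffix, fetch_range(prefix))

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# A real reply from https://api.pwnedpasswords.com/range/5BAA6 has hundreds of
# lines; the counts below are made up.
SAMPLE_RESPONSE = """\
0F83D4B0B26B98B7C0A1F6C4A5E2D3B1C7E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
9A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
"""

def fake_fetch(prefix):
    """Stand-in for the HTTPS request; checks that only 5 hex characters leave the app."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""
```

Caching the reply per prefix for the session, as the guide describes, is a plain dictionary keyed on the prefix in front of fetch_range.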

Full Vault Scan

Launch a scan of every entry in your vault with a single click. A progress bar tracks the operation in real time.

Clear Results

Each entry is marked with a colored icon: safe (no breach found), exposed (with the number of known breaches), or error (network issue). A summary at the end shows the overall status of your vault.

Session Cache

Results are cached during the current session to avoid repeated network requests when you re-scan.

8. SSH Connection Manager

Introduced in version 2.7.0, the SSH Connection Manager lets you save, organize and launch SSH sessions using private keys stored securely inside your encrypted vault.

Prerequisite

Before creating an SSH connection, add your private SSH key (e.g. id_rsa, id_ed25519 or a .pem file) as an encrypted file in the vault via File → Add.

Create a Connection

Open the SSH tab and click Add. Fill in: Connection name, Host, Port (default 22), Username, and select the SSH Key from the drop-down (lists keys already stored in the vault). A live preview shows the SSH command that will be executed. Click Save.

Edit or Delete

Double-click a row or use the Edit button to modify a connection. Use Delete to remove it (with confirmation).

Connect

Select a connection and click Connect. OneCritto automatically: decrypts the private key into a protected temporary file, sets restrictive file permissions (required by SSH), opens your system terminal with the full SSH command, and starts the session. The terminal launches ready to use.

Security

The private key is decrypted only at connection time into ~/.onecritto/temp/. The temporary file is overwritten with random data and deleted when OneCritto starts or closes, or when the Clean temp button is pressed (secure delete). The key is never stored in plaintext permanently. SSH connections are saved inside the .onecritto vault, protected by the same AES-256-GCM encryption and Argon2id key derivation.
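The following added Python example (not OneCritto's code) models the temp-file handling described under Encrypted Files and in the SSH Security paragraph above: a decrypted key written with owner-only permissions at creation, the random-overwrite wipe behind Clean temp that skips files another application still holds open, and the count behind the Files: N label. The ~/.onecritto/temp location is taken from the guide; everything else is an assumption.

```python
import os
import tempfile

# Assumed location, as named in the guide; the app's real file layout is not shown.
TEMP_DIR = os.path.expanduser("~/.onecritto/temp")

def write_protected_temp(directory, name, data):
    """Write decrypted bytes as an owner-only (0600) file, permissions set at creation."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    path = os.path.join(directory, name)
    # O_EXCL refuses a pre-existing path; the mode bits are ignored on Windows (ACL needed).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def secure_wipe(path):
    """Overwrite with random bytes, flush, unlink; False if the file is busy/unremovable."""
    try:
        with open(path, "r+b") as f:
            f.write(os.urandom(os.path.getsize(path)))
            f.flush()
            os.fsync(f.fileno())
        os.unlink(path)
        return True
    except OSError:  # e.g. still open in another application, as the guide's note says
        return False

def wipe_temp_dir(directory=TEMP_DIR):
    """Clean temp: wipe every regular file (symlinks skipped). Returns (wiped, skipped)."""
    wiped = skipped = 0
    if os.path.isdir(directory):
        for entry in os.scandir(directory):
            if entry.is_file(follow_symlinks=False):
                if secure_wipe(entry.path):
                    wiped += 1
                else:
                    skipped += 1
    return wiped, skipped

def clear_text_file_count(directory=TEMP_DIR):
    """The number behind the 'Files: N' label: regular files left in the folder."""
    if not os.path.isdir(directory):
        return 0
    return sum(1 for e in os.scandir(directory) if e.is_file(follow_symlinks=False))

def demo():
    """Round trip in a throwaway directory: (files before, wipe result, files after)."""
    d = tempfile.mkdtemp()
    write_protected_temp(d, "id_ed25519", b"constructed private key bytes")
    return clear_text_file_count(d), wipe_temp_dir(d), clear_text_file_count(d)
```

Overwrite-based wiping is best effort on SSDs and on journaling or copy-on-write filesystems, where old blocks can survive; full-disk encryption is the reliable backstop.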

9. CSV Import

Import passwords directly from CSV files exported by all major password managers.

Automatic Recognition & Smart Matching

OneCritto recognizes CSV exports from 10 platforms: Chrome / Edge, Firefox, Safari, Bitwarden, KeePass, LastPass, 1Password, Dashlane, NordPass and Proton Pass. Fields are mapped automatically with high confidence.

For unknown formats, a 3-level algorithm identifies columns via synonym matching, Jaro-Winkler similarity and heuristic value analysis (URLs, emails, high-entropy strings).

Preview & Control

A two-panel preview shows the proposed column mapping with confidence indicators and the list of entries ready for import. Every column can be reassigned manually; each entry can be included or excluded individually. The preview updates in real time.

How to Use

  1. Export passwords from your current manager in CSV format.
  2. Click Import in the OneCritto toolbar.
  3. Select the file — the source is detected automatically.
  4. Verify the mapping and choose which entries to import.
  5. Click Import — done.

The CSV is processed entirely on your device. After import, Sentinel evaluates every new password and updates the Vault Health Score. Imported entries are encrypted with AES-256-GCM / Argon2id like all others.

10. Security Model

Core security principles.

Encryption

  • AES-256-GCM with random 12-byte IV per operation
  • Argon2id key derivation (64 MB RAM, 3 iterations, 1 thread)
  • Per-record IV and salt
  • Authenticated encryption
  • HMAC-SHA256 integrity check (anti-tampering)
  • Backward-compatible: V3 vaults (PBKDF2) are read and automatically upgraded to V4 on save

Local Only

  • No cloud sync
  • No telemetry

Runtime Protection

  • Sensitive data stored in char[] buffers, never String — wiped with zeroes when no longer needed
  • Automatic clipboard wipe after 20 seconds
  • Temp files overwritten with random data before deletion (secure wipe)
  • File permissions: owner-only (chmod 600 on Linux/macOS, ACL on Windows NTFS)

Automatic Session Lock

Auto-lock after 3 minutes of inactivity with a visible countdown (colour changes from white → orange → red in the final seconds). Use Ctrl + L to lock manually from any screen. Master keys are cleared from RAM during lock.