User Guide

Welcome to OneCritto

A secure, offline-first encrypted vault for passwords, files and private notes.

OneCritto stores all your sensitive data locally inside an encrypted vault. Encryption uses AES-256-GCM with a master key derived via Argon2id. No cloud, no accounts, no telemetry.

Installation & Activation

Download the trial version and activate it using the built-in mini-installer.

Download

Download the Trial version from the official website. The same package is used for both trial and full licenses. No system installation is required.

Mini-Installer

At first launch, OneCritto starts a small activation wizard. You can activate either a Trial or a Full license by entering the onecritto-license.lic file you received during the online activation process.

License

Licenses are bound to your device via a Hardware-ID. No online validation is required after activation.

1. Vault Management

Your encrypted workspace is stored in a single .onecritto file.

Create a New Vault

Create a new encrypted vault and choose a strong master password. The encryption key is derived locally using Argon2id.

Open Existing Vault

Open an existing .onecritto file. All decryption happens only in memory.

Manual Saving

OneCritto does not use automatic saving. Changes are written to disk only when you explicitly save, giving you full control and preventing unintended writes.

Backup

The vault is a single file. You can copy and back it up anywhere you prefer.

2. Secure Fields

Sensitive data is never stored in standard UI components.

Masked & Revealed Modes

Toggle visibility at any time. Copy works even when text is masked.

Memory & Clipboard Safety

Secure buffers are wiped on lock or field change. Clipboard content is automatically cleared after 20 seconds.

3. Encrypted Files

Store and manage files securely inside the vault.

Add Files

Files are encrypted immediately when added to the vault.

Open Files

Files are decrypted into a secure temporary workspace and removed automatically on exit.

Export Files

Export files if you need manual control. Exported files are not encrypted.

4. Secure Notes

Encrypted notes with fast search.

Encrypted Editor

Notes support long content and in-vault search. No plaintext is ever written to disk.

5. Password Entries

Securely manage credentials and logins.

Secure Fields

Username and password fields use protected memory.

Password Generator

Generate strong passwords and copy them safely into the field.

Search & Categories

Organize entries and locate them instantly.

6. Sentinel — Vault Health Monitor

Introduced in version 2.2.0, Sentinel is the built-in security engine that continuously analyzes the health of your vault.

Health Badge

After opening your vault, a health badge appears in the toolbar showing a score from 0 to 100. The color reflects your vault's security level — from green (excellent) to red (critical action needed).

Sentinel Dashboard

Click the badge to open the full dashboard. It displays the overall health score, a colored progress bar, and six summary counters: Critical, Weak, Fair, Good, Strong, and Duplicates.

Password Scoring

Each password is evaluated on a 0–100 scale based on entropy, length, character variety, and common password detection. Leet-speak variants (e.g. p@$$w0rd), keyboard patterns, repetitions, and duplicates are penalized.
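
A minimal sketch of how the factors listed above can combine into one score, added here as an illustration; it is not OneCritto's Sentinel engine. The word list, penalty weights and the 128-bit ceiling are assumptions, and all sample data is constructed.

```python
import math
import re

# Constructed sample data; a real checker would load a large breached-password list.
COMMON = {"password", "qwerty", "letmein", "123456", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans("@4$5031!7", "aassoeiit")  # undo common substitutions

def normalize(pw):
    """Lower-case and reverse leet-speak so p@$$w0rd compares as password."""
    return pw.lower().translate(LEET)

def pool_size(pw):
    """Size of the character pool implied by the classes present."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^a-zA-Z\d]", 33))
    return sum(n for pat, n in classes if re.search(pat, pw))

def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False

def score_password(pw, others=()):
    """Return (score, reasons); score is 0-100, or None for an empty entry."""
    if not pw:
        return None, ["empty"]  # excluded from analysis
    if pw.lower() in COMMON or normalize(pw) in COMMON:
        return 0, ["common password"]
    bits = len(pw) * math.log2(pool_size(pw))  # naive entropy estimate
    score = min(100, round(bits / 128 * 100))  # assumption: 128 bits caps at 100
    reasons = []
    if has_keyboard_run(pw):
        score -= 30  # assumed penalty weight
        reasons.append("keyboard pattern")
    if re.search(r"(.)\1\1", pw):
        score -= 20  # assumed penalty weight
        reasons.append("repeated characters")
    if pw in others:
        score -= 30  # assumed penalty weight
        reasons.append("duplicate")
    return max(0, score), reasons
```

The `others` argument holds the passwords of the other entries in the vault, so a reused password is penalized even when it is strong on its own.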

Rotation Plan

A prioritized table lists entries that need attention — from common or critically weak passwords to duplicates and passwords older than 90 days. Each row shows the entry title and the reason for rotation.

Strength Column

The password table includes a Strength column with a colored progress bar — giving you an instant visual overview. Empty password entries are shown as "Empty" and excluded from analysis.

Real-Time Updates

Sentinel automatically re-analyzes your vault whenever you open, add, edit, or delete entries. The password generator uses the same scoring engine for full consistency.

7. Security Model

Core security principles.

Encryption

  • AES-256-GCM
  • Argon2id key derivation
  • Per-record IVs and salts
  • Authenticated encryption

Local-Only

  • No cloud sync
  • No accounts
  • No telemetry

Runtime Protections

  • Secure memory buffers
  • Clipboard auto-clear
  • Temporary file wiping

Automatic Session Lock

Locks after 3 minutes of inactivity. Use CTRL + L to lock manually.