If you discover a security vulnerability within this project, please report it to us by opening a GitHub security advisory or emailing the maintainers.

Every cloudstic binary released via GitHub is signed using GitHub Attestations. This allows you to verify that the binary was built by GitHub Actions from a specific, auditable commit in this repository.

To verify a downloaded binary, ensure you have the GitHub CLI installed, then run:

gh attestation verify ./cloudstic --repo cloudstic/cli

The output will confirm if the binary is authentic and provide the specific git commit it was built from.

Cloudstic uses industry-standard encryption to protect your data:

• AES-256-GCM for data at rest.
• BIP39 for recovery key generation.
• Argon2id for password-based key derivation.

All encryption is performed locally on your machine. Your master encryption keys never leave your device.