This repository covers:
- the Windows desktop application
- the standalone CLI package
- the shared Python/Rust archive core
- Avikal client-side Aavrit integration
The Aavrit server implementation is a separate project and is not covered by this repository.
Security fixes target:
- the current default branch
- the latest published desktop release, if available
- the latest published CLI release, if available
Older snapshots may not receive backported fixes.
Protected .avk archives use:
- AES-256-GCM for authenticated encryption
- Argon2id for password and keyphrase hardening
- HKDF-based key separation
- native Rust-backed crypto for production paths
- strict container validation before deeper decode work
- path traversal defenses during extraction
- bounded decompression and payload streaming checks
Newer protected archives use a random payload data-encryption key wrapped through protected metadata. This allows supported rekey operations without rewriting the encrypted payload stream.
Avikal supports:
- password-only protection
- 21-word Hindi keyphrase protection
- password and keyphrase together
Passwords and keyphrases are not intentionally persisted. They still exist temporarily in UI/runtime memory while an operation is active. Avikal does not claim protection against a compromised endpoint, keylogger, debugger, or memory-scraping malware.
Optional PQC protection uses OpenSSL-backed primitives, including:
- ML-KEM-1024
- X25519
- ML-DSA-87
- SLH-DSA-SHA2-256s
External .avkkey files can optionally be protected by an additional keyfile password. Embedded PQC behavior remains separate.
Avikal supports TimeCapsule workflows through:
- drand for public time-based release
- Aavrit for signed authority-based release
TimeCapsule protection depends on network availability and the integrity of the selected release authority. Aavrit-backed workflows additionally depend on the correct operation and trustworthiness of the Aavrit deployment.
The desktop app uses:
- Electron renderer
- Electron IPC
- Electron main process
- Avikal core process over JSON-RPC/stdin-stdout
- shared Python orchestration and Rust native crypto
The desktop runtime does not rely on a local HTTP API for normal app communication.
Avikal does not claim protection against:
- malware or spyware on the same machine
- keyloggers
- memory scraping on a compromised host
- weak user passwords
- lost passwords, keyphrases, or
.avkkeyfiles - drand or Aavrit outages
- malicious use by the user
- information-theoretic secrecy
- formal steganographic indistinguishability of generated PGN
- Store
.avkkeyfiles separately from their matching.avkarchives. - Back up passwords, keyphrases, and keyfiles carefully.
- Keep system time reliable when using TimeCapsule.
- Treat decrypted preview files as temporary plaintext.
- Use the activity export only after confirming it contains no sensitive operational detail for your environment.
- Use
avikal doctorto verify CLI runtime readiness.
Please report suspected vulnerabilities privately before public disclosure.
Preferred process:
- Use GitHub private vulnerability reporting if enabled.
- If unavailable, contact the maintainer privately.
- Include:
- affected version, release, or commit
- operating system and architecture
- affected surface: desktop, CLI, archive core, TimeCapsule, Aavrit client, or packaging
- reproduction steps
- expected behavior
- actual behavior
- proof-of-concept material only when necessary
Do not open a public issue with exploit details before the maintainer has had a reasonable opportunity to reproduce and address the issue.
Reports are especially useful for:
- archive encryption and decryption
keychain.pgnparsing and protected metadata handling- payload streaming and chunk authentication
- payload key wrapping and rekey behavior
.avkkeygeneration, wrapping, and validation- TimeCapsule unlock routing and authority verification
- preview-session cleanup and filesystem boundaries
- Electron preload and IPC boundaries
- bundled OpenSSL PQC runtime integration