Understanding FileFortress Encryption Options
Choose the right encryption mode for your needs

What You'll Learn
  • How machine-specific encryption works
  • How custom password encryption works
  • Security tradeoffs between modes
  • Choosing the right mode for your use case
  • Best practices for each mode

Overview

FileFortress encrypts your local database to protect sensitive information like cloud storage credentials and file metadata. You can choose between two encryption modes: automatic (machine-specific) or custom password.

Encryption Modes

Mode 1: Automatic Encryption (Machine-Specific)

How It Works

Uses your operating system's built-in encryption APIs (DPAPI on Windows, Keychain on macOS, Secret Service on Linux) to encrypt the database. The encryption key is tied to your user account on that specific machine.

Pros

  • No password to remember
  • Automatic and transparent
  • Secure against file theft
  • Simple setup

Cons

  • Cannot access database from other devices
  • Lost if OS is reinstalled
  • Tied to specific user account

Setup

filefortress init

Mode 2: Custom Password

How It Works

Uses a password you provide to encrypt the database with AES-256. You must provide this password (or a key file containing it) with every command.

Pros

  • Access database from multiple devices
  • Portable across machines
  • You control the password
  • Can create key file for convenience

Cons

  • Must remember password
  • Must provide password with every command
  • Key file must be managed securely
  • Lost password = lost database

Setup

filefortress --password YourSecurePassword init --create-key-file ~/filefortress.key

Usage

# With password (the password appears in shell history and process listings)
filefortress --password YourSecurePassword remotes list

# With key file (recommended)
filefortress --key-file ~/filefortress.key remotes list

Decision Flowchart

  1. Will you use FileFortress on multiple devices?
       Yes → Use Custom Password mode
       No → Continue to next question
  2. Do you need maximum convenience?
       Yes → Use Automatic Encryption mode
       No → Use Custom Password mode for more control

Use Case Recommendations

Single Personal Device
Laptop or Desktop

Recommended: Automatic Encryption

Simple, secure, no password management needed.

Multiple Personal Devices
Laptop + Desktop

Recommended: Custom Password + Key File

Share database across devices with key file for convenience.

Server/Automation
Automated Scripts

Recommended: Custom Password + Key File

Key file enables automated scripts without interactive password entry.

Security Considerations

Automatic Encryption Security

What It Protects Against:

  • Database file theft (encrypted at rest)
  • Unauthorized access from other user accounts

What It Doesn't Protect Against:

  • Access by someone logged into your user account
  • Malware running as your user

Best Practices:

  • Use a strong OS login password
  • Enable full disk encryption
  • Lock your computer when away

Custom Password Security

Password Strength Requirements:

  • Minimum 12 characters recommended
  • Mix of uppercase, lowercase, numbers, symbols
  • Avoid common words or patterns
  • Use a password manager

Key File Security:

  • Store in home directory with restricted permissions
  • Never commit to version control
  • Back up securely (encrypted cloud storage)
  • Don't share via email or unencrypted channels
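
The permission and version-control rules above can be checked mechanically before a script relies on the key file. This is an added example, not part of FileFortress or its documentation; key_stat and audit_key_file are hypothetical helper names, and it assumes a POSIX shell with GNU or BSD stat.

```shell
# Added example: audit a FileFortress key file before scripts rely on it.
# key_stat and audit_key_file are hypothetical helpers, not FileFortress features.

# Print "<octal mode> <owner uid>" via GNU stat, falling back to BSD stat.
key_stat() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Return 0 if the key file passes every check, 1 otherwise.
audit_key_file() {
    key=$1
    rc=0

    # A symlink could point reads at a file someone else controls.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is missing, a symlink, or not a regular file"
        return 1
    fi

    set -- $(key_stat "$key")
    mode=$1
    owner=$2

    # Any group/other bit lets another account read the password.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access (want 600)"
        rc=1
    fi
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: owned by uid $owner, not the current user"
        rc=1
    fi

    # Inside a Git work tree the key file must never be tracked.
    dir=$(dirname "$key")
    base=$(basename "$key")
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
            echo "FAIL: $key is tracked by Git"
            rc=1
        elif ! git -C "$dir" check-ignore -q -- "$base" 2>/dev/null; then
            echo "WARN: $key is in a Git work tree but not ignored"
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key"
    return "$rc"
}
```

In an automated job, call `audit_key_file ~/filefortress.key || exit 1` before the first filefortress command so a key file with loosened permissions stops the run.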

Key File Management

Creating a Key File

# During init
filefortress --password YourPassword init --create-key-file ~/filefortress.key

# Or create manually (Linux/Mac; umask 077 keeps the file private from the moment it is created)
(umask 077; echo "YourPassword" > ~/filefortress.key)
chmod 600 ~/filefortress.key # Linux/Mac only

Using a Key File

filefortress --key-file ~/filefortress.key [command]

Backing Up Key Files

Option 1: Encrypted Cloud Storage

Store key file in encrypted cloud storage (e.g., encrypted folder in Dropbox, Google Drive with client-side encryption)

Option 2: Password Manager

Store the password itself in a password manager like 1Password, LastPass, or Bitwarden

Option 3: Multiple Secure Locations

Keep copies on multiple devices you control, each with restricted permissions

Migration Between Modes

Important Note

You cannot directly convert between encryption modes. You must reinitialize, which creates a new database.

From Automatic to Custom Password

  1. Export any important data or saved queries
  2. Note your connected remotes
  3. Reinitialize with password: filefortress --password NewPassword init --create-key-file ~/filefortress.key
  4. Reconnect remotes
  5. Rescan: filefortress --key-file ~/filefortress.key remotes scan --all

From Custom Password to Automatic

  1. Export any important data or saved queries
  2. Note your connected remotes
  3. Reinitialize: filefortress init
  4. Reconnect remotes
  5. Rescan: filefortress remotes scan --all

Recovery Procedures

Lost Password/Key File

No Recovery Possible

If you lose your password and don't have a key file backup, you cannot recover the database. You'll need to reinitialize.

Your cloud files are safe - only the local database is affected. You can reinitialize and rescan.

Corrupted Database

If your database becomes corrupted:

  1. Try filefortress device info to verify corruption
  2. If corrupted, reinitialize (keeps same encryption mode)
  3. Reconnect remotes
  4. Rescan to rebuild index

Best Practices Summary

Scenario                       | Recommended Mode                | Key Practices
Single device, personal use    | Automatic Encryption            | Strong OS password, full disk encryption
Multiple devices, personal use | Custom Password + Key File      | Strong password, backup key file securely
Server/automation              | Custom Password + Key File      | Restrict key file permissions, monitor access
Shared/team environment        | Individual accounts (Automatic) | Each user has own database and encryption

Related Resources

  • Multi-Device Setup: Set up FileFortress across multiple devices
  • init Command: Device initialization reference
  • Automation Guide: Automate with key files