Nothing is impossible for us
Linkedin Envelope

Stealth Safe

Table of Contents

What Stealth Safe Is

Stealth Safe is a security-focused app for storing personal data in encrypted vault files (“briefcases”) while keeping cryptographic control on the user’s side.

It is designed for people who want more than a password-protected notes app. Stealth Safe emphasizes:

  • strong cryptographic protection of vault files
  • user-controlled keys
  • local and cloud-folder storage flexibility
  • remote SFTP storage support
  • encrypted file attachments inside documents
  • direct sharing of decryption access (for supported vault formats) without a mandatory centralized access server

Core Security Principles

1. Your keys protect the vaults

The most important security boundary in Stealth Safe is not the app screen itself, but the cryptographic keys used to decrypt vault files.

This means:

  • encrypted vault files remain unreadable without the correct keys
  • possession of a device or a copied vault file does not automatically provide access to the contents
  • access to a vault depends on the matching security material, not only on a simple app login success/fail state

2. The PIN is for profile access and key management convenience

Stealth Safe uses a PIN code for convenient access to a security profile and day-to-day key management.

Important clarification:

  • the PIN is not a replacement for the vault’s cryptographic keys
  • knowing or guessing a PIN is not the same as possessing the required source keys for a specific vault

In practice, vault security is anchored in cryptographic key material. The PIN improves usability and access flow inside the app.

3. No mandatory centralized access-control service

Stealth Safe is built to avoid a required third-party server that distributes or enforces access permissions between users.

Why this matters:

  • fewer centralized trust dependencies
  • fewer places where access metadata can leak
  • no mandatory provider-side control point over who can decrypt your shared vaults

Stealth Safe supports sharing and collaboration without requiring a centralized service to hold the authority over your vault access.

Why This Is Different

Many products offer “sharing” by routing trust through a vendor-managed backend that controls permissions, membership, or key distribution.

Stealth Safe takes a different approach:

  • encrypted vault files can live in storage locations you choose
  • decryption access can be shared directly between users (for supported vault formats, such as SSBC2)
  • users retain control over where files are stored and who can decrypt them

This reduces reliance on a third-party service as a permanent security bottleneck.

Security Model in Real-World Scenarios

If someone gets access to your device storage

If an attacker gains access to the device file system (or copies your vault files), they still see encrypted containers.

Without the correct keys, they cannot reliably determine:

  • the actual contents of a vault
  • whether a vault contains anything useful to them
  • who can decrypt it

This is a meaningful difference from apps that store data in easily identifiable plaintext or weakly protected formats.

If someone pressures a user to unlock the app

Stealth Safe is designed around security profiles and key-based access, not a simple “one password reveals everything” model.

The critical point remains the same: access to a specific vault requires the matching key material. Visibility of some data on a device does not automatically prove access to all vaults or to any particular encrypted vault file.

How Sharing Works (Vault Access / SSBC2)

Stealth Safe supports collaborative access management for supported vaults (SSBC2).

With Vault Access, users can:

  • add members
  • manage roles (for example owner/editor, depending on the vault setup)
  • share decryption rights directly

Important: access rights are not file delivery

Sharing access in Stealth Safe does not magically move the vault file to another person’s device.

For another user to actually see and use a shared vault:

  1. The encrypted vault file must be placed in a folder both users can access.
  2. That folder can be iCloud Drive, Google Drive, OneDrive, or another shared directory available on the device.
  3. The receiving user must add the corresponding folder path in their Stealth Safe storage settings.

Only when both conditions are met:

  • the user has decryption access, and
  • the user can physically reach the encrypted file

the shared vault becomes usable in the app.

Storage Model

Stealth Safe is flexible about where encrypted vault files are stored.

Supported storage workflows include:

  • local device folders
  • iCloud folders
  • remote SFTP locations configured in app settings
  • other folders exposed to the device (including shared directories from supported providers)

Stealth Safe manages encryption, decryption access, and vault usage. It is not a hosted cloud storage provider and does not replace your file-sync/storage service.

Remote SFTP Storage

Stealth Safe can now connect directly to supported SFTP servers and treat them as storage locations for encrypted briefcases.

This allows users to:

  • keep encrypted briefcases on their own remote infrastructure
  • browse and open supported vault files discovered on configured remote paths
  • save updated briefcases back to the same remote location from inside the app
  • authenticate with either a password or an OpenSSH private key, depending on the server setup

This fits the same core philosophy as the rest of the app: Stealth Safe manages encryption and decryption workflows, while users stay in control of where the encrypted files physically live.

Encrypted File Attachments Inside Documents

Stealth Safe now supports encrypted file attachments as a first-class document field type.

Users can:

  • attach photos from the system photo library
  • attach files from the system file picker and compatible file providers
  • give each attachment a human-readable field label inside the document
  • preview supported image formats
  • share or export a decrypted copy only when needed

Why attachments are stored separately

Attachments are intentionally stored outside the main briefcase payload.

The briefcase keeps only the encrypted metadata/reference needed to locate the attachment, while the encrypted attachment content is stored next to the briefcase storage location.

This design helps:

  • keep briefcase files smaller
  • reduce unlock-time overhead after PIN entry
  • avoid forcing users to decrypt attachments unless they actually open or share them

Large-file handling

Attachment encryption is designed to process larger files in chunks instead of assuming everything fits comfortably into memory at once.

In practice, this means:

  • background processing for long-running attachment work
  • progress feedback during import, encryption, decryption, preview preparation, and sharing
  • better scalability for larger file-based secrets and records

Security Profile Backup and Recovery

Stealth Safe supports security profile export/import workflows, including QR-based transfer and backup scenarios.

This can be used to:

  • transfer your security profile to another device
  • keep a protected offline backup of the security profile (for recovery scenarios)
  • restore access to existing encrypted vault files after reinstalling or moving devices

Important security note

Profile export may include sensitive key material (including private keys, depending on the export format/workflow).

Best practices:

  • store exported profile data in a secure location
  • treat printed QR backups like highly sensitive secrets
  • do not share profile export data unless you intentionally want to transfer your own security profile

Safety Features in Access Management

To reduce the risk of accidental lockout in shared vaults, Stealth Safe includes protections in Vault Access management (SSBC2 workflows), such as:

  • preventing users from removing their own access in situations that would be dangerous
  • preventing removal of the last remaining owner of a vault

These safeguards are intended to reduce irreversible loss of decryption capability due to UI mistakes.

What You Can Use Stealth Safe For

Typical use cases include:

  • personal encrypted records
  • private notes and sensitive references
  • encrypted storage of supporting files such as scans, photos, PDFs, recovery documents, and key material
  • family-shared secure information
  • small-team shared vaults where users want direct control without a centralized permission server
  • self-hosted or organization-managed remote storage via SFTP

Quick Start

  1. Create your security profile and PIN.
  2. Create a new encrypted vault (briefcase).
  3. Choose where the vault file will be stored: local folder, iCloud, shared folder, or configured SFTP storage.
  4. Add your data to folders and documents inside the vault.
  5. (Optional) Add encrypted file attachments such as photos, PDFs, or other files directly inside a document.
  6. (Optional) For collaboration, use Vault Access (SSBC2) to share decryption access.
  7. Make sure collaborators also have access to the shared folder path or remote storage workflow you use.
  8. Export and securely store a backup of your security profile if needed.

Best Practices

  • Keep profile exports and private-key-related QR codes in a secure place.
  • Use shared folders only with people and storage providers you trust operationally.
  • Treat remote SFTP connector credentials and private keys as sensitive secrets.
  • Remember that file availability and decryption permission are separate requirements for collaboration.
  • Remember that encrypted attachments are decrypted on demand, so users should still protect exported decrypted copies after sharing.
  • Review vault membership and roles regularly in shared setups.
  • Protect the device itself (OS lock, updates, device encryption, backup hygiene).

Limitations and Responsibility Notes

Stealth Safe is designed to reduce central points of failure and improve user control, but no security tool can eliminate all risk.

Security still depends on:

– how safely users handle devices and backups

– whether private keys/profile exports are protected

– how shared folders and external storage providers are configured

– endpoint security on every participating device

FAQ

Does the PIN alone decrypt my vaults?

No. The PIN is used for convenient access to your security profile and key-management workflow. Vault decryption depends on the correct cryptographic keys.

Can I share a vault without using your server?

Yes. Stealth Safe is designed so users can share decryption access directly (for supported vault formats such as SSBC2) without a mandatory centralized access-control server.

If I share access, will the vault automatically appear on the other device?

Not by itself. The recipient also needs access to the encrypted vault file through a shared folder and must configure that folder path in Stealth Safe settings.

What if I lose the app but still have the encrypted files?

If you securely backed up your security profile (for example via the profile export workflow), you can restore the profile and regain access to the vaults encrypted with it.

Website Copy Snippets

Short Product Summary

Stealth Safe stores your data in encrypted vault files with user-controlled keys, encrypted file attachments, direct sharing of decryption access, remote SFTP storage support, and no mandatory centralized access-control server.

Security Positioning Summary

Stealth Safe separates file availability from decryption rights: even if someone gets the file, they still need the correct keys. The same principle applies to remote storage and file attachments: location and transport do not replace cryptographic access.

Polska, Poznań, 60­-369
REGON: 521961673           NIP: 7792539036
Email: info@ilterra.com    Web: ilterra.com

ACCOUNT: PL93 1020 4900 0000 8702 3450 7680
BENEFICIARY: ILTERRA ( YAUHEN PANIMATCHANKA )
BANK OF BENEFICIARY: PKO Bank Polski
Kod BIC PKO Banku Polskiego SA: BPKOPLPW