CLI Security & Credentials Manager

Security architecture of Aircada CLI, protecting session keys using localized AES-256-CBC platform-bound encryption.
Published: 7/10/2026

Credentials Vault Architecture

The Aircada CLI features a zero-leak credentials manager designed to protect API tokens and cloud session states without exposing raw keys on the host machine. All authenticated sessions are written exclusively to ~/.aircada/credentials.lock.

Platform-Bound Encryption

To prevent credential theft and file cloning attacks, session keys are cryptographically locked to the host machine:

1. Encryption Standard: Written using AES-256-CBC.

2. Machine-Derived Key generation: The symmetric decryption key is generated dynamically at runtime using crypto.scryptSync mixed with a custom salt (aircada-cli-salt-v1) and bound directly to OS platform, username, hostname, and CPU architecture.

3. Hardware Anti-Tampering: Even if the credentials.lock file is copied or leaked off-machine, it cannot be decrypted on any other computer.

4. Filesystem Permissions: The lock file is restricted immediately upon creation using localized filesystem attributes, enforcing read/write restrictions solely to the owner account (applying a chmod 600 equivalent policy).