Encryption

Last updated: December 5, 2025

What encryption covers

When you turn on encryption, VeloFill protects sensitive items in your browser profile with a master password:

  • Encrypted: Knowledge base name, content, and prompt; connection name, API key, API URL, default model, and provider ID.
  • Not encrypted: Internal IDs, timestamps, and temperature settings (kept plain for indexing and sorting).

Encryption protects data at rest inside your browser storage. If you lose the master password, the encrypted data cannot be recovered.

How it works

  • Algorithm: AES-256-GCM for confidentiality and integrity.
  • Key derivation: PBKDF2 with SHA-256, 100,000 iterations, and a per-user salt.
  • Session key caching: The derived key is cached in chrome.storage.session (cleared when the browser closes) so you don’t have to unlock every page load. Avoid installing untrusted extension content and keep your browser up to date.
  • Local-only: Encryption and decryption happen in the extension; the master password is never sent to VeloFill servers.

Enable encryption

  1. Open Options → Security & Encryption.
  2. Click Enable and set a master password (8+ characters).
  3. Confirm. VeloFill re-encrypts all knowledge bases and connections with the new key.
Security & Encryption settings showing the encryption status and enable option
Enable the vault from the Security & Encryption panel in Options.

NOTE:

  • Use a password you can remember; there is no recovery.
  • Export a backup.
Set master password dialog with fields for master password and confirmation
Choose and confirm your master password when enabling encryption.

Unlock and lock

  • If VeloFill is locked, the Options page shows an unlock prompt. Enter your master password to read or edit encrypted data.
  • Closing the browser clears the session cache; you’ll need to unlock again next session.
  • Re-opening Options after a password change or browser restart may require unlocking again.

Change the master password

  1. Export a backup first (Options → Import & Export) in case something goes wrong.
  2. Open Security & EncryptionChange Password.
  3. Enter the current password, then the new one twice.
  4. VeloFill re-encrypts all encrypted fields with the new key. Stay on the page until it finishes.

NOTE: Always do a backup by exporting your data.

Backups and imports while encrypted

  • Export files include decrypted knowledge bases and connections so you can restore them later. Store exports securely (disk encryption, password-protected archive, or delete after import).
  • When you import into an encrypted vault, VeloFill encrypts incoming data with your current key.
  • Import files from older versions may contain plain text; after import, the data is re-encrypted if encryption is enabled.

For recovery steps and error fixes, see Troubleshooting and Import and Export.