seal

AES-256-GCM credential manager with Qt6 GUI

🛡️ Features | 🚅 Quick Start | 📗 Documentation | 🤝 Contributing

An encryption and credential manager built with C++23 and powered by OpenSSL AES-256-GCM. It pairs a Qt6 interface, where credentials are stored encrypted and only decrypted on demand, with a streaming CLI that slots into pipes and scripts. seal can encrypt individual files, entire directories, or inline text, and fills credentials directly into applications or websites via its auto-fill controller. Under the hood, every secret sits in hardened memory - locked pages, guard pages, canary sentinels and the clipboard is scrubbed automatically if used.

Warning

seal is designed to protect sensitive information, but it is provided as is and used entirely at your own risk.
the author and contributors are not liable for security incidents or other damages arising from its use.

Important

Windows 10/11 Only - seal enforces Windows-specific security mitigations and will not build on other platforms.

• For best protection, enable SeLockMemoryPrivilege via Group Policy (gpedit.msc -> Local Policies -> User Rights Assignment -> Lock pages in memory).
• UI icons use Font Awesome Pro 7.2 SVGs, which are not included in this repository due to their commercial license. You must supply your own assets/svgs/ from a valid Font Awesome Pro subscription.

/*  ============================================================================================  *
 *                                                            ⠀⣠⡤⠀⢀⣀⣀⡀⠀⠀⠀⠀⣦⡀⠀⠀⠀⠀⠀⠀
 *                                                            ⠀⠘⠃⠈⢿⡏⠉⠉⠀⢀⣀⣰⣿⣿⡄⠀⠀⠀⠀⢀
 *           ::::::::  ::::::::::     :::     :::             ⠀⠀⠀⠀⠀⢹⠀⠀⠀⣸⣿⡿⠉⠿⣿⡆⠀⠰⠿⣿
 *          :+:    :+: :+:          :+: :+:   :+:             ⠀⠀⠀⠀⠀⢀⣠⠾⠿⠿⠿⠀⢰⣄⠘⢿⠀⠀⠀⠞
 *          +:+        +:+         +:+   +:+  +:+             ⢲⣶⣶⡂⠐⢉⣀⣤⣶⣶⡦⠀⠈⣿⣦⠈⠀⣾⡆⠀
 *          +#++:++#++ +#++:++#   +#++:++#++: +#+             ⠀⠀⠿⣿⡇⠀⠀⠀⠙⢿⣧⠀⠳⣿⣿⡀⠸⣿⣿⠀
 *                 +#+ +#+        +#+     +#+ +#+             ⠀⠀⠐⡟⠁⠀⠀⢀⣴⣿⠛⠓⠀⣉⣿⣿⢠⡈⢻⡇
 *          #+#    #+# #+#        #+#     #+# #+#             ⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⣆⠀⢹⣿⣿⣷⡀⠁⢸⡇
 *           ########  ########## ###     ### ##########      ⠀⠀⠀⠀⠀⠀⠘⠛⠛⠉⠀⠀⠈⠙⠛⠿⢿⣶⣼⠃
 *                                                            ⠀⠀⠀⢰⣧⣤⠤⠖⠂⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 *
 *                                  << P A S S   M A N A G E R >>
 *
 *  ============================================================================================  */

Features

Interface

seal ships with a Qt6 QML graphical manager and a streaming CLI for scripts and automation.

---
config:
  look: handDrawn
  theme: mc
  themeVariables:
    fontSize: 18px
  layout: elk
---
graph LR
    classDef gui fill:#134e3a,stroke:#10b981,color:#e2e8f0
    classDef cli fill:#1e3a5f,stroke:#3b82f6,color:#e2e8f0
    classDef core fill:#2e1f5e,stroke:#8b5cf6,color:#e2e8f0

    subgraph GUI["🖥️ Qt6 GUI"]
        Vault["🔐 Vault Manager"]:::gui
        AutoFill["⌨️ Auto-Fill"]:::gui
        QR["📷 Webcam QR"]:::gui
    end

    subgraph CLI["⚡ Command Line"]
        Stream["📡 Stream Mode"]:::cli
        Interactive["💬 Interactive"]:::cli
        Import["📥 Batch Import"]:::cli
    end

    subgraph Core["🛡️ Crypto Engine"]
        AES["🔑 AES-256-GCM"]:::core
        Memory["🧱 Hardened Memory"]:::core
        Clipboard["📋 Clipboard Scrub"]:::core
    end

    GUI --> Core
    CLI --> Core

Loading

Memory Protection

---
config:
  look: handDrawn
  theme: mc
  themeVariables:
    fontSize: 18px
  layout: elk
---
graph LR
    classDef lock fill:#7c2d12,stroke:#f97316,color:#fef3c7
    classDef guard fill:#4c1d95,stroke:#e879f9,color:#e2e8f0
    classDef wipe fill:#064e3b,stroke:#34d399,color:#e2e8f0
    classDef canary fill:#713f12,stroke:#facc15,color:#fef9c3

    V["🔒 VirtualLock"]:::lock
    G["🚧 Guard Pages"]:::guard
    S["🧹 SecureZeroMemory"]:::wipe
    C["🐤 0xD0 Canary"]:::canary

    V --- G --- S --- C

Loading

• 🔒 VirtualLock - Locks sensitive pages to prevent swapping to disk
• 🚧 Guard Pages - PAGE_NOACCESS regions flanking every allocation detect overflows
• 🧹 Secure Wiping - SecureZeroMemory scrubs data before deallocation
• 🐤 Canary Protection - 0xD0 sentinel at the tail of every buffer catches overruns
• 📋 Clipboard Scrubbing - Auto-wipes copied credentials after a configurable TTL
• 🔐 DPAPI In-Memory Encryption - Master password is wrapped with CryptProtectMemory while at rest
• 🔑 Scrypt KDF - Master password stretched with scrypt before AES key generation

Process Hardening

seal enables Windows security mitigations at startup:

• Prohibits dynamic code generation (ProcessDynamicCodePolicy)
• Requires signed images for loading (ProcessSignaturePolicy)
• Enables strict handle checks (ProcessStrictHandleCheckPolicy)
• Restricts image loading to System32 and known paths (ProcessImageLoadPolicy)
• Disables extension point DLLs such as AppInit and Winsock LSPs (ProcessExtensionPointDisablePolicy)
• Side-channel isolation - SMT branch-target isolation, security-domain isolation, page-combine disable, SSBD, core-sharing restriction
• Detects and blocks Remote Desktop sessions

Anti-Tamper

• 🛡️ Debugger Detection - Three-layer check terminates on detection
• 💥 Crash Dump Suppression - Windows Error Reporting disabled
• 🧱 Process Access DACL - Restrictive SDDL blocks external processes from reading memory
• 🔥 Heap Hardening - HeapEnableTerminationOnCorruption terminates the process immediately on heap corruption
• 🔑 SeLockMemoryPrivilege - Requested at startup to support large-page VirtualLock
• ⌨️ Keyboard Hook Detection - Timing-based heuristic detects keylogger hooks before auto-type

Vault System

Credentials are stored in .seal files using on-demand decryption - each record stays encrypted until the moment you need it.

Component	Description
Platform	AES-256-GCM encrypted, displayed as search index
Credential	username:password blob, decrypted only on access

Additional Capabilities

• 📷 Webcam QR - Scan master password from a QR code via the built-in webcam capture
• ⌨️ Auto-Fill - Type credentials directly into target application fields
• 📁 Batch Processing - Encrypt/decrypt entire directories recursively
• 📡 Stream Mode - Pipe-friendly stdin/stdout encryption for scripting

Technology Stack

Component	Technology
Language	C++20
GUI Framework	Qt6 (QML + Quick)
Cryptography	OpenSSL 3.x
Build System	CMake 3.20+
Package Manager	vcpkg
Testing	Google Test
Documentation	Doxide + MkDocs
QR Capture	OpenCV QRCodeDetector
Platform	Windows 10/11 (64-bit)

Quick Start

Prerequisites

• Windows 10/11 (64-bit)
• Visual Studio 2022 (MSVC v143, C++23)
• CMake 3.20+
• vcpkg with the toolchain at a known path
• Python 3 (for documentation post-processing)
• Font Awesome Pro 7.2 SVGs in assets/svgs/ (not included, requires license)
• doxide + mkdocs (optional, for API docs generation)

Building

# 1. Clone the repository
git clone https://github.com/lextpf/seal.git
cd seal

# 2. Build (configure + compile + docs)
.\build.bat

# 3. Run
.\build\bin\Release\seal.exe

Output: build/bin/Release/seal.exe

Architecture

---
config:
  look: handDrawn
  theme: mc
  themeVariables:
    fontSize: 18px
  layout: elk
---
graph TB
    classDef core fill:#1e3a5f,stroke:#3b82f6,color:#e2e8f0
    classDef gui fill:#134e3a,stroke:#10b981,color:#e2e8f0
    classDef vault fill:#4a3520,stroke:#f59e0b,color:#e2e8f0
    classDef crypto fill:#2e1f5e,stroke:#8b5cf6,color:#e2e8f0

    Main["🚀 main.cpp"]:::core

    subgraph GUI["🖥️ GUI Layer"]
        Backend["⚙️ Backend"]:::gui
        QML["🎨 QML Views"]:::gui
        Fill["⌨️ FillController"]:::gui
    end

    subgraph Vault["🗄️ Vault Layer"]
        VaultModel["📋 VaultListModel"]:::vault
        VaultIO["💾 Vault I/O"]:::vault
    end

    subgraph Crypto["🔐 Crypto Layer"]
        Cryptography["🔑 Cryptography"]:::crypto
        FileOps["📁 FileOperations"]:::crypto
        Clipboard["📋 Clipboard"]:::crypto
    end

    Main --> GUI
    Main --> Vault
    GUI --> Vault
    Vault --> Crypto
    GUI --> Crypto

Loading

File	Purpose
main.cpp	Entry point, CLI argument parsing
Cryptography	AES-256-GCM primitives, key derivation
FileOperations	File/directory encryption and streaming
Vault	Vault format, on-demand decryption
VaultModel	QML list model for vault entries
Backend	QML ↔ C++ bridge, application logic
FillController	Credential auto-fill into target windows
Clipboard	Clipboard operations with TTL scrubbing
Utils	String, hex, and path utilities

Project Structure

seal/
|-- src/                        # C++ source code
|   |-- main.cpp                # Entry point and CLI parsing
|   |-- Cryptography.cpp/hpp      # AES-256-GCM, scrypt key derivation
|   |-- FileOperations.cpp/hpp    # File/directory/stream encryption
|   |-- Vault.cpp/hpp             # Vault format and on-demand decryption
|   |-- VaultModel.cpp/hpp        # QML list model for vault entries
|   |-- Backend.cpp/hpp           # QML backend bridge
|   |-- FillController.cpp/hpp    # Credential auto-fill controller
|   |-- Clipboard.cpp/hpp         # Clipboard with TTL scrubbing
|   |-- Utils.cpp/hpp             # String, hex, path utilities
|   |-- Console.cpp/hpp           # Console/CLI helpers
|   |-- QmlMain.cpp/hpp           # QML application entry
|   +-- Version.hpp             # Version macros
|-- qml/                        # Qt6 QML UI
|   |-- Main.qml                # Application window
|   |-- AccountsTable.qml       # Credential list view
|   |-- AccountDialog.qml       # Add/edit credential dialog
|   |-- PasswordDialog.qml      # Master password prompt
|   +-- ...                     # Theme, headers, search, icons
|   |-- QrCapture.cpp/hpp         # Webcam QR capture with secure memory
|-- tests/                      # Google tests
|-- assets/                     # Fonts and icons
|-- scripts/                    # Documentation post-processing
|-- CMakeLists.txt              # Build configuration
|-- vcpkg.json                  # Dependency manifest
|-- build.bat                   # Build pipeline script
+-- mkdocs.yml                  # Documentation site config

Documentation

API documentation is generated via a three-stage pipeline:

# 1. Generate markdown from C++ headers
doxide build

# 2. Post-process (strip noise, fix formatting, add icons)
python scripts/clean_docs.py

# 3. Build the documentation site
mkdocs build

The site is output to site/ and can be served locally with mkdocs serve.

Troubleshooting

Problem	Solution
SeLockMemoryPrivilege	Enable via gpedit.msc -> Local Policies -> User Rights Assignment
Remote Desktop blocked	Intended - seal refuses to run over RDP for security
vcpkg ninja crash	Known issue with bundled ninja 1.13.2, retry or use system ninja
Qt plugins not found	Ensure windeployqt ran during build, check qt.conf paths

Contributing

Contributions are welcome! Please read the Contributing Guidelines before submitting pull requests.

Development Workflow

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Make your changes
4. Run tests and ensure the build passes
5. Commit with descriptive messages
6. Push to your fork and open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

• OpenSSL - Cryptographic primitives
• Qt - GUI framework
• Google Test - Testing framework
• vcpkg - C++ package manager
• Doxide - API documentation generator
• MkDocs Material - Documentation theme
• Font Awesome Pro 7.2 - UI icons
• Claude - AI coding assistant by Anthropic
• Codex - AI coding assistant by OpenAI