Offline Terminal Encryption: The Air-Gapped Vault
Published on January 27, 2026 by Vizava.pro
Get rid of all network vectors. Encrypt text files and sensitive logs in the local terminal environment without sending a single packet from your device.
In a time when telemetry and packet sniffing never stop, going dark is often the only way to protect your privacy. Secure cloud storage is useful, but it depends on a chain of trust: you have to trust your ISP, the TLS handshake, and the remote server.
The safest way to connect to the internet for the most sensitive information, like master keys, crypto seed phrases, or whistleblower manifests, is not to connect at all.
This guide explains how Vizava's Terminal Mode works. It's an offline environment that turns your browser into an air-gapped encryption machine.

The Trust Gap

"Leakage" is a common problem with standard encryption tools that run in a web browser. The application could still be pinging analytics servers, loading remote fonts, or auto-saving drafts to a cloud backend, even if the encryption happens on the client side.
  1. Is the input field sending keystrokes to an API?
  2. Is the browser saving the cleartext in local history?
  3. Are scripts from other websites watching the DOM?
  4. Does the "Save" button send data to the server or just download it?
These doubts add up to a "Trust Gap." They are acceptable risks for low-stakes data. They are not acceptable for high-stakes data.
The "Cloud" Mistake:

A lot of "secure notes" apps say they are private, but they secretly send your data to their servers so you can use it on more than one device. Cold storage is the opposite of convenience.

The Air-Gapped Solution

The Vizava Terminal is made to work in a technological vacuum. The logic is self-contained once the page loads. You can unplug your ethernet cable or turn off Wi-Fi, and the terminal will still work perfectly.
The interface changes to show this state, with a red NETWORK: AIR-GAPPED indicator. This is more than just a UI element; it shows that the specific DOM elements for encryption are not connected to the browser's fetch/XHR functions.
  Buffer Size: 250,000 chars
  Network: No Requests
  Output: JSON or .DAT File
Your data stays in the browser's memory heap until you tell it to export it as an encrypted blob.

Deep Dive: Client-Side Logic

The Terminal uses the standard VizavaSecurity class that is part of our open-source viewer. It makes sure that the file format can be used on different devices. If you have the keys, you don't need Vizava to decrypt it later, but our tool makes it easy.

1. Key Derivation (PBKDF2)

We don't use your password as the key directly. We derive the key with PBKDF2 (Password-Based Key Derivation Function 2), using a high number of iterations and a random salt. The salt stops rainbow table attacks, and the iteration count makes each brute-force guess expensive.

2. AES-GCM

Your buffer is encrypted with the derived key using AES-256-GCM (Galois/Counter Mode). This gives you confidentiality (they can't read it) and integrity (they can't change it without breaking the auth tag).

3. The JSON Container

The output is a standard JSON object that has everything needed to decrypt (except the password).
The output format is as follows:

{
  "v": 1,
  "iter": 2000000,
  "ks": 256,
  "ts": 128,
  "mode": "gcm",
  "adata": "",
  "cipher": "aes",
  "salt": "m+F8a...",
  "iv": "9d8f...",
  "ct": "Xy7z..."
}
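An independent reader and writer for a container of this shape, runnable offline in Node.js. This is an added example, not Vizava's code. It assumes PBKDF2-HMAC-SHA-256, base64-encoded fields, a 16-byte salt, a 12-byte IV and the GCM tag appended to "ct", none of which the page specifies; the function names and MAX_ITER are hypothetical.

```javascript
// Added example (not Vizava's code). Assumed: PBKDF2-HMAC-SHA-256, base64
// fields, 16-byte salt, 12-byte IV, 16-byte GCM tag appended to "ct".
const nodeCrypto = require('node:crypto');

const MIN_ITER = 600000;   // the page's Standard mode
const MAX_ITER = 5000000;  // hypothetical ceiling: rejects CPU-exhaustion containers

function deriveKey(passphrase, salt, iter) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, iter, 32, 'sha256');
}

function encryptBuffer(plaintext, passphrase, iter = MIN_ITER) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(passphrase, salt, iter);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final(), cipher.getAuthTag()]);
  return { v: 1, iter, ks: 256, ts: 128, mode: 'gcm', adata: '', cipher: 'aes',
           salt: salt.toString('base64'), iv: iv.toString('base64'), ct: body.toString('base64') };
}

// Header fields are readable and untrusted: check them before spending CPU
// on the KDF or handing them to the cipher.
function validateContainer(c) {
  if (c.v !== 1 || c.cipher !== 'aes' || c.mode !== 'gcm' || c.adata !== '')
    throw new Error('unsupported container');
  if (c.ks !== 256 || c.ts !== 128) throw new Error('unexpected key or tag size');
  if (!Number.isInteger(c.iter) || c.iter < MIN_ITER || c.iter > MAX_ITER)
    throw new Error('iteration count out of range');
  const salt = Buffer.from(c.salt, 'base64');
  const iv = Buffer.from(c.iv, 'base64');
  const body = Buffer.from(c.ct, 'base64');
  if (salt.length < 16 || iv.length !== 12 || body.length < 16) throw new Error('malformed field');
  return { salt, iv, ct: body.subarray(0, body.length - 16), tag: body.subarray(body.length - 16) };
}

function decryptContainer(json, passphrase) {
  const c = JSON.parse(json);
  const { salt, iv, ct, tag } = validateContainer(c);
  const key = deriveKey(passphrase, salt, c.iter);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong passphrase or modified data.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

A wrong passphrase and a modified ciphertext fail the same way, at the tag check, so the caller cannot tell them apart.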

Workflow: Step-by-Step Guide

This is the best way to make a "Cold Storage" backup of sensitive text.

Step 1: Start

Go to the Terminal tab. Make sure the red status light says "AIR-GAPPED." To be completely sure, turn off your device's Wi-Fi.

Step 2: Enter and Buffer

Put your data into the terminal buffer by typing or pasting it. The field has autocomplete="off" and spellcheck turned off so that your operating system doesn't store parts of the text in system dictionaries.

Step 3: Secure It

Type in a strong Local Passphrase. The system will make a random 10-character alphanumeric key for you if you leave this blank.

Step 4: Export

To copy the encrypted blob to your clipboard, click "Copy JSON." To save it as a .dat file, click the download button.
You can now safely send this .dat file by email, put it on a USB drive, or upload it to Google Drive. Without the passphrase, the file looks like random noise most of the time.

Paranoid Mode

The Terminal has a switch called "Paranoid Mode" for users who want to protect themselves from state-level actors or huge supercomputer clusters.
  Mode: Standard (600,000 iterations)
  Mode: Paranoid (2 million iterations)
  Cost: High latency, high CPU load
Standard: 600,000 PBKDF2 iterations are used. This is standard in the industry and hard to break with brute force. It works quickly on mobile devices.
Paranoid: raises the number of iterations to 2,000,000. This makes it much more expensive to find the key.
The trade-off is that it will take noticeably longer to encrypt and decrypt (1 to 3 seconds, depending on the device). This delay is by design. If it takes your phone three seconds to guess one password, it will take a hacker's cluster centuries to guess trillions.