Cold Storage
Offline Terminal Encryption
Published on January 27, 2026 by Vizava.pro
Eliminate network vectors entirely. Use the local terminal environment to encrypt text files and sensitive logs without a single packet leaving your device.
In an era of relentless telemetry and packet sniffing, true privacy often means going dark. While secure cloud storage is convenient, it inherently relies on a chain of trust: trusting your ISP, trusting the TLS handshake, and trusting the remote server.
For the most sensitive data—master keys, crypto seed phrases, or whistleblower manifests—the safest network connection is no connection at all.
This guide details the architecture of Vizava's Terminal Mode, a strictly offline environment designed to turn your browser into an air-gapped encryption machine.
The Trust Gap
Standard browser-based encryption tools often suffer from "leakage." Even if the encryption happens client-side, the application might still be pinging analytics servers, loading remote fonts, or auto-saving drafts to a cloud backend.
1. Is the input field sending keystrokes to an API?
2. Is the browser caching the cleartext in local history?
3. Are third-party scripts monitoring the DOM?
4. Does the "Save" button upload data or just download it?
These uncertainties create a "Trust Gap." For low-level security, they are acceptable risks. For high-stakes data, they are disqualifying.
The "Cloud" Fallacy:
Many "secure notes" apps claim to be private but silently sync your data to their servers for "multi-device convenience." Convenience is the antithesis of cold storage.
The Air-Gapped Solution
The Vizava Terminal is designed to function inside a technological vacuum. Once the page loads, the logic is self-contained. You can physically disconnect your ethernet cable or disable Wi-Fi, and the terminal will continue to function perfectly.
The interface changes to reflect this state, displaying a red NETWORK: AIR-GAPPED indicator. This is not just a UI element; it confirms that the specific DOM elements for encryption are decoupled from the browser's fetch/XHR capabilities.
Buffer Size: 250,000 Chars
Network: Zero Requests
Output: JSON / .DAT File
Your data stays in the browser's memory heap until you explicitly choose to export it as an encrypted blob.
Deep Dive: Client-Side Logic
The Terminal uses the standard VizavaSecurity class found in our open-source viewer. It ensures that the file format is portable—you don't need Vizava to decrypt it later if you have the keys, but our tool makes it seamless.
1. Key Derivation (PBKDF2)
We don't just use your password directly. We run it through PBKDF2 (Password-Based Key Derivation Function 2) with a high iteration count and a random salt. The random salt prevents rainbow table attacks, and the iteration count makes each password guess expensive.
2. AES-GCM
The derived key encrypts your buffer using AES-256-GCM (Galois/Counter Mode). This provides both confidentiality (they can't read it) and integrity (they can't tamper with it without breaking the auth tag).
3. The JSON Container
The output is a standardized JSON object containing everything needed for decryption (except the password).
Output Format (JSON)
{
  "v": 1,
  "iter": 2000000,
  "ks": 256,
  "ts": 128,
  "mode": "gcm",
  "adata": "",
  "cipher": "aes",
  "salt": "m+F8a...",
  "iv": "9d8f...",
  "ct": "Xy7z..."
}
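An independent sealer and decryptor for a container with these fields, as an added example that is not Vizava's code, runnable in Node.js with no network access. It assumes base64-encoded fields, PBKDF2 with HMAC-SHA-256 and the GCM tag appended to "ct", none of which the page specifies; seal, open, tryOpen and the iteration bounds are names and values chosen for this example.

```javascript
// Added example, not Vizava's code. Field names come from the page's container.
// ASSUMPTIONS: base64 fields, PBKDF2-HMAC-SHA256, GCM tag appended to "ct".
const nodeCrypto = require('node:crypto');

const MIN_ITER = 600000, MAX_ITER = 10000000; // bounds chosen for this example

function deriveKey(passphrase, salt, iter, ks) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, iter, ks / 8, 'sha256');
}

function seal(plaintext, passphrase, iter = MIN_ITER) {
  const salt = nodeCrypto.randomBytes(16); // fresh salt per container
  const iv = nodeCrypto.randomBytes(12);   // 96-bit nonce, unique per encryption
  const key = deriveKey(passphrase, salt, iter, 256);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final(), c.getAuthTag()]);
  return { v: 1, iter, ks: 256, ts: 128, mode: 'gcm', adata: '', cipher: 'aes',
    salt: salt.toString('base64'), iv: iv.toString('base64'), ct: body.toString('base64') };
}

function open(box, passphrase) {
  // Header fields are unauthenticated input: accept only the one expected suite.
  if (box.v !== 1 || box.cipher !== 'aes' || box.mode !== 'gcm' ||
      box.ks !== 256 || box.ts !== 128 || box.adata !== '')
    throw new Error('unsupported container parameters');
  // Bound "iter": a huge value in an untrusted file would stall the decryptor.
  if (!Number.isInteger(box.iter) || box.iter < MIN_ITER || box.iter > MAX_ITER)
    throw new Error('iteration count out of accepted range');
  const salt = Buffer.from(box.salt, 'base64');
  const iv = Buffer.from(box.iv, 'base64');
  const body = Buffer.from(box.ct, 'base64');
  if (body.length < 16) throw new Error('ciphertext shorter than auth tag');
  const key = deriveKey(passphrase, salt, box.iter, box.ks);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  d.setAuthTag(body.subarray(body.length - 16));
  // final() throws when the passphrase is wrong or any byte was altered.
  const pt = Buffer.concat([d.update(body.subarray(0, body.length - 16)), d.final()]);
  return pt.toString('utf8');
}

// Returns null instead of throwing, for callers that only need pass/fail.
function tryOpen(box, passphrase) {
  try { return open(box, passphrase); } catch (err) { return null; }
}
```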
Workflow: Step-by-Step Guide
Here is the recommended workflow for creating a "Cold Storage" backup of sensitive text.
Step 1: Initialize
Navigate to the Terminal tab. Ensure the red status light indicates "AIR-GAPPED". For absolute certainty, disable your device's Wi-Fi.
Step 2: Input & Buffer
Type or paste your data into the terminal buffer. The field has autocomplete="off" and spellcheck disabled to prevent your OS from caching fragments of the text in system dictionaries.
Step 3: Lock It Down
Enter a strong Local Passphrase. If you leave this blank, the system will generate a random 10-character alphanumeric key for you.
Step 4: Export
Click "Copy JSON" to move the encrypted blob to your clipboard, or click the download button to save it as a .dat file.
You can now safely email this .dat file, store it on a USB drive, or upload it to Google Drive. Without the passphrase, the encrypted payload in the file is statistically indistinguishable from random noise.
Paranoid Mode
For users defending against state-level actors or massive supercomputer clusters, the Terminal offers a toggle called Paranoid Mode.
Mode: Standard - 600k Iterations
Mode: Paranoid - 2M Iterations
Cost: CPU Load - HIGH LATENCY
Standard: Uses 600,000 PBKDF2 iterations. This is industry standard and resistant to generic brute force. It is fast on mobile devices.
Paranoid: Increases iterations to 2,000,000. This dramatically increases the computational cost to derive the key.
The Trade-off: Encryption and decryption will take noticeably longer (1-3 seconds depending on device). This delay is intentional; if it takes your phone 3 seconds to guess one password, it will take a hacker's cluster centuries to guess trillions.