Overview
Travel Fortress is a split-knowledge encryption system designed for scenarios where you might be compelled to unlock your vault (border crossings, device inspections, coercive situations). It cryptographically separates sensitive credentials behind a separate PIN-derived key, making them inaccessible even with your master password.
How it works
Mark sensitive items
Select which credentials, notes, and passkeys should be hidden during travel. These items are flagged as travel_safe: false.
Set a travel PIN
Choose a separate PIN. PassAgent derives a travel key from this PIN + a random salt using Argon2id (same parameters as your vault key).
Enable travel mode
Each hidden item's per-item key is unwrapped with your vault key, wrapped again under the travel key, and the original vault-key wrapping is deleted. From then on the vault key alone cannot recover these items.
Travel
If compelled to unlock your vault, only non-sensitive items are visible. Hidden items are cryptographically inaccessible.
Split-knowledge architecture
| Component | Held by | Purpose |
|---|---|---|
| PIN | You (memory) | Useless without the salt |
| Salt | Server | Useless without the PIN |
| Travel key | Derived at runtime | Wraps hidden item keys |
| Vault key | Your master password | Cannot access hidden items |
Neither the PIN alone nor the salt alone can derive the travel key; both components are required, which is what makes this split-knowledge. Because a PIN is short, resistance to offline guessing rests on the salt staying on the server: a party holding both the salt and the travel-wrapped item keys could try PINs offline, slowed only by the Argon2id cost.
Duress PIN
You can set a separate duress PIN that, when entered:
- Displays a convincing fake vault with decoy data
- Silently alerts your trusted contacts
- Logs a duress event in the audit trail
- Does not reveal your actual hidden items
Time-lock
Configure a time-lock (0 to 720 hours, i.e. up to 30 days) that prevents disabling travel mode before the timer expires. This protects against being forced to disable the fortress on the spot.
Trusted contact approval
Optionally require a trusted contact to approve disabling travel mode. This adds a second layer of human verification before restoration.
Protected data types
Travel Fortress protects items across these tables:
- Passwords — vault credentials
- Secure notes — encrypted notes and documents
- Vault items — general vault entries
- Passkey credentials — WebAuthn passkeys
Cryptographic parameters
| Parameter | Value |
|---|---|
| KDF | Argon2id |
| Memory | 64 MiB (fallback: 32 MiB) |
| Iterations | 3 (fallback: 4) |
| Key length | 256 bits (AES-256) |
| Cipher | AES-256-GCM |
| IV | 12 bytes (96 bits) |
| Tag | 128 bits |
API reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/vault/travel-mode | Get status, time-lock, counts, trusted contact |
| POST | /api/vault/travel-mode | Set up PIN, enable, disable, configure, mark items |
| GET | /api/vault/travel-mode/hidden-items | Fetch items marked as hidden |