SCSA Vault
Sealing a file
How to seal and open files with SCSA Vault.
Seal a file
- Open SCSA Vault.
- Drag a file (or folder) onto the window, or click Seal.
- Choose what to bind to: CPU, GPU, or both (see Hardware binding).
- Optionally add a passphrase as a second factor on top of the hardware binding.
- Vault writes a sealed
.scsafile next to the original. The original is left untouched — delete it yourself once you have verified the sealed copy opens.
The sealed file is ciphertext bound to the machine's measurement. On any other machine it contains nothing recoverable.
Open a sealed file
- On the same machine it was sealed to, drag the
.scsafile onto Vault. - Vault re-measures the hardware and derives the key. If the measurement matches, the file decrypts.
- If you set a passphrase, enter it — it is required in addition to the hardware match, never instead of it.
A sealed file opens only on the hardware it was bound to. If you need a file on a second machine, seal a copy to that machine as well, or use a GPU binding on an attested GPU both machines can reach.
What a seal contains
- Ciphertext under an AEAD cipher, keyed by a hardware-derived key.
- The binding policy (CPU / GPU / both, passphrase on/off).
- No plaintext, and no copy of the key.