App Lock

Optional local unlock flow for hiding EnvVault project metadata while the app is running.

Purpose

App Lock is an optional local guard for the running EnvVault UI. When configured and locked, EnvVault shows the unlock screen instead of hydrating project metadata into the main app layout.

Setup

  • Open Settings.
  • Enter and confirm an app lock passphrase.
  • The passphrase must be at least 10 characters.
  • Optionally allow macOS unlock when device-owner authentication is available.
  • Enable App Lock.

Unlock options

  • Unlock with the configured app lock passphrase.
  • Unlock with macOS LocalAuthentication when enabled.
  • macOS unlock can use Touch ID when available; otherwise it falls back to device-owner authentication, such as the macOS password.

Settings controls

  • Current state shows Not configured, Locked, or Unlocked.
  • macOS auth, Touch ID, and macOS unlock availability are shown separately.
  • Lock Now immediately returns EnvVault to the unlock screen.
  • Disable App Lock removes the local app lock configuration.
  • The macOS unlock toggle requires EnvVault to be unlocked before changing it.

Security boundary

  • The passphrase verifier is Argon2id-hashed and stored through the app's named Keychain storage.
  • App Lock protects the EnvVault UI and Keychain commands while the app is running.
  • App Lock is not a replacement for FileVault or a fully encrypted SQLite database.
  • Keep FileVault enabled for metadata-at-rest protection.
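
A minimal model of the stored verifier and the lock states described above, added here as an illustration and not EnvVault's own code. Assumptions: scrypt from the Python standard library stands in for Argon2id, a dict stands in for Keychain storage, and the KDF parameters, all names, and the state right after setup are hypothetical.

```python
import hashlib, hmac, os

MIN_LEN = 10  # minimum passphrase length from the Setup section
# Assumption: scrypt replaces Argon2id (not in the stdlib); parameters are illustrative.
KDF = dict(n=2**14, r=8, p=1, dklen=32)

def make_verifier(passphrase, confirm):
    """Build the record to store: a salt and a derived hash, never the passphrase."""
    if passphrase != confirm:
        raise ValueError("passphrase and confirmation differ")
    if len(passphrase) < MIN_LEN:
        raise ValueError("passphrase must be at least 10 characters")
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.scrypt(passphrase.encode(), salt=salt, **KDF)}

def check(verifier, attempt):
    """Re-derive from the attempt and compare in constant time."""
    derived = hashlib.scrypt(attempt.encode(), salt=verifier["salt"], **KDF)
    return hmac.compare_digest(derived, verifier["hash"])

class AppLock:
    def __init__(self):
        self.store = {}        # hypothetical stand-in for Keychain storage
        self.unlocked = False

    def state(self):
        if "verifier" not in self.store:
            return "Not configured"
        return "Unlocked" if self.unlocked else "Locked"

    def enable(self, passphrase, confirm, macos_unlock=False):
        self.store["verifier"] = make_verifier(passphrase, confirm)
        self.store["macos_unlock"] = macos_unlock
        self.unlocked = True   # assumption: the session that set the lock stays unlocked

    def unlock(self, attempt):
        if self.state() == "Locked" and check(self.store["verifier"], attempt):
            self.unlocked = True
        return self.unlocked

    def lock_now(self):
        self.unlocked = False

    def set_macos_unlock(self, allowed):
        if self.state() != "Unlocked":  # the toggle requires an unlocked app
            raise PermissionError("unlock EnvVault before changing macOS unlock")
        self.store["macos_unlock"] = allowed

    def disable(self):
        self.store.clear()     # removes the local app lock configuration
        self.unlocked = False
```

The model gates only the in-process state, which is why the page pairs App Lock with FileVault for data at rest.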