How LocalMask handles your code and secrets. Last updated 2026-07-10.
| Data | Where it lives |
|---|---|
| Your source code | Never uploaded. Scanned in place. |
| Real secret values | Local encrypted vault (~/.localmask/vault.sqlite, file mode 0600). Never transmitted. |
| Token ↔ value mapping | Local only. Rehydration happens on your machine. |
| Detection feedback | Stored hashed (salted), local, git-ignored. |
| License key | Validated offline (Ed25519 signature). No activation server call. |
Two Pro features make an outbound call, both opt-in and both sending masked tokens only, never the real values:
Audit logs record only event types and counts — never secret values.
LocalMask never phones home on its own. It checks for a newer version only
when you explicitly run localmask check-updates (or view
localmask license), by fetching a small public
latest.json. Scanning makes no network request.
Paid editions ship readable source (source-available) — you can review every line that runs against your code. Paid capabilities unlock only with a cryptographically signed license; the signing key exists only on our server, so a license cannot be forged even with full source access.
Email security@localmaskpro.com. We aim to acknowledge within 72 hours.