← LocalMask

Security & Threat Model

How LocalMask handles your code and secrets. Last updated 2026-07-10.

The one-sentence version: LocalMask runs entirely on your machine. Your source code and the real values of your secrets never leave it — detection, masking, and rehydration are all local.

What stays on your machine, always

DataWhere it lives
Your source codeNever uploaded. Scanned in place.
Real secret valuesLocal encrypted vault (~/.localmask/vault.sqlite, file mode 0600). Never transmitted.
Token ↔ value mappingLocal only. Rehydration happens on your machine.
Detection feedbackStored hashed (salted), local, git-ignored.
License keyValidated offline (Ed25519 signature). No activation server call.

The only thing that can ever leave — and only if you turn it on

Two Pro features make an outbound call, both opt-in and both sending masked tokens only, never the real values:

Audit logs record only event types and counts — never secret values.

Update discovery

LocalMask never phones home on its own. It checks for a newer version only when you explicitly run localmask check-updates (or view localmask license), by fetching a small public latest.json. Scanning makes no network request.

License integrity

Paid editions ship readable source (source-available) — you can review every line that runs against your code. Paid capabilities unlock only with a cryptographically signed license; the signing key exists only on our server, so a license cannot be forged even with full source access.

Reporting a vulnerability

Email security@localmaskpro.com. We aim to acknowledge within 72 hours.