Answers to Common Questions

Can't find your answer? Contact us — we respond within 1 business day.

General
VaultNX is a Windows desktop application that encrypts your files and stores them on a NAS (Network Attached Storage) device. Every file is individually encrypted with AES-256-GCM before it leaves your machine. No plaintext ever touches the NAS. It operates entirely on your local network — there is no cloud component.
No cloud subscription is required. VaultNX operates entirely on your local network between your Windows machine and NAS. An internet connection is only required during initial license activation (a one-time, seconds-long call to our license server). After that, the app works fully offline for 35 days before a background check-in is needed.
No. VaultNX never uploads your files to any cloud service. Your encrypted files live exclusively on the NAS you own and control. We provide the encryption software and license management only.
VaultNX supports any file type and has no hard file size limit other than available NAS storage. Each file is encrypted individually, so large files are streamed rather than buffered entirely in RAM. Encrypted files use the .avd extension and are stored in your vault's root folder on the NAS.
Technical
Any NAS that exposes an SMB 2.x or 3.x share accessible from your Windows machine is supported. This includes Synology DSM (6 and 7), QNAP QTS / QuTS hero, WD My Cloud, Seagate NAS OS, TrueNAS Core/Scale, Asustor ADM, Buffalo TeraStation, and Windows Server file shares. If it has an SMB share and you can enter a hostname, share name, username, and password — it will work.
No. VaultNX uses SMBLibrary to open a direct, private SMB session to the NAS. No drive letter is assigned, no UNC path appears in File Explorer, and no credentials are cached by the Windows Credential Manager. The connection is entirely private to the VaultNX process.
Windows 10 version 21H2 or later (64-bit) and Windows 11 (all editions). Windows Server 2019 and 2022 are also supported for server installations. The .NET 8 runtime is bundled with the installer — no separate runtime installation is required.
The installer requires administrator privileges to register the startup registry entry and install to Program Files. After installation, VaultNX runs under your standard user account. Elevated privileges are not required during normal operation.
Yes. Windows Server 2019/2022 is supported. Virtual machines are supported provided the VM has network connectivity to the NAS and a stable Windows identity for machine binding. Windows Hello biometric may not be available in VMs without passthrough hardware, but the master password unlock path always works.
Licensing
Each license key has a defined seat count. When a machine activates the key, it claims one seat. The activation is bound to a SHA-256 hash of the machine's Windows MachineGuid — a stable hardware identifier set at OS install. If you exceed the seat count, activation is rejected until a seat is freed. Seats can be released manually from the admin panel or by deactivating from the app's Settings → License screen.
If you replace hardware or reinstall Windows, the MachineGuid changes and the new machine will need to claim a seat. Deactivate first from the old machine if possible (Settings → License → Deactivate). If the old machine is gone, an admin can force-release the seat from the license admin panel without touching the end-user machine.
Yes. After activation, the signed license token is stored locally. If the license server is unreachable, the app operates in offline mode for up to 35 days before an online check-in is required. Check-ins happen silently in the background every 7 days. If your environment has no internet access, contact us for an extended offline grace arrangement.
Yes. Deactivate on the old machine (Settings → License → Deactivate) to free the seat, then activate on the new machine. If you can't deactivate from the old machine, an admin can release the seat from the license admin panel.
When a license expires, the app enters a 14-day grace period. During grace, the vault remains accessible but a renewal warning is shown. After the grace period, the vault is locked until a renewed or new license is activated. Your encrypted data is not deleted or modified — it remains on your NAS and is accessible immediately upon license renewal.
The trial key activates the full Standard edition with all features unlocked. The only difference is it expires after 30 days and is limited to 1 seat. When you purchase a full license, activate it in Settings → License and the trial restriction is removed. Your vault data is preserved with no re-encryption.
Security
The encryption key is derived from your master password on each unlock using Argon2id and is held only in memory while the vault is open. It is never written to disk. When the vault is locked, the key is zeroed from memory. Your NAS password is stored encrypted via Windows DPAPI (bound to your Windows user account — useless to anyone else on the machine or anyone who steals the hard drive).
There is no password recovery mechanism by design. The master password is the sole root of the encryption key. If it is forgotten, the vault contents cannot be recovered. This is intentional — a recovery backdoor would be a security vulnerability. We strongly recommend keeping a secure record of your master password (e.g. in a dedicated password manager).
No. Your files are encrypted client-side before leaving your machine. We have no knowledge of your master password, no access to your NAS, and no copy of your encryption key. Even if our license server were fully compromised, your vault data would remain inaccessible.
The audit log records every security-relevant event: vault unlock attempts (success and failure), vault lock, file upload / download / delete, folder create / delete, NAS connection and disconnection, vault creation, settings changes, license activation and check-in, and application start/stop. Each entry has a UTC timestamp. The log is append-only and rotates at 10 MB. It is stored locally at %APPDATA%\VaultNX\audit.log.
All files on the NAS are AES-256-GCM encrypted. Without your master password and the corresponding Argon2id key derivation, the files are computationally indistinguishable from random noise. The vault manifest (index) is also encrypted. A stolen NAS yields nothing useful to an attacker.
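The answers above say each file is encrypted with AES-256-GCM and that large files are streamed rather than buffered. GCM only authenticates at the final tag, so a streaming design has to verify data in chunks before releasing any plaintext; the following is an added example of one such chunked layout, not VaultNX's code or its .avd file format. The names, chunk size, HKDF step and nonce layout are assumptions, and `master` stands in for the 32-byte key that Argon2id would produce.

```javascript
// Added example, not VaultNX code: chunked AES-256-GCM for streaming large files.
const crypto = require('node:crypto');

const CHUNK = 64 * 1024, TAG = 16, SALT = 16; // bytes; layout is an assumption

// Per-file key (HKDF over the master key and a random salt), so chunk counters
// can be used as nonces without ever repeating a (key, nonce) pair across files.
const fileKey = (master, salt) =>
  Buffer.from(crypto.hkdfSync('sha256', master, salt, 'file-key', 32));

// 12-byte nonce: 7 zero bytes | 4-byte chunk index | 1-byte "final chunk" flag.
function nonce(index, last) {
  const n = Buffer.alloc(12);
  n.writeUInt32BE(index, 7);
  n[11] = last ? 1 : 0;
  return n;
}

// Output: salt | (ciphertext chunk | tag) ... ; a real caller would read the
// chunks from a file stream instead of slicing one in-memory Buffer.
function encryptFile(master, plaintext) {
  const salt = crypto.randomBytes(SALT);
  const key = fileKey(master, salt);
  const out = [salt];
  const count = Math.max(1, Math.ceil(plaintext.length / CHUNK));
  for (let i = 0; i < count; i++) {
    const c = crypto.createCipheriv('aes-256-gcm', key, nonce(i, i === count - 1));
    out.push(c.update(plaintext.subarray(i * CHUNK, (i + 1) * CHUNK)), c.final(), c.getAuthTag());
  }
  return Buffer.concat(out);
}

// Throws if any chunk was modified, reordered, or cut off the end of the file.
function decryptFile(master, blob) {
  const key = fileKey(master, blob.subarray(0, SALT));
  const out = [], step = CHUNK + TAG;
  for (let off = SALT, i = 0; ; off += step, i++) {
    const piece = blob.subarray(off, off + step);
    if (piece.length < TAG) throw new Error('truncated file');
    const last = off + step >= blob.length;
    const d = crypto.createDecipheriv('aes-256-gcm', key, nonce(i, last));
    d.setAuthTag(piece.subarray(piece.length - TAG));
    const body = d.update(piece.subarray(0, piece.length - TAG));
    d.final(); // tag check: throws on mismatch, so body is released only if authentic
    out.push(body);
    if (last) return Buffer.concat(out);
  }
}
```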
