Cryptographic Features
Review the authenticated payload layer, password and keyphrase hardening, key separation, optional PQC protection, and chess metadata carrier.
Avikal combines authenticated payload encryption, user-secret hardening, key separation, optional post-quantum protection, and a Chess-PGN metadata carrier.
This page describes the documented feature set. It is not a formal security proof, and it should not be read as a guarantee that every configuration is equally appropriate for every threat model.
AES-256-GCM Payload Protection
Protected archive payloads use authenticated encryption. This protects confidentiality and detects tampering when the correct secrets are used.
In the archive format, encrypted file data is stored in payload.enc. The payload layer is separate from the metadata carrier used for routing and access material.
Argon2id Password Hardening
Passwords and keyphrases are hardened through Argon2id before being used in the key hierarchy.
This applies to user-provided secrets such as archive passwords and keyphrases. Strong user secret storage remains necessary because Avikal does not provide a recovery backdoor.
HKDF Key Separation
Avikal uses HKDF-based derivation labels to separate payload keys, metadata keys, PQC-derived keys, and time-gated key material.
Key separation is important because one derived key should not be reused for unrelated purposes.
Optional PQC Hybrid Protection
PQC mode uses OpenSSL-backed post-quantum primitives together with classical X25519 hybrid material. This reduces sole dependence on classical elliptic-curve security for PQC-enabled archives.
The landing page also names NIST post-quantum standards and the OpenSSL 3.5+ runtime as part of the product's post-quantum positioning. In the app workflows, PQC remains an optional protection mode selected during archive creation.
PQC Signature Validation
The PQC public bundle is authenticated before decapsulation. The app verifies the binding of PQC public material rather than relying on unauthenticated key material.
This matters for archives that include PQC protection because the public material used in the flow must be tied to the archive's expected key material.
Native Rust Crypto Runtime
Production crypto depends on the native Rust module. If the native crypto runtime is unavailable, the app is designed to fail closed instead of silently falling back to weaker runtime behavior.
Runtime status is visible in Settings so users can see whether critical local components are available.
Native Chess Codec Acceleration
Avikal encodes metadata into Chess-PGN form. The current implementation uses a fast native chess codec path for performance while keeping the PGN carrier and archive format compatible.
This is a format and performance detail, not a replacement for encryption.
Chess-PGN Metadata Carrier
keychain.pgn is the required metadata carrier inside .avk. It keeps Avikal's chess identity while still relying on cryptographic encryption for confidentiality when metadata is protected.
The chess record is part of the archive structure and product identity. It should not be described as the only security layer.