Sacred Cipher Engine

The PIM modifies the number of cryptographic iterations. Using a wrong PIM will generate a completely different cipher. Range: 1 to 32 digits.

Adds exactly this number of characters to the final cipher (0–9999). Deterministic: same value → same extension. 0 = original behavior unchanged.


𓆣
Sacred Vault — Archive Manager
AES-256-GCM · PBKDF2-HMAC-SHA512 · deflate-raw · .bca format · 100% local
𓁹
Drag files here or click to select
You can select multiple files · Max 100 files · any format
Waiting...
✦ AES-256-GCM ✦ AES-256-CBC ✦ PBKDF2-HMAC-SHA512 ✦ 200k+ iterations ✦ deflate-raw ✦ IV random 96-bit ✦ Salt random 256-bit
𓊹
Drag the .bca file here or click
BastetCipher Archive (.bca)
Waiting...
✦ GCM/CBC Auth tamper verification ✦ Wrong password → immediate rejection ✦ Standard .zip output ✦ This time written to disk
𓇯
Drag the .bca file here or click
BastetCipher Archive (.bca) — will be opened in memory, no data written to disk
Waiting...
✦ In-Memory Only ✦ No disk writes ✦ BlobURL revoked after loading ✦ RAM wiped on close ✦ Secure iframe/blob sandbox
⚠ Best Practices — Operational Security
🔴 Disable Hibernation
When the PC hibernates, the entire RAM is written to disk.
Any data open in the Vault would end up in the hibernation file.

Windows: powercfg /h off
macOS: sudo pmset -a hibernatemode 0
Linux: remove the resume= line from GRUB and disable the swap partition from hibernation.
🔴 Disable Swap / Virtual Memory
If RAM is full, the system may move memory pages to disk (swap/pagefile).
This can include decrypted data even without hibernation.

Windows: System → Advanced system settings → Performance → Virtual Memory → No paging file.
macOS: Swap is managed automatically; use FileVault to encrypt the disk, so swap is encrypted.
Linux: sudo swapoff -a (temporary) or remove swap lines from /etc/fstab.
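
The Linux items in the hibernation and swap sections above can be verified before opening the Vault. The following is an added example, not part of the original page or the BastetCipher project: a read-only audit of /proc/swaps, /proc/cmdline and /etc/fstab. The function names, finding labels and the RUN_AUDIT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the Linux RAM-to-disk paths listed above.
# Each function takes a file path, so it also works on saved copies of the files.

# Active swap areas: first column of /proc/swaps, header line skipped.
active_swaps() {
    awk 'NR > 1 && NF > 0 { print $1 }' "$1"
}

# Swap entries that will be re-enabled at boot: uncommented fstab lines
# whose third field (filesystem type) is "swap".
fstab_swaps() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$1"
}

# True when the kernel command line carries a resume= parameter,
# i.e. a hibernation image location is configured.
has_resume_param() {
    case " $(cat "$1") " in
        *" resume="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
# Defaults point at the live system; pass three paths to audit copies.
audit() {
    swaps=${1:-/proc/swaps}
    cmdline=${2:-/proc/cmdline}
    fstab=${3:-/etc/fstab}
    rc=0
    for dev in $(active_swaps "$swaps"); do
        echo "swap-active $dev"; rc=1
    done
    for dev in $(fstab_swaps "$fstab"); do
        echo "swap-at-boot $dev"; rc=1
    done
    if has_resume_param "$cmdline"; then
        echo "resume-param-present"; rc=1
    fi
    return $rc
}

# Set RUN_AUDIT=1 to check the live host when running this file directly.
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit; fi
```

A swap-active finding is acceptable only when the swap area sits on an encrypted volume, which this script does not check.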
🟑 Encrypt the disk (if swap cannot be disabled)
If you cannot disable swap, make sure the entire disk is encrypted.
This way even data that ends up in the swap remains inaccessible without the boot key.

Windows: VeraCrypt (BitLocker not recommended)
macOS: FileVault 2
Linux: LUKS with dm-crypt
ℹ
Why not BitLocker? It is closed source and cannot be independently verified. By default, Windows uploads the recovery key to your Microsoft account — on third-party servers outside your control. Microsoft is subject to US legislation (FISA, NSL) which can compel the handover of data and keys with secrecy obligations toward the end user. VeraCrypt is open source, subjected to public independent audits, no account, no cloud and no keys on external servers. The choice is yours — but now you know.
🟑 Securely delete the original files
After creating the .bca archive, delete the original unencrypted files with a multi-pass secure deletion to make them unrecoverable even with forensic tools.

Windows: Eraser (Gutmann 35-pass algorithm or DoD 5220.22-M)
macOS: rm -P file or Permanent Eraser
Linux: shred -vuz -n 35 file (Gutmann) or wipe, alternatively with peazip

⚠ On SSD/NVMe, secure overwrite deletion is less reliable due to wear leveling — use full disk encryption as primary protection (otherwise you would need to wipe free space and overwrite the entire disk every time, risking premature wear).