Security Model
How PRISM protects your data — and what it does not protect.
Local-Only Architecture
Every operation in PRISM runs entirely on your device. No certificates, private keys, CSRs, PFX files, or any other cryptographic material is ever transmitted to an external server. The only outbound network requests are a periodic version check and, optionally, direct API calls to a ClearPass server you configure.
Certificate Vault Modes
The Certificate Bundle feature lets you group lifecycle files (CSR, private key, signed certificate, chain, PFX) under one inventory entry. Three storage modes are available:
Metadata Only
No files are stored by the app. Certificate details (subject, issuer, expiry, SANs) are tracked in a local JSON database. Your files remain wherever you originally saved them.
Master Password Vault
- Key derivation: PBKDF2-SHA256 with 310,000 iterations and a 32-byte random salt per vault.
- Encryption: AES-256-GCM with a random nonce per file.
- Password verification: A known constant is encrypted and stored; correct password is confirmed by successful decryption — the password itself is never stored.
- Recovery: None. If you forget the vault password, the encrypted files cannot be decrypted by anyone, including the developer. There is no reset mechanism.
- Storage location: ~/Library/Application Support/tech.cmdlab.prism/vault/{entry-id}/ — file permissions set to 0600/0700.
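As an added example (not PRISM's own code, which the page does not show), the Master Password Vault scheme above written out in Go with only the standard library: PBKDF2-SHA256 at 310,000 iterations over a 32-byte random salt, a known constant encrypted under the derived key as the only stored password check, and AES-256-GCM sealing with a fresh random nonce. The constant's value, the function names and the nonce || ciphertext || tag layout are assumptions; PBKDF2 is written against crypto/hmac so nothing outside the standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Values from the page: PBKDF2-SHA256 at 310,000 iterations, a 32-byte salt, AES-256-GCM with a 12-byte nonce.
const iterations, saltLen, nonceLen = 310_000, 32, 12
var verifierPlaintext = []byte("prism-vault-check") // hypothetical stand-in for the "known constant" the page does not name
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// deriveKey is RFC 8018 PBKDF2-HMAC-SHA256 on the standard library's hmac; one 32-byte block is the whole AES-256 key.
func deriveKey(password string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt) // U_1 = PRF(P, S || INT(1)); INT(1) is fed on the first loop pass
	t, u := make([]byte, sha256.Size), []byte{0, 0, 0, 1}
	for i := 0; i < iterations; i++ {
		prf.Write(u)
		u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
		prf.Reset()
		for j := range t {
			t[j] ^= u[j] // T_1 = U_1 xor U_2 xor ... xor U_c
		}
	}
	return t
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// newVault stores a fresh salt plus the constant sealed as nonce || ciphertext || tag; the password itself is never written.
func newVault(password string) (salt, verifier []byte) {
	salt, nonce := make([]byte, saltLen), make([]byte, nonceLen)
	must(rand.Read(salt))
	must(rand.Read(nonce))
	return salt, aead(deriveKey(password, salt)).Seal(nonce, nonce, verifierPlaintext, nil)
}
// unlock accepts a password only if the verifier decrypts (GCM tag intact) to the constant under the recomputed key.
func unlock(password string, salt, verifier []byte) (key []byte, ok bool) {
	key = deriveKey(password, salt)
	if len(verifier) < nonceLen {
		return key, false
	}
	pt, err := aead(key).Open(nil, verifier[:nonceLen], verifier[nonceLen:], nil)
	return key, err == nil && hmac.Equal(pt, verifierPlaintext)
}
```

A wrong password, a flipped bit in the verifier, or a truncated verifier all come back as ok == false from the GCM tag check alone, and because neither the password nor the key is stored there is nothing a reset path could use, which is the no-recovery property the list above describes.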
Keychain Vault
- Key storage: A 256-bit AES key is generated once and stored in the macOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly.
- Sensitive files (private key, PFX): encrypted with AES-256-GCM using the Keychain key.
- Non-sensitive files (CSR, signed certificate, chain): stored as file path references — files remain in their original location on disk.
- Protection level: The vault key is accessible to any process running as your macOS user account when the screen is unlocked. Anyone with your macOS login credentials can access the vault.
Cryptographic Implementation
PRISM uses standard cryptographic libraries that are part of the macOS operating system. No custom cipher implementations, custom padding schemes, or non-standard key derivation functions are used. This means security properties depend on the correctness of these well-established, widely-audited system libraries — not on any code written specifically for PRISM.
What Is NOT Protected
- The inventory metadata database (inventory.json) is stored as plain JSON. It contains certificate details (subject, issuer, expiry, SANs) but not key material. File permissions are set to 0600.
- Path references in Keychain and Metadata Only modes point to files outside the app's vault. If those files are moved, deleted, or accessed by other processes, the app has no control over that.
- The app does not prevent screen capture, memory inspection, or access by processes running under the same user account.
Intended Use
PRISM is designed for individual practitioners and small teams managing certificates in development, staging, and professional environments. It is appropriate for storing private keys associated with certificates that can be revoked and reissued if compromised.
PRISM is not a replacement for a Hardware Security Module (HSM), enterprise Key Management System (KMS), or any system subject to compliance mandates (PCI-DSS, HIPAA, FedRAMP, etc.) that require dedicated key custody controls.
Developer Disclaimer
PRISM is a personal productivity tool. It is not a certified key management system (KMS), hardware security module (HSM), or independently audited security product. Do not use it as the sole storage for private keys in production environments where revocation and reissuance would not be a viable response to a compromise.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. IN NO EVENT SHALL THE DEVELOPER BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
You assume full responsibility for key management decisions made using this tool.