Aegiro

Local-only encrypted vault for macOS

Encrypt sensitive files locally with post-quantum key protection.

Aegiro protects files on-device with modern cryptography. No cloud dependency, no telemetry, and clear recovery workflows.

Download for macOSRead Technical Docs
  • Argon2id
  • AES-256-GCM
  • ChaCha20-Poly1305
  • Kyber512
  • Dilithium2

Trust highlights

Local-only by default

Vault and USB encryption flows run on your Mac with no network service required.

Post-quantum encryption scheme

Built for post-quantum resilience against harvest-now/decrypt-later threats.

Fully open source

Aegiro is entirely open source and available on GitHub for transparent review.

What You Can Do

Security primitives wired to practical workflows.

AGVT encrypted vault core

The runtime format uses a length-prefixed sequential layout: wraps, index, manifest, chunk map, then encrypted chunks.

CLI coverage for daily operations

Create/import/list/export plus doctor, verify, status, backup, and restore for maintainable vault operations.

Post-quantum recovery wrapping

APFS and USB container recovery bundles combine Kyber512 with Argon2id and AES-GCM wraps.

USB modes for mixed filesystems

Use APFS in-place encryption, portable encrypted sparsebundles, or usb-vault-pack for non-APFS user data.

USB Protection Options

Choose the mode that fits your drive.

Encrypt an APFS drive

apfs-volume-encrypt / apfs-volume-decrypt

Runs in-place APFS volume encryption through diskutil and saves a target-bound recovery bundle (*.aegiro-diskkey.json).

  • Best for dedicated APFS external drives
  • Encrypts the full volume at rest
  • Supports --dry-run and --force recovery-bundle workflows

Create a portable encrypted container

usb-container-*

Creates an encrypted APFS sparsebundle on exFAT/FAT/NTFS/APFS hosts plus a recovery bundle (*.aegiro-usbkey.json).

  • Best for cross-filesystem USB portability
  • Can open via recovery passphrase or --container-passphrase
  • Uses hdiutil AES-256 container encryption

Encrypt files on non-APFS USB drives

usb-vault-pack

Scans user files, skips system metadata paths, and packs content into an AGVT vault with optional --delete-originals cleanup.

  • Best for existing non-APFS USB folders
  • Dry-run mode previews file counts before encryption
  • Outputs one portable .agvt vault file

Screenshots & mockups

Clean workflows built for real use.

First Run mockup

First Run

Simple start screen to create a new vault or open one you already have.

Main Shell mockup

Main Shell

Main workspace with lock status, file browsing, and quick security actions.

USB Encryption Workspace mockup

USB Encryption Workspace

Dedicated USB Encryption page for APFS volume encrypt/decrypt, container workflows, and usb-vault-pack.

Download Options

Choose your installation path.

1. Direct app download

Download for macOS

Download a prebuilt app package for macOS with post-quantum key protection. Current builds are unsigned, so macOS may show a first-launch warning.

If you see “Aegiro” Not Opened, open System Settings > Privacy & Security, then in the Security section, click Open Anyway for Aegiro.

2. Open source: build it yourself

GitHub source

Build from source if you want full control, local verification, and transparent review of the code.