| Internet-Draft | SMVF | January 2026 |
| Keskilammi | Expires 7 July 2026 | [Page] |
The Secure Mobile Vault Format (SMVF) defines a binary container format for storing encrypted password vaults on mobile devices. The format is designed to be offline-first, zero-knowledge, cryptographically robust, and forward-compatible. SMVF specifies strict structural layout, authenticated encryption, and deterministic metadata handling suitable for constrained mobile environments.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/voyager-2021/smv-specification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 July 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents.¶
The Secure Mobile Vault Format (SMVF) defines a binary container format for storing encrypted password vaults on mobile devices. The format is designed to be offline-first, zero-knowledge, cryptographically robust, and forward-compatible.¶
SMVF follows strict principles including explicit headers, typed sections, cryptographic framing, and strict versioning, while remaining minimal and suitable for mobile environments.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The format is designed to meet the following goals:¶
Provide zero-knowledge encryption where vault contents cannot be recovered without the master password.¶
Support offline-only operation with no network dependencies.¶
Be safe for mobile storage, including crash-safe atomic updates.¶
Use authenticated encryption to ensure confidentiality and integrity.¶
Allow future evolution without breaking existing vaults.¶
Remain auditable and deterministic in layout.¶
An SMVF file consists of the following components, in order:¶
File Header (fixed-size)¶
KDF Parameters Section¶
Crypto Parameters Section¶
Encrypted Vault Section¶
Optional Footer¶
All multi-octet integer fields are encoded in network byte order (big-endian). The file is tightly packed and contains no padding.¶
The standard file extension is ".smvf".¶
The file header is a fixed-size structure of 32 octets.¶
The header contains the following fields:¶
Magic (4 octets) Identifies the file as an SMVF container. The value MUST be the ASCII string "SMVF".¶
Major Version (2 octets) Indicates the major format version. Readers MUST reject files with unsupported major versions.¶
Minor Version (2 octets) Indicates backward-compatible revisions.¶
Header Length (4 octets) Total length in octets of all sections except the Encrypted Vault Section length preceding the encrypted payload.¶
Flags (4 octets) Bitmask defining file properties.¶
File UUID (16 octets) Randomly generated UUID version 4 identifier as defined in [RFC9562]. This value is non-secret and MUST NOT be reused.¶
The following header flags are defined:¶
Sections follow a typed-length-value (TLV) model.¶
Each section consists of:¶
The section length specifies the length of the section value only.¶
Unknown section types MUST be skipped using the length field. The section order defined in this specification MUST be preserved.¶
The following section types are defined:¶
0x0001: KDF Parameters Section (REQUIRED)¶
0x0002: Crypto Parameters Section (REQUIRED)¶
0x0003: Encrypted Vault Section (REQUIRED)¶
0x0004-0x7FFF: Reserved for future use and MUST NOT be used¶
No section identifier may be reused for a different purpose.¶
This section defines how the encryption key is derived from the master password.¶
The section value contains the following fields:¶
KDF Algorithm (1 octet)¶
Salt Length (1 octet)¶
Salt (variable length)¶
Cost Parameter A (4 octets)¶
Cost Parameter B (4 octets)¶
Cost Parameter C (4 octets)¶
The following KDF Algorithm identifiers are defined:¶
0x03-0x7F: Reserved for future use and MUST NOT be used¶
The salt is not secret and MUST be generated randomly per vault.¶
For Argon2id, the parameters are defined as follows:¶
For scrypt, the parameters are defined as follows:¶
Implementations SHOULD tune parameters for mobile hardware while maintaining resistance to offline attacks.¶
This section defines the encryption algorithm and parameters used to protect the vault payload.¶
The section value contains the following fields:¶
Cipher Algorithm (1 octet)¶
Key Length (1 octet)¶
Nonce Length (1 octet)¶
Authentication Tag Length (1 octet)¶
Nonce (variable length)¶
The following Cipher Algorithm identifiers are defined:¶
0x03-0x7F: Reserved for future use and MUST NOT be used¶
For AES-256-GCM and ChaCha20-Poly1305, the Key Length MUST be 32 octets.¶
Implementations MUST ensure that a nonce is never reused with the same derived key. The authentication tag is embedded in the AEAD ciphertext and is not stored separately.¶
This section contains the encrypted vault payload.¶
The payload is produced using an AEAD construction with the following inputs:¶
The encryption key is derived from the master password using the KDF Parameters Section.¶
The nonce is taken from the Crypto Parameters Section.¶
The additional authenticated data consists of the File Header, the KDF Parameters Section, and the Crypto Parameters Section.¶
All metadata is authenticated but not encrypted. Any modification to these components MUST cause decryption failure.¶
The AAD input MUST be the exact serialized octet sequence of the File Header followed by the serialized KDF Parameters Section and the serialized Crypto Parameters Section, in file order.¶
Before encryption, the vault payload is serialized JSON as defined in [RFC8259]. All JSON strings MUST be encoded in UTF-8.¶
No canonicalization of the JSON payload is required, as integrity is provided by the enclosing AEAD construction.¶
The top-level object contains the following fields:¶
Each vault entry is a [RFC8259] JSON object containing the following fields:¶
type: Entry type identifier¶
title: Human-readable name¶
fields: Key-value mapping of entry fields¶
notes: Optional freeform text¶
tags: Optional array of strings¶
The type field allows future extension to support non-password secrets.¶
The format relies exclusively on AEAD for security guarantees.¶
The following properties are provided:¶
Confidentiality of vault contents¶
Integrity of vault contents¶
Integrity and authenticity of metadata¶
No separate MAC or digital signature is required.¶
Implementations MUST perform updates atomically to prevent vault corruption.¶
A recommended procedure is as follows:¶
Write the updated vault to a temporary file.¶
Flush and synchronize the file.¶
Atomically rename the temporary file over the existing vault.¶
Optionally retain a backup copy.¶
Mobile operating systems guarantee atomic rename operations within the same filesystem.¶
Implementations MUST enforce the following requirements:¶
Readers MUST reject files with unsupported major versions.¶
Readers MUST ignore unknown section types.¶
Writers MUST preserve section ordering and MUST NOT reuse section identifiers.¶
The format intentionally excludes:¶
The format mitigates:¶
The format does not mitigate:¶
This document has no IANA actions.¶
This document specifies a cryptographic container format intended to protect sensitive data at rest. Security properties and assumptions are discussed throughout the document, including key derivation, authenticated encryption, and memory handling requirements.¶
The format assumes a trusted execution environment and does not protect against compromised operating systems, runtime memory disclosure, or malicious software with sufficient privileges. Implementers are responsible for selecting appropriate cryptographic parameters and ensuring correct use of underlying cryptographic primitives.¶