Back up your laptop without trusting Dropbox, iCloud, or Backblaze with the keys to your data.
"Your laptop blew up. Now you're paying $9/month to a company that can read every file you ever wrote, so you can recover them next time. fallvault is a single HTML file that puts you back in charge."
fallvault walks any folder on your machine, embeds the files, encrypts the whole tree with your passphrase using AES-256-GCM (in your browser, via WebCrypto), then writes the result as a self-contained HTML file. Push the file to a private GitHub repo. Lose your laptop? Clone the repo on any machine, open the HTML, type your passphrase. Your files come back.
GitHub can't read it. Anthropic can't read it. The CIA can't read it (within polynomial time). Only your passphrase opens the vault.
| Provider | Monthly cost | Can read your files? | You own the tool? |
|---|---|---|---|
| Dropbox 2TB | $12 / mo | Yes (TOS §3.3) | No |
| iCloud 2TB | $10 / mo | Yes | No |
| Backblaze | $9 / mo | Yes (server-side enc) | No |
| Carbonite | $9 / mo | Yes | No |
| fallvault | £0 forever | No (client-side AES) | Yes (MIT · fork it) |
Tree-walks your folder. Auto-skips git repos, node_modules, media, binaries. Pure source / configs / notes.
AES-256-GCM with PBKDF2-derived key (200k iterations · SHA-256). Random salt + IV per chunk.
Splits into 90MB sovereign HTML files. Push to private GitHub. Restore anywhere.
Pick a small file, set a passphrase, watch the encryption happen client-side. Nothing leaves your machine — verify in Network tab.
# 1. clone
gh repo clone sjgant80-hub/fallvault
cd fallvault
# 2. set passphrase (PowerShell)
$env:FALLVAULT_PASS = "your-strong-passphrase-write-it-down"
# 3. vault a folder
node fallvault.mjs C:\Users\you\Downloads
# 4. push the encrypted output to a PRIVATE github repo
cd fallvault-out
gh repo create your-user/fallvault-private --private --source=. --push
That's it. From now on, anytime you want a fresh backup, run step 3 + 4 again. Schedule it nightly via Task Scheduler / cron if you want.
Customize via env vars: FALLVAULT_SKIP, FALLVAULT_MAX_FILE, FALLVAULT_MAX_CHUNK, FALLVAULT_SKIP_GIT.
AES-256-GCM is the modern gold standard. PBKDF2-SHA256 with 200,000 iterations meets OWASP 2023 guidance. Salt and IV are 16/12 bytes random per chunk. Auth tag is 16 bytes. The bottleneck is your passphrase — pick 5+ words or a long sentence.
No. By design. That's what makes it sovereign. Write your passphrase on paper. Put the paper in a safe.
Yes — Node 18+. The PowerShell commands above translate directly to bash (export FALLVAULT_PASS="...").
So you can restore from any device, ever, even if Node isn't installed. Phone, library kiosk, friend's laptop. Open the HTML in any modern browser. WebCrypto does the work.
No — by default it skips images/video/binaries because the use case is "if my laptop dies, can I rebuild my work." Configure FALLVAULT_MAX_FILE if you want bigger files included.
Yes. fallvault is one of 60+ sovereign tools in the AI Native Solutions estate. Same philosophy: single HTML files, you own them outright, no SaaS rent.
MIT licensed. Fork it, sell it, white-label it, modify it. The tool is yours.
Built by AI Native Solutions. Part of the sovereign estate. Source on GitHub.