Security is the foundation of bundl. This page explains how we protect your private keys and what you should do to stay safe.

Architecture Overview

┌─────────────────────────────────────────────────────────────┐
│                     YOUR DEVICE                              │
│  ┌─────────────────────────────────────────────────────┐   │
│  │                    bundl App                         │   │
│  │  ┌─────────────┐    ┌────────────────────────────┐  │   │
│  │  │  Master     │───▶│  AES-256-GCM Encryption    │  │   │
│  │  │  Password   │    │  Key Derivation (PBKDF2)   │  │   │
│  │  └─────────────┘    └────────────────────────────┘  │   │
│  │                              │                       │   │
│  │                              ▼                       │   │
│  │  ┌────────────────────────────────────────────────┐ │   │
│  │  │              Encrypted Vault                    │ │   │
│  │  │  • Private keys (encrypted)                     │ │   │
│  │  │  • Wallet labels                                │ │   │
│  │  │  • Address book                                 │ │   │
│  │  └────────────────────────────────────────────────┘ │   │
│  └─────────────────────────────────────────────────────┘   │
│                                                             │
│  📁 Local Storage Only - Never Uploaded                     │
└─────────────────────────────────────────────────────────────┘

                         ❌ NO CONNECTION TO ❌
                    ┌────────────────────────────┐
                    │    bundl Servers           │
                    │    Cloud Storage           │
                    │    Analytics/Tracking      │
                    └────────────────────────────┘

Core Security Principles

1. Local-Only Storage

Your private keys never leave your device. bundl stores all wallet data in an encrypted file on your local filesystem:
  • macOS: ~/Library/Application Support/com.bundl.desktop/
  • Windows: %APPDATA%\com.bundl.desktop\
  • Linux: ~/.local/share/com.bundl.desktop/
There are no servers. No cloud backup. No syncing. Your keys stay on your machine.

2. AES-256-GCM Encryption

All wallet data is encrypted with AES-256-GCM, an authenticated encryption mode: besides hiding the data, it attaches a 16-byte authentication tag, so a vault that has been modified, or is opened with the wrong key, is rejected instead of yielding garbage. AES-256 is the same cipher used by:
  • US Government (Top Secret classification)
  • Major banks and financial institutions
  • Password managers like 1Password and Bitwarden
The encryption key is derived from your master password using PBKDF2-SHA256 with 100,000 iterations. Each password guess therefore costs an attacker 100,000 HMAC computations, which makes guessing a strong password impractical; it does not rescue a weak one, so the password guidance below matters as much as the cipher.

3. Zero-Knowledge Design

There are no bundl servers, so we never have access to:
  • Your master password
  • Your private keys
  • Your wallet addresses
  • Your transaction history
  • Any usage data
If you forget your master password, we cannot recover it. There is no “forgot password” flow. The third-party endpoints the app queries to read the chain (listed in the FAQ below) do see the addresses you look up and your IP address, as with any wallet that reads on-chain data; nothing goes to bundl.

4. Open Source

bundl’s code is open source. You can:
  • Audit the encryption implementation
  • Verify there’s no data exfiltration
  • Build from source yourself
  • Fork and modify as needed

Technical Details

Key Derivation

   Master Password
         │
         ▼
   PBKDF2-SHA256 (100,000 iterations, random per-vault salt)
         │
         ▼
   256-bit Key
         │
         ▼
   AES-256-GCM
         │
         ▼
   Encrypted Vault

Your master password is never written to disk. Only the derived key is used, and it exists in memory only while the app is unlocked.

Vault Format

The vault file (wallets.vault) is a JSON structure whose payload is encrypted with AES-256-GCM:
{
  "version": 1,
  "salt": "random-salt-for-key-derivation",
  "iv": "random-initialization-vector",
  "ciphertext": "encrypted-wallet-data"
}
Three things to look for when auditing this format: the 16-byte GCM authentication tag has to be stored alongside the ciphertext (conventionally appended to it); the iv must be freshly random on every write, because reusing a GCM nonce under the same key breaks both confidentiality and authentication; and the version, salt and iv fields are only protected from tampering if they are passed to GCM as additional authenticated data.
The decrypted content contains:
{
  "wallets": [
    {
      "id": "uuid",
      "label": "main-wallet",
      "publicKey": "8xK4...",
      "secretKey": [/* 64 bytes: Solana's standard keypair layout, the 32-byte ed25519 seed followed by the 32-byte public key */]
    }
  ],
  "addressBook": [...],
  "settings": {...}
}

Memory Safety

bundl is built with Tauri, so the sensitive code runs in a Rust backend:
  • The JavaScript UI has no access to raw private keys; they are handled only by the Rust backend
  • Rust’s memory safety rules out the memory-corruption bugs (buffer overflows, use-after-free) common in C/C++ code; it does not prevent logic errors, and it cannot stop malware that reads the process’s memory while the app is unlocked
  • Keys are zeroed from memory when the app locks

Best Practices

Password Strength

Your master password is the only thing protecting your wallets. Choose wisely:

✅ Good Password

  • 16+ characters
  • Mix of upper, lower, numbers, symbols
  • Unique to bundl
  • Stored in a password manager

❌ Bad Password

  • Short (under 12 characters)
  • Common words or phrases
  • Reused from other sites
  • Written on a sticky note

Backup Your Keys

bundl encrypts your keys locally, but a single copy on one disk is not a backup. Keep one:
  1. Export individual keys:
    • Click wallet → Menu (•••) → Export Private Key
    • Store the key securely (password manager, encrypted drive)
  2. Export all wallets (Pro):
    • Click [export] in the action bar
    • Choose CSV format with private keys
    • The CSV holds your keys in plaintext: write it only to an encrypted volume, and delete it once the backup is stored securely
Never share your private keys. Anyone with your private key can steal all funds from that wallet.

Secure Your Device

bundl is only as secure as the device it runs on:
  • Keep your OS updated
  • Use full-disk encryption (FileVault, BitLocker)
  • Don’t install software from untrusted sources
  • Use a firewall
  • Be wary of phishing attempts

Lock When Away

Always lock bundl when you step away:
  • Press ⌘L (macOS) or Ctrl+L (Windows, Linux)
  • Or click the lock icon
The app automatically locks when closed.

What bundl Does NOT Protect Against

bundl cannot protect you from the following; the mitigation is on you:

  Threat                            Mitigation
  ───────────────────────────────   ──────────────────────────────────────
  Malware on your device            Keep your OS updated, use antivirus
  Physical access to unlocked app   Lock bundl when away
  Phishing attacks                  Verify URLs, never share keys
  Clipboard hijacking               Clear clipboard after copying addresses
  Social engineering                Never share your password or keys
  Lost/forgotten password           Store password in a secure manager

Clearing the clipboard limits how long a copied address is exposed; it does not catch a swapper that replaced the address the moment you copied it, so compare the pasted destination with the one you intended before confirming any transaction.
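An added example, not bundl's code, of the check a wallet can make against the clipboard-hijacking row above, assuming the addressBook entries carry a label and a base58 address as in the decrypted vault: decode the pasted address (Solana addresses are base58-encoded 32-byte ed25519 public keys), look it up in the address book, and flag anything unknown for manual comparison. The address book and the sample addresses in main are constructed; the all-ones address is the Solana system program, whose key is 32 zero bytes.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// Solana addresses are base58 (Bitcoin alphabet: no 0, O, I or l) encodings of 32-byte ed25519 keys.
const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// Contact is one addressBook entry, as in the decrypted vault above.
type Contact struct {
	Label, Address string
}

// DecodeAddress base58-decodes s and requires exactly 32 bytes; anything else
// cannot be a Solana account address, however plausible it looks.
func DecodeAddress(s string) ([]byte, error) {
	n, zeros := new(big.Int), 0
	for i, c := range s {
		idx := strings.IndexRune(alphabet, c) // alphabet is ASCII, so the byte index is the digit value
		if idx < 0 {
			return nil, fmt.Errorf("character %q at position %d is not base58", c, i)
		}
		if n.Sign() == 0 && c == '1' {
			zeros++ // leading '1's stand for leading zero bytes
		}
		n.Mul(n, big.NewInt(58))
		n.Add(n, big.NewInt(int64(idx)))
	}
	raw := append(make([]byte, zeros), n.Bytes()...)
	if len(raw) != 32 {
		return nil, fmt.Errorf("decodes to %d bytes, want 32", len(raw))
	}
	return raw, nil
}

// Verdict is what the confirmation dialog should show before a transaction is signed.
type Verdict struct {
	Valid bool   // well-formed 32-byte address
	Label string // address-book label, empty if unknown
	Note  string
}

// CheckDestination runs on the pasted destination. A clipboard swapper replaces
// the copied address with the attacker's, which is just as well-formed, so the
// format check alone proves nothing; a known label does, and for an unknown
// address the user must compare it against the source character by character.
func CheckDestination(pasted string, book []Contact) Verdict {
	pasted = strings.TrimSpace(pasted)
	if _, err := DecodeAddress(pasted); err != nil {
		return Verdict{Note: "invalid address: " + err.Error()}
	}
	for _, c := range book {
		if c.Address == pasted {
			return Verdict{Valid: true, Label: c.Label, Note: "matches address book entry " + c.Label}
		}
	}
	// A valid address is at least 32 characters, so the slices below are safe.
	return Verdict{Valid: true, Note: "not in address book; compare " + pasted[:4] + "..." + pasted[len(pasted)-4:] + " with the address you copied"}
}

// SwappedInClipboard is the check the app itself can make: it knows what it
// placed on the clipboard, so a different value coming back means something altered it.
func SwappedInClipboard(copied, pasted string) bool {
	return strings.TrimSpace(copied) != strings.TrimSpace(pasted)
}

func main() {
	// Constructed address book; the system program address is the well-known all-zero key.
	book := []Contact{{Label: "System Program", Address: "11111111111111111111111111111111"}}
	for _, a := range []string{"11111111111111111111111111111111", "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA", "0xdeadbeef"} {
		fmt.Printf("%-44s %+v\n", a, CheckDestination(a, book))
	}
}
```

The length check matters as much as the alphabet check: a base58 string that decodes to 31 or 33 bytes is not an account at all, and funds sent to a malformed destination are not recoverable.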

Security Checklist

Before using bundl with significant funds:
  • Created a strong, unique master password
  • Stored password in a secure password manager
  • Exported and backed up private keys
  • Verified you’re using the official bundl app
  • Device has full-disk encryption enabled
  • OS and apps are up to date

Reporting Vulnerabilities

If you discover a security vulnerability:
  1. Do not disclose it publicly
  2. Email [email protected] with details
  3. We’ll respond within 48 hours
  4. Eligible reports may receive a bounty

Frequently Asked Questions

Can bundl reset or recover my master password?
No. We never have access to your password, and it is not stored anywhere, encrypted or otherwise; only a key derived from it exists in memory while the app is unlocked. If you lose it, you lose access to your wallets.

What happens if my device is lost, stolen or wiped?
Your wallet data lives only on that device. If you haven’t backed up your private keys, they’re lost. Always export and back up your keys.

Is bundl safer than a browser wallet?
In many ways, yes:
  • No connection to websites (no phishing via dApp connections)
  • No browser-extension attack surface
  • Local-only storage
  • Native app (not running in a browser sandbox)

Can my keys be read while bundl is locked?
No. When locked, the encryption key is cleared from memory. The vault file is just encrypted bytes.

Does bundl send any data about me anywhere?
No. The only network requests bundl makes are:
  • Solana RPC (to read blockchain data)
  • Helius API (for token metadata)
  • Jupiter API (for swaps, Pro only)
These providers necessarily see the addresses you query and the IP address you connect from, as with any wallet that reads the chain. No data about you or your wallets is ever sent to bundl servers (because there are no bundl servers).