VaultGuard Documentation

A secure, AES-256 encrypted password vault built right into your WordPress dashboard. Store credentials behind a master password that never leaves your control — only you can unlock your vault.

Overview

VaultGuard is a self-hosted password manager that lives inside your WordPress admin. It stores credentials — logins, API keys, license keys, secrets — encrypted with AES-256, locked behind a master password that you set and that is never written to the database. Without that master password, the encrypted data is unreadable, even to someone with full database access.

Each vault is locked with its own master password and encryption key, and no user can ever see another user's entries. VaultGuard supports two access modes: admin-only (each administrator gets their own private vault) and per-user (every logged-in user gets their own vault). Which modes are available depends on your plan.

VaultGuard is licensed per-site through your Boulley Technology account using a key in the format VGxx-XXXX-XXXX-XXXX-XXXX. Lite runs in admin-only mode with up to 50 entries on one site. Plus (3 sites) and Pro (unlimited sites) add unlimited entries and per-user vaults. Categories, favorites, the password generator, and encrypted JSON import/export are included in every plan. Until a license is activated, the vault runs in a limited mode (up to 15 entries, admin-only).

Installation

Download VaultGuard from your Boulley Technology account or the link in your purchase confirmation email. In WordPress, go to Plugins › Add New › Upload Plugin, select the vaultguard.zip file, and click Install Now, then Activate.

On activation, VaultGuard creates its database tables and generates a unique site salt — a random value stored in your WordPress options that is mixed into every encryption key. This means even two sites using the same master password produce completely different encryption keys.

Once activated, open Tools › VaultGuard to set up your vault. VaultGuard requires PHP 7.4+ and WordPress 5.0+.

HTTPS strongly recommended. Because revealing or copying a password sends the decrypted value from the server to your browser, you should always run VaultGuard on a site served over HTTPS so that traffic cannot be intercepted.

Master Password

The first time you open VaultGuard, you will be prompted to create a master password (minimum 8 characters). This password is the key to your entire vault. It is never stored anywhere — VaultGuard only keeps a one-way verification hash so it can confirm you typed it correctly. The actual encryption key is derived from your password on the fly each time you unlock.

Once set, your vault is unlocked for the duration of your session. When you click Lock, navigate away, or your session ends, the derived key is discarded from memory and you must re-enter the master password to regain access.

There is no recovery. If you forget your master password, your stored passwords cannot be decrypted by anyone — including us. This is by design: it is what makes the vault secure. Choose a strong master password you will remember, and consider keeping a secure offline backup of it.

Unlock Protection

To defend against brute-force guessing, VaultGuard locks unlocking after 5 incorrect attempts for 15 minutes. The lockout is tracked per session and resets automatically once the timer expires or after a successful unlock.

Adding & Managing Entries

With the vault unlocked, click New Entry to store a credential. Each entry has the following fields:

Field	Required	Notes
Title	Yes	A label for the entry, e.g. "GitHub" or "AWS Console".
Username / Email	No	The login identity. Stored in plain text (it is not the secret).
Password	Yes	The secret. Encrypted with AES-256 before it touches the database.
URL	No	The login page. Shown as a clickable host link in the list.
Category	No	Group related entries into categories (requires an active license; otherwise a single "general" category is used).
Favorite	No	Pin important entries to the top of the list (requires an active license).
Notes	No	Free-form notes. Stored alongside the entry.

Click the edit (pencil) icon on any row to update it. When editing, leave the password field blank to keep the existing password — only enter a value if you want to change it. Click the trash icon to delete an entry permanently.

Use the search box to instantly filter the list by title, username, URL, or category as you type.

Entry limits. Before a license is activated the vault holds up to 15 entries; Lite raises this to 50. Plus and Pro are unlimited. When you reach your limit, the quota banner turns red and creating new entries is blocked until you upgrade or remove some entries.

Revealing & Copying Passwords

For security, passwords are shown as dots (••••••••) by default. Each row has three quick actions:

Show / hide (eye icon) — decrypts and reveals the password inline. Click again to hide it.
Copy password (page icon) — decrypts and copies the password straight to your clipboard without ever displaying it.
Copy username (user icon) — copies the username to your clipboard.

Decryption happens on the server only when you request it, and only for the specific entry you act on. The plaintext is never rendered into the page until you explicitly reveal or copy it.

Categories & Favorites

With a Pro license you can assign each entry a category — for example "Hosting", "Social", or "Clients". A category filter bar appears above the table whenever you have more than one category, letting you narrow the list with a single click.

You can also mark entries as favorites by clicking the star icon. Favorites are sorted to the top of the list so your most-used credentials are always within reach.

Password Generator

When adding or editing an entry, a generate (shuffle) button appears next to the password field. Click it to instantly create a strong 20-character password using a cryptographically secure random source in your browser. The generated password is filled into the field and copied to your clipboard so you can paste it into the service you are setting up.

The generator avoids visually ambiguous characters (such as l, 1, O, and 0) and mixes upper- and lower-case letters, digits, and symbols.

Import & Export

Pro vaults can be exported to and imported from JSON. With the vault unlocked, click Export to download a JSON file containing all your entries. Click Import and choose a JSON file to add entries into your vault.

The export format is a simple object with a meta block and an entries array:

{ "meta": { "plugin": "vaultguard", "version": "1.0.0", "exported_at": "2026-05-31T12:00:00+00:00" }, "entries": [ { "title": "GitHub", "username": "you@example.com", "password": "correct-horse-battery-staple", "url": "https://github.com", "notes": "", "category": "dev", "favorite": 1 } ] }

On import, each entry's password is re-encrypted with your vault's key. You can import a plain array of entry objects too — the meta wrapper is optional.

Exports contain plaintext passwords. The downloaded JSON is not encrypted, so anyone who opens the file can read every password. Treat an export file like the passwords themselves: store it somewhere secure, and delete it as soon as you are done with it.

Access Modes

VaultGuard supports two ways of deciding who can use the vault:

Admin-only mode — restricts VaultGuard to administrators. Each administrator still gets their own private, separately-encrypted vault; the menu and all vault functions are unavailable to non-administrators. This is how Lite runs.
Per-user mode — every logged-in user gets their own private vault with its own master password. Vaults are completely isolated; no user can see another's entries, and each is encrypted with a separate key.

Per-user vaults are a Plus-and-up feature. Lite (and the pre-activation limited mode) run in admin-only mode. On Plus and Pro you choose the mode from Tools › VaultGuard › Settings (per-user is the default).

Changing the Master Password

To change your master password, unlock the vault and click Change Master Password. Enter your current password, then the new one twice. VaultGuard verifies the current password, derives a new key, and re-encrypts every entry in your vault with the new key in a single operation. Your session is updated automatically, so you stay unlocked.

Because the change re-encrypts everything, all your existing entries remain accessible under the new password immediately.

How Encryption Works

VaultGuard is built so that your stored passwords are useless to anyone without your master password — including anyone who steals a copy of your database.

Cipher: passwords are encrypted with AES-256-CBC, using a fresh random initialization vector (IV) for every entry.
Key derivation: the encryption key is derived from your master password with PBKDF2-HMAC-SHA256 at 100,000 iterations, which makes brute-forcing the master password extremely slow.
Per-user salt: each user has a unique random salt, so identical master passwords across users never produce the same key.
Per-site salt: a site-wide random salt is mixed in as well, so a database copied to another server cannot have its keys derived without that site's salt.
No stored key: the master password and the derived key are never written to disk. Only a one-way verification hash is stored. The derived key exists only in the PHP session while the vault is unlocked, and is discarded on lock.

What this means in practice: if an attacker dumps your database, they get only ciphertext, random salts, and a verification hash — none of which reveals a single password without your master password.

License Activation

VaultGuard requires a license. Lite unlocks up to 50 entries with an admin-only vault; Plus and Pro unlock unlimited entries and per-user vaults. Until a license is activated, the vault is limited to 15 entries in admin-only mode.

Go to Tools › VaultGuard › Settings, enter your license key (format: VGxx-XXXX-XXXX-XXXX-XXXX) under License, and click Activate. The key is validated against the Boulley Technology license server and bound to your domain. Your plan's features unlock immediately.

To move VaultGuard to another site, click Deactivate License first to free the key. You can also manage activations from the Boulley Technology account portal.

Troubleshooting

"Vault is locked" errors

This means your session no longer holds the derived key — usually because you logged out, your session expired, or the vault was locked in another tab. Simply re-enter your master password to unlock. If it happens unexpectedly often, check whether a caching or session plugin is clearing PHP sessions for logged-in admin requests.

Copy to clipboard does nothing

Browsers only allow clipboard access on secure origins. If your site is served over plain HTTP, the clipboard API is blocked and copy actions will fail silently. Serve the site over HTTPS to enable reliable copying.

Features not appearing after activation

License status is cached for up to 24 hours. After activating, reload the VaultGuard page. If features still don't appear, deactivate and re-activate the license from the Settings tab, and confirm your site can reach boulleytechnology.ca over outbound HTTPS.

Forgotten master password

There is no way to recover a forgotten master password — the vault cannot be decrypted without it. The only path forward is to delete your master-key record and start a new vault, which permanently discards the old encrypted entries. Contact support if you need guidance, but be aware that the existing entries are unrecoverable by design.

FAQ

Can Boulley Technology or my host read my stored passwords?

No. Passwords are encrypted with a key derived from your master password, which is never stored or transmitted. We never see it, and neither does your host — the database only contains ciphertext, salts, and a one-way verification hash. Without your master password, the data cannot be decrypted by anyone.

Does each WordPress user get a separate vault?

Yes. In the default per-user mode, every logged-in user has their own vault, their own master password, and their own encryption key. Vaults are fully isolated — no user can view or decrypt another user's entries. Administrators can switch to admin-only mode to restrict the vault to administrators.

What happens to my entries if I deactivate the plugin?

Deactivating the plugin leaves your data in the database untouched — reactivating restores access to everything. Your encrypted entries, master-key record, and site salt remain in place. (Deleting the plugin does not drop the tables automatically, so your data is safe across updates.)

Can I migrate my vault to another site?

Use the Pro Export feature to download your entries as JSON, then Import them on the new site after setting up a master password there. Because each site has its own site salt, you cannot simply copy the database rows between sites and expect them to decrypt — export/import re-encrypts the data with the destination vault's key.

What can I do before activating my license?

Until you activate a license, VaultGuard runs in a limited mode — up to 15 entries (admin-only) with the core fields (title, username, password, URL, notes), a single category, and the built-in password generator. Activating a license unlocks categories, favorites, and import/export on every plan; Lite raises the cap to 50 entries, while Plus and Pro make entries unlimited and add per-user vaults.

Support

If you run into anything that isn't covered here:

Submit a support ticket at boulleytechnology.ca/support.php
Email support at support@boulleytechnology.ca
General inquiries: info@boulleytechnology.ca

License holders get priority response. We typically reply within a few hours during business hours.