From ef5e51da0a901de79c49f27ca965cc4f6105516d Mon Sep 17 00:00:00 2001 From: stan44 Date: Sat, 21 Feb 2026 23:30:56 -0600 Subject: [PATCH] Add Vaults and Data Handling --- Vaults-and-Data-Handling.md | 51 +++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 Vaults-and-Data-Handling.md diff --git a/Vaults-and-Data-Handling.md b/Vaults-and-Data-Handling.md new file mode 100644 index 0000000..3b3bb44 --- /dev/null +++ b/Vaults-and-Data-Handling.md @@ -0,0 +1,51 @@ +# Vaults and Data Handling + +This page summarizes how Project Journal handles encrypted vault storage and decrypted working data. + +## Storage Model + +- Encrypted vault files live in `journal/vault/` +- Decrypted working files live in `journal/data/` +- Vault format is monthly: `YYYY-MM.vault` + +## Encryption + +- AES-256-GCM for vault payload encryption +- PBKDF2-HMAC-SHA256 key derivation +- Encrypted payload layout: `salt + nonce + tag + ciphertext` + +## Vault Workflow + +### Load + +When loading vaults: + +1. Decrypted data workspace is cleared +2. All monthly vaults are decrypted/extracted +3. Journal files are available for active editing/search + +### Save + +Two save patterns exist: + +- Current-month optimized save (faster in-session saves) +- Full vault rebuild from decrypted markdown files (comprehensive) + +## Security Notes + +- Decrypted files are intended to be temporary working data. +- Graceful shutdown path clears decrypted workspace. +- Keep backups of encrypted vault files, not decrypted data. + +## Operational Recommendations + +- Always run controlled shutdown to trigger cleanup. +- Use strong vault passwords. +- Store vault backups on trusted storage. +- Test restore procedures periodically. + +## Related Source Files + +- `journal/core/storage.py` +- `journal/core/encryption.py` +- `journal/core/config.py`
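Review bot: The Encryption section documents the layout `salt + nonce + tag + ciphertext` and names PBKDF2-HMAC-SHA256, but leaves out the parameters a reader needs to verify or reimplement it: the PBKDF2 iteration count, the salt, nonce and tag lengths, and whether a fresh salt and nonce are generated on every save. The last item matters most for the "Current-month optimized save" pattern under Save, where the same `YYYY-MM.vault` is rewritten repeatedly and AES-GCM must never reuse a nonce under one key; suggest stating the regeneration rule explicitly next to the layout line. In Security Notes, "Graceful shutdown path clears decrypted workspace" leaves the non-graceful case undocumented: add a line on what happens to plaintext in `journal/data/` after a crash or kill (step 1 under Load appears to be the only other cleanup point), and say whether "clears" means plain deletion or overwrite.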