Add Vaults and Data Handling

Vaults-and-Data-Handling.md

@@ -0,0 +1,51 @@
+# Vaults and Data Handling
+
+This page summarizes how Project Journal handles encrypted vault storage and decrypted working data.
+
+## Storage Model
+
+- Encrypted vault files live in `journal/vault/`
+- Decrypted working files live in `journal/data/`
+- Vault format is monthly: `YYYY-MM.vault`
+
+## Encryption
+
+- AES-256-GCM for vault payload encryption
+- PBKDF2-HMAC-SHA256 key derivation
+- Encrypted payload layout: `salt + nonce + tag + ciphertext`
+
+## Vault Workflow
+
+### Load
+
+When loading vaults:
+
+1. Decrypted data workspace is cleared
+2. All monthly vaults are decrypted/extracted
+3. Journal files are available for active editing/search
+
+### Save
+
+Two save patterns exist:
+
+- Current-month optimized save (faster in-session saves)
+- Full vault rebuild from decrypted markdown files (comprehensive)
+
+## Security Notes
+
+- Decrypted files are intended to be temporary working data.
+- Graceful shutdown path clears decrypted workspace.
+- Keep backups of encrypted vault files, not decrypted data.
+
+## Operational Recommendations
+
+- Always run controlled shutdown to trigger cleanup.
+- Use strong vault passwords.
+- Store vault backups on trusted storage.
+- Test restore procedures periodically.
+
+## Related Source Files
+
+- `journal/core/storage.py`
+- `journal/core/encryption.py`
+- `journal/core/config.py`