How can I prevent my vault from being accessed by Vault Explorer and other CBFS Vault demo applications?


Here are a handful of strategies for preventing other CBFS Vault-based applications from accessing your Vault, in order from simplest to most complex:

  1. Employ whole-Vault encryption using CBFS Storage's built-in encryption mechanisms.
  2. Employ whole-Vault encryption using a custom encryption mechanism, such as PKI encryption.
  3. Use callback mode, and have your application perform some sort of transformation on the vault's pages on-the-fly (XORing, swapping page order, etc.).
  4. Some combination of the above.

Generally speaking, the more complex your solution is, the less likely it is to be defeated. Using custom encryption and/or callback mode will prevent anyone from accessing your Vault unless they can reverse-engineer how your application implements the applicable events (and, in the case of encryption, obtain the information necessary to decrypt the data). Keep in mind, however, that you may need to take additional steps (such as obfuscating your application's code) to guard against more experienced actors.
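
A sketch of the page transformation from item 3, combining a per-page XOR mask with a keyed swap of page order. This is an added example, not code from the CBFS Vault SDK or from this article, and it does not call the CBFS Vault API. The `PageTransform` class, the 4096-byte page size, the fixed page count, and the in-memory `store` standing in for the vault's backing file are assumptions; in an application the same logic would sit in the callback-mode read and write handlers.

```python
import hashlib
import hmac

PAGE_SIZE = 4096  # assumed page size for this sketch


class PageTransform:
    """Keyed page transform: per-page XOR mask plus a page-order shuffle."""

    def __init__(self, secret: bytes, page_count: int):
        self.secret = secret
        # Keyed permutation: logical page i is stored in physical slot slot_of[i].
        self.slot_of = sorted(range(page_count), key=self._order_tag)

    def _order_tag(self, index: int) -> bytes:
        return hmac.new(self.secret, b"order" + index.to_bytes(8, "big"), hashlib.sha256).digest()

    def _mask(self, index: int, data: bytes) -> bytes:
        # SHAKE-256 over secret + page index yields a distinct mask per page.
        # The mask repeats when a page is rewritten, so treat this as obfuscation
        # layered on top of vault encryption, not as a substitute for it.
        stream = hashlib.shake_256(self.secret + b"mask" + index.to_bytes(8, "big")).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def write_page(self, store: bytearray, index: int, data: bytes) -> None:
        if len(data) != PAGE_SIZE:
            raise ValueError("page must be exactly PAGE_SIZE bytes")
        offset = self.slot_of[index] * PAGE_SIZE
        store[offset:offset + PAGE_SIZE] = self._mask(index, data)

    def read_page(self, store: bytearray, index: int) -> bytes:
        offset = self.slot_of[index] * PAGE_SIZE
        return self._mask(index, bytes(store[offset:offset + PAGE_SIZE]))


def demo():
    # Constructed sample data: four pages, the first starting with a fake header.
    pages = [bytes([n]) * PAGE_SIZE for n in range(4)]
    pages[0] = b"SAMPLE-VAULT-HEADER" + pages[0][19:]
    transform = PageTransform(b"constructed-demo-secret", len(pages))
    store = bytearray(PAGE_SIZE * len(pages))
    for i, page in enumerate(pages):
        transform.write_page(store, i, page)
    restored = [transform.read_page(store, i) for i in range(len(pages))]
    return pages, bytes(store), restored
```

Because both the mask and the slot order are derived from the secret, an application without it reads pages that are neither in the expected position nor in the expected form.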
