Desktop App

Last Updated: 2026-02-09


The cloak.business desktop application provides a local interface for secure document processing. Documents stay on your device, and only extracted text is sent for analysis.


Table of Contents

  1. Overview
  2. Installation
  3. How It Works
  4. Features
  5. Processing Documents
  6. Encryption Keys
  7. Presets
  8. System Requirements

Overview

The desktop app brings cloak.business functionality to your local machine. It is designed for users who prefer a native application experience or need to process sensitive documents without uploading full files to the cloud.

Key benefits:

  • Documents remain on your device -- only extracted text is sent for analysis.
  • Drag-and-drop support for quick document loading.
  • Encrypted local vault for storing analysis history and encryption keys.
  • Full access to all anonymization methods and presets.

Installation

  1. Go to cloak.business and navigate to the Downloads section.
  2. Download the installer for your operating system.
  3. Run the installer and follow the on-screen instructions.
  4. Launch the application and sign in with your cloak.business account.

Platform Availability

Platform | Installer | Requirements
Windows | NSIS .exe / MSI | Windows 10 x64 or later
macOS | Universal .dmg | macOS 10.15 (Catalina) or later, Intel + Apple Silicon
Linux | .AppImage / .deb | Ubuntu 22.04+ or equivalent (libwebkit2gtk-4.1-0, libssl3)

How It Works

The desktop app processes documents in a privacy-focused pipeline:

  1. Local file loading -- you select a file from your device. The file is opened and read locally.
  2. Text extraction -- text is extracted from the document on your machine. The original file is never uploaded.
  3. Analysis -- the extracted text is sent to the cloak.business analysis engine for PII detection.
  4. Results -- detection results are returned to your desktop app.
  5. Anonymization -- you choose anonymization methods and the text is anonymized.
  6. Reconstruction -- the anonymized text is used to reconstruct the document locally on your device.

At no point is the original document file sent to or stored on cloak.business servers.


Features

Drag and Drop

Drag files directly from your file explorer into the application window. Multiple files can be dropped at once for batch processing.

Supported File Formats

Format | Extension
PDF | .pdf
Word | .docx
Plain Text | .txt
CSV | .csv

Zero-Knowledge Security

The desktop app uses two independent encryption layers:

Layer 1 — Local Vault (AES-256-GCM)

The vault stores history, API tokens, and encryption keys on your device:

  • Key derived from your 24-word BIP39 recovery phrase via Argon2id (64 MB, 3 iterations)
  • PIN quick-unlock: a separate Argon2id derivation (16 MB, 2 iterations) for faster access
  • Encrypted with AES-256-GCM — only accessible with your recovery phrase or PIN
  • If you reinstall without exporting your vault, locally-stored data is permanently lost

Layer 2 — ZK Authentication + Server Data (XChaCha20-Poly1305)

When you log in, your password never leaves your device:

  1. Your password + email produce a deterministic Blake2b salt
  2. Argon2id (64 MB, 3 iterations) derives a 64-byte master key
  3. HKDF-Blake2b derives 6 domain-separated 32-byte keys: auth, data-encryption, key-encryption (KEK), recovery, verification, session
  4. Only SHA256(authKey) is sent to the server for login — never the key, never the password
  5. Only SHA256(sessionKey) is sent once for session binding
  6. Server-synced data (presets, entities) is encrypted with XChaCha20-Poly1305 using your data key — the server stores only ciphertext it cannot decrypt
  7. All derived keys are zero-wiped from memory (ZeroizeOnDrop) when you log out

What the server never sees: your password, master key, or any of the 6 derived keys.
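The Layer 2 derivation chain above, as an added example (not cloak.business code). scrypt stands in for Argon2id because the Python standard library has no Argon2, and the salt construction, the HKDF variant (RFC 5869 over HMAC-BLAKE2b) and the info labels are assumptions.

```python
import hashlib
import hmac

# Hypothetical HKDF info labels: the page names six key purposes, not the strings.
LABELS = ("auth", "data-encryption", "key-encryption",
          "recovery", "verification", "session")


def derive_salt(email: str, password: str) -> bytes:
    """Deterministic Blake2b salt from email + password (encoding is assumed)."""
    material = email.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.blake2b(material, digest_size=16).digest()


def master_key(email: str, password: str) -> bytes:
    """64-byte master key. scrypt is a stand-in for Argon2id (64 MB, 3 iterations)."""
    return hashlib.scrypt(password.encode(), salt=derive_salt(email, password),
                          n=2**14, r=8, p=1, dklen=64)


def hkdf_blake2b(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with HMAC-BLAKE2b-512; one expand block covers length <= 64."""
    prk = hmac.new(b"\x00" * 64, ikm, hashlib.blake2b).digest()      # extract
    okm = hmac.new(prk, info + b"\x01", hashlib.blake2b).digest()    # expand, T(1)
    return okm[:length]


def derive_keys(email: str, password: str) -> dict:
    """Six domain-separated 32-byte keys from one master key."""
    mk = master_key(email, password)
    return {label: hkdf_blake2b(mk, label.encode()) for label in LABELS}


def login_message(keys: dict) -> dict:
    """What leaves the device: SHA-256 of two derived keys, nothing else."""
    return {
        "auth_verifier": hashlib.sha256(keys["auth"]).hexdigest(),
        "session_binding": hashlib.sha256(keys["session"]).hexdigest(),
    }


def server_check(stored_verifier: str, presented: str) -> bool:
    """Server-side comparison of the login verifier in constant time."""
    return hmac.compare_digest(stored_verifier, presented)
```

The data-encryption key never appears in `login_message`, which is why the server can authenticate the user yet holds only ciphertext for synced presets and entities.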

Encrypted Local Vault

The vault stores the following data encrypted with AES-256-GCM:

  • Analysis history -- past analyses saved locally for reference and deanonymization
  • API token -- stored encrypted; never exposed to the UI layer
  • Encryption keys -- keys used for the reversible Encrypt anonymization method
  • The vault requires your recovery phrase or PIN to unlock — not your account password

All Anonymization Methods

The desktop app supports all five anonymization methods:

  • Replace, Redact, Hash, Encrypt, and Mask.
  • Per-entity type configuration is available, just like the web app.

Processing Documents

Step-by-Step

  1. Open the app and sign in with your cloak.business account.
  2. Load a document by clicking Open File or dragging it into the window.
  3. Select a preset or configure entity types manually.
  4. Click Analyze to detect PII in the extracted text.
  5. Review results -- detected entities are listed with types, values, and confidence scores.
  6. Choose anonymization methods for each entity type or apply a global method.
  7. Click Anonymize to produce the anonymized output.
  8. Save the anonymized document to your device.

Token Usage

The desktop app uses the same token balance as the web app. Text analysis consumes tokens based on character count. See the Token System guide for details.


Encryption Keys

When using the Encrypt anonymization method:

  • Your encryption key is stored in the local encrypted vault.
  • Keys are associated with specific anonymization operations.
  • You can retrieve keys later to deanonymize text.
  • Back up your keys. If you lose access to the vault (e.g., by reinstalling the app without exporting keys), encrypted text cannot be recovered.

Presets

The desktop app includes the same 220+ presets available in the web app:

  • 88 country-specific presets
  • 15 regional presets (EU, DACH, Nordic, APAC, MENA, etc.)
  • Industry presets (GDPR, HIPAA, PCI-DSS, Finance, HR, Legal)
  • Custom entity selection

Preset selection and entity configuration work identically to the web app. See Presets & Entity Configuration for details.


System Requirements

Requirement | Minimum
Windows | Windows 10 x64 or later
macOS | macOS 10.15 (Catalina) or later
Linux | Ubuntu 22.04+ or equivalent (libwebkit2gtk-4.1-0, libssl3)
RAM | 4 GB
Disk space | 200 MB
Internet | Required for PII analysis (text is sent to the cloak.business API)

The desktop app requires an active internet connection to perform PII detection. Document loading, text extraction, vault operations, and result reconstruction all happen locally on your device.