Security
Security architecture and privilege handling
Profile Magician handles sensitive system operations. Here is how we ensure security.
Privileges
Profmage requires Administrator elevation. Internally, it enables specific Windows Privileges only when needed:
- SeTakeOwnershipPrivilege: To modify ACLs on files owned by other users.
- SeRestorePrivilege: To bypass write checks when restoring profile data.
- SeBackupPrivilege: To bypass read checks.
- SeDebugPrivilege: To inspect and kill locking processes.
Encryption
Cloud Configurations
When you create a Job in the web portal with a password:
- Your password is used to derive a key (PBKDF2).
- Sensitive data (such as domain credentials) is encrypted (AES-256-GCM) in your browser.
- Only the encrypted blob is sent to our servers.
- Our servers never see your password or the sensitive plaintext data.
- The client decrypts the blob locally using the password you provide at runtime.
General configuration data, including user mappings and target domains, is stored in plaintext. Sensitive credentials remain fully encrypted.
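The portal-to-client flow described above, as an added example that is not Profile Magician's own code: it uses the Web Crypto API to derive a key with PBKDF2 and seal the credentials with AES-256-GCM, leaving general settings in plaintext. Assumptions not stated on the page: PBKDF2 with SHA-256 and 600,000 iterations, a 16-byte salt, a 12-byte IV, the JSON field names, and binding the plaintext settings to the ciphertext as GCM additional data so that edits to them are detected at decryption.

```javascript
// Added example: KDF parameters and blob layout are assumptions, not the product's format.
const KDF = { name: 'PBKDF2', hash: 'SHA-256', iterations: 600000 };

// Web Crypto is a browser global; under older Node fall back to node:crypto's copy.
async function webCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

const utf8 = (s) => new TextEncoder().encode(s);
const toB64 = (u8) => btoa(String.fromCharCode(...u8));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Password -> non-extractable AES-256-GCM key.
async function deriveKey(wc, password, salt, iterations) {
  const material = await wc.subtle.importKey('raw', utf8(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ ...KDF, salt, iterations }, material,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Portal side: the returned object is the only thing that would be sent to the server.
async function sealJob(password, general, secrets) {
  const wc = await webCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // must be fresh for every encryption
  const key = await deriveKey(wc, password, salt, KDF.iterations);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: utf8(JSON.stringify(general)) },
    key, utf8(JSON.stringify(secrets)));
  return { general, kdf: { ...KDF, salt: toB64(salt) }, iv: toB64(iv),
    blob: toB64(new Uint8Array(ct)) };
}

// Client side: password is supplied at runtime. Rejects on a wrong password,
// a modified blob, or modified plaintext settings (GCM tag check fails).
async function openJob(password, job) {
  const wc = await webCrypto();
  const key = await deriveKey(wc, password, fromB64(job.kdf.salt), job.kdf.iterations);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(job.iv), additionalData: utf8(JSON.stringify(job.general)) },
    key, fromB64(job.blob));
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed sample values, for illustration only.
sealJob('correct horse battery', { targetDomain: 'corp.example' },
  { user: 'svc-migrate', password: 'S3cr3t-Value!' }).then((job) => console.log(job));
```
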
Licensing
Licenses are verified using Ed25519 signatures. The client contains the public key and verifies that the license token was signed by our offline private key.
Data Privacy
- Logs: Logs are uploaded via HTTPS to secure S3 buckets using pre-signed URLs. They are accessible only by authenticated members of your organization.
- Telemetry: We collect machine hardware IDs, OS versions, and success/failure rates. We do not collect passwords, file contents, or browsing history (only metadata like "Profile Name" and "Last Synced Time").