StreamStow’s Secure Vault is an encrypted folder on your Mac that hides and protects downloaded videos using AES-256 encryption. When the vault is locked, the files don’t appear anywhere in Finder. You open it with Touch ID or a password, and it locks itself automatically when you step away.
I built up a collection of personal videos, training courses, and public domain films over a couple of years. They were all sitting in ~/Downloads, mixed in with everything else. Anyone who borrowed my laptop could scroll through them. Anyone looking over my shoulder during a screen share could see filenames. That bothered me enough to start looking for a solution, and the vault is what I landed on.
Here’s how it actually works.
How the vault encrypts your files
Every file you send to the vault gets encrypted with AES-256. That’s the same encryption standard used by banks and government agencies for classified data. It’s not marketing language — AES-256 is a specific, auditable algorithm with a 256-bit key length. Breaking it by brute force would take longer than the age of the universe with current hardware.
When you download a video and choose “Save to Vault” instead of the regular download location, StreamStow encrypts the file before writing it to disk. The encrypted data lives in Application Support, not in your Downloads folder. The original file never touches your drive in an unencrypted state.
This matters because of how macOS handles deleted files. When you delete a regular file, the data doesn’t vanish immediately. It stays on disk until something else writes over that space. With the vault, there’s no unencrypted version to delete in the first place.
Touch ID makes it usable every day
Encryption that’s annoying to use is encryption people turn off. I’ve seen this pattern with password managers, encrypted disk images, and FileVault itself. If the friction is too high, people stop using it.
StreamStow’s vault supports Touch ID on any Mac with a fingerprint sensor. Tap your finger. The vault opens. That’s it. No typing a 20-character password every time you want to watch something.
You still set a password as a fallback (for Macs without Touch ID, or if the sensor fails). But day to day, you’re just tapping your finger. The difference in experience is night and day. I went from opening the vault maybe twice a week when it was password-only to using it as my default download location once Touch ID was an option.
Auto-lock keeps things closed when you’re away
The vault doesn’t stay open forever. It locks itself in four situations:
- Your Mac goes to sleep
- The screen locks
- You haven’t interacted with StreamStow for a period of inactivity
- You quit the app
This is the kind of thing that sounds minor until you think about the failure modes. You walk away from your desk for a coffee, someone sits down, and your vault is wide open. Auto-lock prevents that. By the time you’re out of earshot, the vault is sealed.
You don’t need to remember to lock it manually. You don’t need to develop a habit. It just closes.
The vault is invisible when locked
This one surprised me when I first used it. When the vault is locked, the directory doesn’t show up in Finder at all. There’s no grayed-out folder with a lock icon. There’s no “Vault (Locked)” item in a sidebar. The directory is gone.
Someone searching your Mac with Spotlight won’t find vault files. Someone browsing Application Support won’t see a suspicious encrypted folder. The files exist on disk as encrypted data, but there’s nothing pointing to them that a casual user would notice.
This is different from how most encryption tools work. An encrypted disk image, for example, still shows the .dmg file sitting on your drive. Anyone can see it exists even if they can’t open it. The vault’s approach is closer to how hidden volumes work in tools like VeraCrypt, where the goal is that an observer doesn’t know there’s anything to find.
Everything stays local
StreamStow has no servers. No cloud. No sync. Your vault files live on your Mac and nowhere else.
This is a deliberate design choice. The moment encrypted files touch a server, you’re trusting someone else’s security practices, their employee access controls, their patch management, their response to subpoenas. You’re also trusting their business continuity. If the company shuts down, your files need to still be accessible.
With local-only storage, the attack surface is your Mac. That’s it. No one can breach a server that doesn’t exist.
The tradeoff is real, though. If your hard drive fails and you don’t have a backup, those vault files are gone. Time Machine will back up the encrypted data, but you’ll need StreamStow and your vault password to decrypt it on a new machine. Treat your vault password like you’d treat any encryption key — write it down and store it somewhere safe offline.
The vault is optional
You don’t have to use the vault at all. StreamStow works fine as a straightforward video downloader. Regular downloads go to ~/Downloads by default (you can change this in settings). The vault is there when you want it.
I use the vault for maybe half my downloads. Public domain documentaries and Creative Commons lectures? Those go straight to Downloads. Personal content or anything I’d rather keep private? Vault.
There’s no setup wizard forcing you to create a vault password during first launch. You opt in when you’re ready, or never. The app doesn’t nag you about it.
What happens if you forget your password
This is the part where I have to be direct. If you forget your vault password and you haven’t set up Touch ID, your files are gone. Not locked, not recoverable by customer support. Gone.
StreamStow can’t reset your vault password because StreamStow doesn’t know your vault password. The encryption key is derived from the password you set. There’s no master key, no backdoor, no recovery email. This is by design. A recovery mechanism would mean the encryption isn’t truly end-to-end on your device.
This is the same situation you’d be in with any real encryption tool. It’s the price of actual security versus security theater. If a company can reset your encryption password for you, they can also decrypt your files. That means anyone who compromises that company can decrypt your files too.
Set up Touch ID as your primary access method, write down your password, and store it somewhere physical. A slip of paper in a desk drawer works. I keep mine in the same fireproof box where I keep my passport.
How the vault compares to other options
You could encrypt videos without StreamStow. macOS has Disk Utility, which can create encrypted disk images. You could use FileVault to encrypt your entire drive. You could use a third-party tool like Cryptomator or VeraCrypt.
The difference is integration. With a standalone encryption tool, you download a video, then move it into an encrypted container, then remember to delete the original, then empty the trash, then hope the unencrypted data gets overwritten on disk. That’s five steps and at least two of them are easy to forget.
With the vault, you click “Save to Vault” during the download. One step. The file is encrypted from the start. There’s no unencrypted original to clean up.
FileVault is a different comparison. It encrypts your entire drive, which protects you if someone steals your laptop while it’s powered off. But FileVault doesn’t help when you’re logged in. Anyone who can see your screen can see your files. The vault protects files while you’re using your Mac, which is the threat model most people actually face.
Setting up the vault
Open StreamStow, go to Settings, and click the Vault tab. You’ll set a password (make it strong — this is the encryption key for everything in the vault). If your Mac has Touch ID, you’ll be prompted to enable it. That’s the entire setup.
From that point on, every download dialog includes a “Save to Vault” option alongside the regular save location. Files already in the vault are accessible through StreamStow’s library view when the vault is open.
The whole process takes about 30 seconds.
Content disclaimer
StreamStow is designed for downloading personal content, public domain videos, and creative commons media. Please respect copyright laws and platform terms of service.
Your vault password is the one thing standing between your encrypted files and permanent loss. Set up Touch ID, write down the password on paper, and store it somewhere safe before you start moving files in.