[ LOCK-ROOM ]


ZERO_KNOWLEDGE_ARCHITECTURE_V.4.0.1

A password vault where the server is structurally incapable of reading your data. Your secrets are encrypted before they ever leave your device.


SYSTEM_CAPABILITIES

SECURITY_FEATURES

ENCRYPTION

AES-GCM-256

Every credential is encrypted with AES-GCM-256 before storage. The same cipher trusted by military and intelligence agencies worldwide.

ARCHITECTURE

ZERO_KNOWLEDGE

The server holds only ciphertext. Without your master key, the data is mathematically indistinguishable from random noise.

KEY_DERIVATION

PBKDF2_SHA512

Your master password is never transmitted. It derives a local encryption key via 600,000 PBKDF2 iterations with SHA-512.

PRIVACY

SERVER_BLIND

The backend processes only opaque blobs. No plaintext, no metadata, no behavioral analytics. Structural privacy by design.

EXECUTION

CLIENT_SIDE_CRYPTO

All cryptographic operations run inside your browser or native client. The network sees only encrypted payloads.

RESILIENCE

RECOVERY_KEY

Generate a recovery key that encrypts your master key client-side. If you lose your password, recover your vault without the server ever seeing the key.

TRANSPARENCY

OPEN_PROTOCOL

The encryption protocol is fully documented and open source. Verify every claim independently. No security through obscurity.

ZERO_KNOWLEDGE_PROTOCOL

HOW_IT_WORKS

01

KEY_DERIVATION

MASTER_KEY_NEVER_LEAVES

You enter your master password. PBKDF2-SHA512 with 600k iterations derives an encryption key locally. The raw password is immediately discarded from memory.

> PBKDF2(password, salt, 600000, SHA-512) → encryption_key
02

CLIENT_SIDE_ENCRYPTION

DATA_ENCRYPTED_LOCALLY

Your vault entries are encrypted with AES-GCM-256 in your browser before any network call is made. The server receives only ciphertext and an authentication tag.

> AES-GCM(plaintext, encryption_key, iv) → ciphertext + tag
03

DOUBLE_LAYER_ENCRYPTION

SERVER_ADDS_SECOND_LAYER

The server applies its own AES-GCM-256 encryption on top of your already-encrypted data. Even if the database leaks, attackers face two independent encryption layers.

> server.encrypt(client_ciphertext, server_key) → L2_ciphertext
04

RECOVERY_KEY

ZERO_KNOWLEDGE_RECOVERY

Generate a recovery key stored only by you. It encrypts your master key client-side and sends the opaque blob to the server. Lost your password? Decrypt locally with the recovery key — the server never sees it.

> AES-GCM(master_key, recovery_key) → recovery_blob → server
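
Steps 01, 02 and 04 above as an added example (not LOCK-ROOM's own code), using Node.js's built-in crypto module as a synchronous stand-in for the browser's WebCrypto and the parameters stated on this page. The 16-byte salt, the `iv || ciphertext || tag` blob layout, the random 32-byte recovery key, the sample entry and all function names are assumptions; the server-side layer of step 03 is not modelled.

```javascript
// Added example, not LOCK-ROOM code. Node's crypto stands in for browser WebCrypto.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // from the page
const IV_BYTES = 12;       // 96-bit IV, from the page
const TAG_BYTES = 16;      // 128-bit tag, from the page
const SALT_BYTES = 16;     // assumption: the page gives no salt length

// Step 01: PBKDF2-SHA512 -> 256-bit key. The salt is public and stored beside the vault.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha512');
}

// Steps 02 and 04: AES-256-GCM under a fresh random IV per call (never reuse an IV with a key).
// Assumed blob layout: iv || ciphertext || tag.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]);
}

function unseal(key, blob) {
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_BYTES);
  const ct = blob.subarray(IV_BYTES, blob.length - TAG_BYTES);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(blob.subarray(blob.length - TAG_BYTES));
  return Buffer.concat([decipher.update(ct), decipher.final()]); // final() throws on a bad tag
}

// Constructed walk-through: encrypt an entry, wrap the key for recovery, then recover.
function demo() {
  const salt = nodeCrypto.randomBytes(SALT_BYTES);
  const masterKey = deriveKey('correct horse battery staple', salt); // constructed password
  const entry = Buffer.from(JSON.stringify({ site: 'example.test', secret: 'constructed' }));
  const entryBlob = seal(masterKey, entry);           // what the server would store
  const recoveryKey = nodeCrypto.randomBytes(32);     // kept only by the user
  const recoveryBlob = seal(recoveryKey, masterKey);  // opaque to the server
  // Password lost: unwrap the master key locally, then decrypt the vault entry.
  const recovered = unseal(recoveryKey, recoveryBlob);
  const roundTrip = unseal(recovered, entryBlob).equals(entry);
  const tampered = Buffer.from(entryBlob);
  tampered[IV_BYTES] ^= 1;                            // flip one ciphertext bit
  let tamperRejected = false;
  try { unseal(masterKey, tampered); } catch { tamperRejected = true; }
  return { roundTrip, tamperRejected, overhead: entryBlob.length - entry.length };
}

console.log(demo());
```

Each stored blob is 28 bytes longer than its plaintext (12-byte IV plus 16-byte tag), and a single flipped ciphertext bit makes decryption fail instead of returning altered data.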

CRYPTOGRAPHIC_PARAMETERS

SECURITY_SPECS

CIPHER: AES-GCM-256
KEY_DERIVATION: PBKDF2-SHA512
ITERATIONS: 600,000
IV_LENGTH: 96 BITS
TAG_LENGTH: 128 BITS
ENCRYPTION_LAYERS: 2 (CLIENT + SERVER)
TRANSPORT: TLS 1.3
SERVER_KNOWLEDGE: NONE
RECOVERY_METHOD: CLIENT-SIDE KEY
PLAINTEXT_STORAGE: NEVER

AUDIT_CHECKLIST

[VERIFIED] CRYPTOGRAPHIC_PROTOCOL
[VERIFIED] CLIENT_SIDE_ONLY_CRYPTO
[VERIFIED] DOUBLE_LAYER_ENCRYPTION
[VERIFIED] ZERO_KNOWLEDGE_RECOVERY
[VERIFIED] NO_TELEMETRY
[VERIFIED] OPEN_SOURCE_CODE

THREAT_MODEL

Even if the server infrastructure is fully compromised, attackers face two independent encryption layers. Without your master password, every guess costs an attacker 600k PBKDF2 iterations, which makes brute-forcing computationally infeasible. Recovery keys are encrypted client-side, so the server stores only opaque blobs it cannot read.

BEGIN_SECURE_SESSION

YOUR_SECRETS
STAY_YOURS

No subscriptions. No tracking. No backdoors. Zero-knowledge architecture means we are structurally incapable of accessing your vault — not just legally prohibited.
