Security at Vaulted

Zero-knowledge encryption — we can't read your secrets, even if we wanted to.

AES-256-GCM encryption

Every secret is encrypted in your browser with AES-256-GCM, the authenticated encryption mode specified in NIST SP 800-38D and used by governments and financial institutions worldwide. Authenticated means it protects integrity as well as confidentiality: a ciphertext that has been altered in storage or in transit fails to decrypt rather than producing corrupted plaintext. Encryption happens before any data leaves your device.

Key never leaves your browser

The encryption key is placed in the URL fragment (the part after #). Per RFC 3986, the browser handles the fragment locally and does not include it in the request, so the key is never sent to the server; it exists only in your browser. Only someone with the full link can decrypt the secret. This also means the link itself is sensitive: anything that keeps a copy of the full URL, such as browser history or a chat log, keeps the key too, so treat the link with the same care as the secret.

Zero-knowledge architecture

Our server stores only encrypted ciphertext and metadata (view count, expiry). We have no way to decrypt your data: we never see the key, and we never see the plaintext. Even a complete compromise of our stored data would yield only encrypted blobs. What this does rely on is the client code we serve doing what it says, which is why that code is open to inspection.

Optional passphrase protection

For extra security, you can set a passphrase when creating a secret. A key derived from the passphrase wraps the encryption key, so the link alone is no longer enough: someone who intercepts the link still cannot decrypt the secret without the passphrase. Share the passphrase through a different channel from the link (a phone call, or a separate message) so that exposure of one channel does not reveal both.

What the server stores

An encrypted blob, the number of remaining views, and an expiration timestamp. That's it. No IP logs, no user accounts, no analytics on secret content.

Automatic deletion

Secrets are permanently deleted when the view limit is reached or the expiration time passes. There is no recycle bin, no backup, no way to recover deleted secrets.

Open by design

The encryption and decryption logic runs entirely in your browser using the Web Crypto API. You can inspect the source code, verify the cryptographic implementation, and confirm that neither the key nor the plaintext ever leaves your device.