Security at Vaulted

Zero-knowledge encryption — we can't read your secrets, even if we wanted to.

AES-256-GCM encryption

Every secret is encrypted in your browser with AES-256-GCM, the authenticated encryption mode specified in NIST SP 800-38D and used throughout modern TLS. GCM both encrypts the secret and authenticates it, so a ciphertext that has been tampered with is rejected on decryption instead of being decrypted into garbage. Encryption happens before any data leaves your device.

Key never reaches our server

The encryption key is placed in the URL fragment (the part after #). Per RFC 3986 section 3.5, the fragment is not part of the request a browser sends: the browser strips it before connecting, so the server never receives the key. Only someone holding the full link, fragment included, can decrypt the secret.

Zero-knowledge architecture

Our server stores only the ciphertext and its metadata (remaining views, expiry). It never receives the key or the plaintext, so a breach of its storage yields nothing but encrypted blobs. What this guarantee cannot cover is the client code itself: an attacker who could alter the JavaScript we serve could ship a modified client, which is why that code is open for inspection (see "Open by design" below).

Optional passphrase protection

For extra security, set a passphrase when creating a secret. A key derived from the passphrase wraps the encryption key, so the link alone is not enough: someone who intercepts it still cannot decrypt the secret without the passphrase. Send the passphrase over a different channel (a phone call, a separate chat) so that one intercepted message does not hand over both.

What the server stores

An encrypted blob, the number of remaining views, and an expiration timestamp. That's it. No IP logs, no user accounts, no analytics on secret content.

Automatic deletion

Secrets are permanently deleted when the view limit is reached or the expiration time passes. There is no recycle bin, no backup, no way to recover deleted secrets.

Open by design

The encryption and decryption logic runs entirely in your browser using the Web Crypto API (crypto.subtle). You can inspect the source code, verify the cryptographic implementation, and confirm in your browser's network tools that only ciphertext leaves your device.

What Vaulted protects against

Network eavesdropping

All data is encrypted in your browser before transmission. Someone intercepting the traffic between your browser and Vaulted sees only AES-256-GCM ciphertext; the key is never sent to our server. The link you share does carry the key, which is why link interception is listed below as a risk.

Server compromise

Vaulted uses a zero-knowledge architecture. The server stores only ciphertext and metadata and never receives the encryption key or the plaintext, so a breach of its storage yields only encrypted blobs.

Unauthorized access

Secrets are protected by configurable view limits, automatic expiration (TTL), and optional passphrase protection. Once the view limit is reached or the TTL expires, the secret is permanently deleted.

Data persistence

Secrets are automatically and permanently deleted from storage when consumed or expired. There are no backups, recycle bins, or recovery mechanisms.

What Vaulted does NOT protect against

Compromised browser or device

If malware has access to your browser, it can read decrypted content from the DOM after you view a secret.

Keyloggers

A keylogger on the sender's or recipient's device can capture a passphrase as it is typed.

Malicious browser extensions

Extensions with DOM access can read decrypted secret content after it is rendered in the browser.

Recipient sharing or screenshotting

Once a secret is decrypted, the recipient sees plaintext. There is no DRM — they can copy, screenshot, or share it.

Link interception before viewing

If the full URL (including the fragment containing the key) is intercepted before the intended recipient opens it, the secret is compromised.

Weak passphrases

If a passphrase is weak, an attacker who obtains the wrapped key can guess passphrases offline, with no rate limit, until one unwraps it. Use a long, random passphrase, not a word or a date.

Responsible Disclosure

We take security seriously. If you discover a vulnerability, please report it responsibly so we can address it before it affects users.

What to include in a report

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots

Scope

  • In scope: encryption implementation, authentication bypass, data exposure, server-side vulnerabilities
  • Out of scope: social engineering, denial of service, spam

We aim to acknowledge reports within 48 hours.

Want to see it in action?

Try the Encryption Playground — an interactive demo of the same AES-256-GCM encryption Vaulted uses. Or read our visual guide to end-to-end encryption.