Security & trust

Security you can verify.

We don't ask you to trust us. We give you the tools to verify our security claims yourself โ€” open source code, documented cryptography, and a responsible disclosure programme.

Zero-knowledge architecture

Your DeviceMaster passwordnever leaves hereLocal EncryptionAES-256-GCMbefore transmissionOur ServersOnly ciphertextstored hereAttackerSees only encryptedblobs โ€” useless๐Ÿ”’

Data flow: your device โ†’ local encryption โ†’ server (ciphertext only) โ†’ attacker sees nothing useful

Cryptographic details

Every algorithmic choice has a reason. Here's the full stack.

AES-256-GCM

Item encryption

Authenticated encryption with a 256-bit key and per-item random 96-bit IVs. The auth tag detects tampering before decryption.

PBKDF2-SHA256

Key derivation ยท 600k iterations

Industry standard password hashing. 600,000 iterations matches NIST SP 800-132 recommendations for 2025. Salt is stored per-user.

HKDF

Key expansion

After deriving the master key from your password, we use HKDF to produce separate encryption and MAC keys, preventing key reuse.

RSA-OAEP-4096

Key wrapping

Your vault key is wrapped with your RSA-4096 public key for sharing and emergency access. The private key never leaves your device unencrypted.

TLS 1.3

Transport security

All API traffic uses TLS 1.3 with forward secrecy. Even encrypted vault data is protected in transit.

CSPRNG

Random number generation

All IVs, salts, and keys are generated using the platform's cryptographically secure RNG โ€” window.crypto in browsers, crypto module in Node.

Compliance & certifications

๐Ÿ›ก๏ธ

SOC 2 Ready

Controls aligned to SOC 2 Type II

๐Ÿ”

ISO 27001

Information security management

๐Ÿ‡ช๐Ÿ‡บ

GDPR

EU data protection compliant

๐Ÿ‘๏ธโ€๐Ÿ—จ๏ธ

Zero-Knowledge

Cryptographically verified

How VaultKeep is different from LastPass

We're not here to trash a competitor โ€” but the 2022 LastPass breach revealed real architectural differences worth understanding.

AreaVaultKeepLastPass (2022 breach)
URL storageEncrypted client-sideStored in plaintext โ€” attackers obtained all URLs
KDF iterationsPBKDF2-SHA256, 600,000As few as 1 iteration for legacy accounts
Source codeOpen source โ€” audit it yourselfProprietary โ€” trust us
Data separationOnly encrypted blobs on serversMix of plaintext metadata + ciphertext
Breach responseNothing useful for an attacker to stealCustomer vault backups exfiltrated

Responsible disclosure

We take security reports seriously. If you find a vulnerability, please report it to security@vaultkeep.app with a description and steps to reproduce. We commit to:

  • Acknowledge receipt within 24 hours
  • Provide status updates every 72 hours
  • Fix critical vulnerabilities within 7 days
  • Credit researchers publicly (with consent)
  • Not pursue legal action against good-faith researchers

A formal bug bounty programme with financial rewards is planned for Q3 2025.

Security without compromise

Start with a free account. No credit card, no vendor lock-in, no excuses.

Create your vault