We don't ask you to trust us. We give you the tools to verify our security claims yourself โ open source code, documented cryptography, and a responsible disclosure programme.
Data flow: your device โ local encryption โ server (ciphertext only) โ attacker sees nothing useful
Every algorithmic choice has a reason. Here's the full stack.
AES-256-GCM
Item encryption
Authenticated encryption with a 256-bit key and per-item random 96-bit IVs. The auth tag detects tampering before decryption.
PBKDF2-SHA256
Key derivation ยท 600k iterations
Industry standard password hashing. 600,000 iterations matches NIST SP 800-132 recommendations for 2025. Salt is stored per-user.
HKDF
Key expansion
After deriving the master key from your password, we use HKDF to produce separate encryption and MAC keys, preventing key reuse.
RSA-OAEP-4096
Key wrapping
Your vault key is wrapped with your RSA-4096 public key for sharing and emergency access. The private key never leaves your device unencrypted.
TLS 1.3
Transport security
All API traffic uses TLS 1.3 with forward secrecy. Even encrypted vault data is protected in transit.
CSPRNG
Random number generation
All IVs, salts, and keys are generated using the platform's cryptographically secure RNG โ window.crypto in browsers, crypto module in Node.
SOC 2 Ready
Controls aligned to SOC 2 Type II
ISO 27001
Information security management
GDPR
EU data protection compliant
Zero-Knowledge
Cryptographically verified
We're not here to trash a competitor โ but the 2022 LastPass breach revealed real architectural differences worth understanding.
| Area | VaultKeep | LastPass (2022 breach) |
|---|---|---|
| URL storage | Encrypted client-side | Stored in plaintext โ attackers obtained all URLs |
| KDF iterations | PBKDF2-SHA256, 600,000 | As few as 1 iteration for legacy accounts |
| Source code | Open source โ audit it yourself | Proprietary โ trust us |
| Data separation | Only encrypted blobs on servers | Mix of plaintext metadata + ciphertext |
| Breach response | Nothing useful for an attacker to steal | Customer vault backups exfiltrated |
We take security reports seriously. If you find a vulnerability, please report it to security@vaultkeep.app with a description and steps to reproduce. We commit to:
A formal bug bounty programme with financial rewards is planned for Q3 2025.
Start with a free account. No credit card, no vendor lock-in, no excuses.
Create your vault