Skip to main content
ArkVaultArkVault
All documentation

Why ArkVault is Secure

Security

Why ArkVault is Secure

ArkVault is designed so that no one — not even us — can read your secrets. Security isn't a feature we added on top. It's the foundation everything else is built on.

Your Data Never Leaves Your Device Unencrypted

When you create or edit a vault, all encryption happens in your browser before anything is sent to our servers. The server only ever receives and stores encrypted data — random noise that's meaningless without your keys.

This means:

  • Your secrets are encrypted on your device, not on our servers.
  • Our servers never see your plaintext data at any point.
  • Even if our servers were breached, attackers would only find encrypted blobs they can't decrypt.

Zero-Knowledge Architecture

"Zero-knowledge" means we cannot read your data, even if we wanted to. This isn't a policy — it's how the system is built.

  • We don't store your encryption keys.
  • We can't comply with a data request for your vault contents because we don't have them.
  • No employee, admin, or system process can access your plaintext secrets.

Want to understand how zero-knowledge encryption works in more detail? Read our blog post: What is Zero-Knowledge Encryption?

Your Key is Split — No Single Point of Failure

When you create a vault, your master encryption key is split into two separate shares using cryptographic secret sharing:

  • One share is encrypted and stored on our servers.
  • The other share is included in the recovery key given to your trusted contact.

Neither share alone can decrypt anything — both are required together to reconstruct the master key.

This means:

  • ArkVault alone can't decrypt your vault — we only have one half, which is useless on its own.
  • Your trusted contact alone can't decrypt your vault early — they only have the other half.
  • Only when both shares are combined can the vault be decrypted, and this only happens in the browser after the failsafe timer has expired.

Open, Proven Cryptographic Standards

ArkVault doesn't use proprietary or homegrown cryptography. Everything is built on open, well-audited standards:

  • AES-256-GCM — the same encryption standard used by governments, banks, and financial institutions worldwide.
  • SLIP-39 — an open standard for splitting cryptographic keys into multiple shares, developed and audited by the security community.

We chose these standards because they've been tested, reviewed, and trusted by the global security community for years.

No Backdoors. No Master Key. No Exceptions.

ArkVault is built with no escape hatches:

  • There is no admin override that can bypass encryption.
  • There is no master key that unlocks all vaults.
  • The failsafe timer cannot be paused, fast-forwarded, or manipulated — you can only reset it by checking in.
  • Vault destruction after recovery is automatic — a 14-day countdown begins, and the vault is permanently deleted.

These guarantees are enforced by math and cryptography, not by company policy. Even if we wanted to make an exception, we couldn't.

What We Store vs. What We Don't

We StoreWe Don't Store
Encrypted vault data (opaque blobs)Your plaintext secrets
One encrypted half of your split keyYour master encryption key
Your email and account infoYour recovery key
Vault metadata (name, status, timestamps)Any way to decrypt your vault

Your Secrets Deserve Real Security

ArkVault exists because we believe your most important information deserves more than a password and a promise. It deserves a system that can't be compromised — by us, by hackers, or by anyone else.

Ready to protect what matters? Create your first vault →