How We Protect Your Data

Zero-knowledge encryption means we can’t access your files — not because of a privacy policy, but because of mathematics.

Your Keys, Your Data

When you upload a file to Vaulternal, it’s encrypted in your browser before it ever reaches our infrastructure. The encryption key is derived from a recovery phrase only you control. We never receive, store, or have access to your plaintext files or encryption keys.

Your BrowserFiles selected locally
AES-256-GCMEncrypted client-side
Encrypted Chunks5 MB each, unique IV
Encrypted StorageResilient cloud or permanent on-chain
Your key never leaves the browser
We only ever hold ciphertext

Encryption in Detail

Every layer of the system is designed so that only the intended recipient — with the correct key — can read your data.

Symmetric Encryption
  • AES-256-GCM (authenticated encryption)
  • 12-byte IV (96 bits), 128-bit auth tag
  • Files split into 5 MB chunks (max 1,024)
  • Per-chunk IV derived from base IV XOR chunk index
  • SHA-256 integrity hash per encrypted chunk
Asymmetric Encryption
  • secp256k1-ECIES — primary (Ethereum-native)
  • ECDH shared secret → HKDF-SHA256 → AES-256-GCM
  • Ephemeral key pairs for forward secrecy
  • HMAC-SHA256 ciphertext authentication
Multi-Party Access
  • Each recipient gets their own encrypted file key
  • Oracle double-layer wrapping gates access
  • Owner always retains a backup key copy
  • Shamir Secret Sharing ready for social recovery
Key Management
  • BIP-39 mnemonic (12 words) → BIP-32 HD wallet
  • IndexedDB storage with session encryption
  • 15-minute TTL, auto-cleared on inactivity
  • Scrypt keystore backup (Ethereum V3 format)
  • Web Worker isolated crypto operations

Where Your Files Live

Two storage layers, one encryption model. Everything is encrypted in your browser first — then you choose the storage built for the job: a fast, resilient cloud for files you actively keep current, or a permanent on-chain vault for legacy that has to outlast everything.

Free · Starter · Pro

Encrypted Cloud

For files you actively keep current — fast to upload and retrieve, with room to grow up to 1 TB.

  • Client-side encrypted — we store only ciphertext
  • Redundant and highly available
  • Instant upload and download
  • Scales with your plan, up to 1 TB

Certified cloud infrastructure

SOC 2 Type IIISO 27001

Permanent Vault

Permanent On-Chain Vault

For legacy that has to outlast everything — including us. Retrievable by its rightful recipients even if Vaulternal ceases to exist.

  • Write-once permanent storage on Arweave
  • Immutable — data cannot be altered
  • Designed for 200+ year persistence
  • Proof of existence (Polygon)

Optionally pinned to IPFS (coming soon).

How Triggers Work

Triggers automate delivery using double-layer encryption. The oracle can verify conditions but never access your files.

Setup

Owner configures triggerInactivity, time, manual, or contacts
Payload double-encryptedsecp256k1-ECIES: oracle + recipient layers
Oracle begins monitoringWatches for trigger conditions

Activation

Conditions metOracle verifies trigger criteria
Oracle unwraps outer layerReveals inner encrypted key
Recipient receives accessNotified and granted claim link

Files are decrypted entirely in the recipient’s browser. At no point does Vaulternal, the oracle, or any third party have access to plaintext data.

What We Can’t Do

Zero-knowledge architecture means there are things we are mathematically unable to do — even if compelled.

We CAN doWe CANNOT do
FilesStore and deliver encrypted filesRead or access your plaintext files
KeysGenerate encryption key pairs for youAccess your private key after creation
TriggersExecute trigger logic when conditions are metOverride, bypass, or cancel triggered deliveries
RecoveryProvide keyfile and seed phrase recovery pathsRecover your data without your encryption key
ComplianceRespond to legal requests with account metadataDecrypt your files for anyone, including authorities

Security Roadmap

We build in the open. Here’s what’s shipped and what’s coming next.

Built

  • Client-side AES-256-GCM encryption
  • secp256k1-ECIES asymmetric encryption
  • Multi-party key encapsulation
  • Oracle double-layer wrapping
  • Arweave permanent storage
  • IPFS distributed pinning
  • Polygon on-chain anchoring
  • Scrypt keystore (Ethereum V3)
  • BIP-39 / BIP-32 HD wallet derivation
  • Shamir Secret Sharing infrastructure
  • Web Worker isolated crypto operations

Planned

  • Quantum-resistant encryption
  • Social recovery via Shamir
  • Hardware wallet support
  • Multi-sig trigger authorization
  • Open-source client libraries

See It in Action

Create a vault, upload a file, and see client-side encryption work in real time. Free to start.