The Vault - Version 5 Encryption Protocol

The Vault uses PBKDF2 key derivation with an HMAC-SHA512 PRF, and HMAC-SHA256 Encrypt-then-MAC authenticated 256-bit AES encryption, using CommonCrypto functionality only. All cipher and MAC worker keys, as well as all salts and IVs, are purely random data, generated by SecRandomCopyBytes. Keys and IVs are never reused. Each singular piece of data in the app is encrypted with a unique random encryption key, and authenticated with a unique random HMAC key.
Your Master Passcode is never stored; and neither are the derived cipher keys.

Zero knowledge:
We have zero knowledge of your confidential information.
What does this mean? It's simple:

1. Your data is stored on your device. Only.
2. Your passcode and keys are never stored.

In other words: unlike many other services, your data is not stored in the cloud. It is only in your possession: on your device, and in your SecureBackups that you store in a location of your choice. All decryption is done locally, on your device. In fact, the app never writes unencrypted data to disk. Ever. Because your master passcode and keys are never stored, you need to provide the master passcode to be able to access your data. Without your master passcode the app cannot recreate the necessary decryption keys, and will not be able to decrypt your data.





Open-sourced, human-readable, pseudocode of the encryption core of The Vault for iOS and The Vault for Mac.