Security

Security you can audit, not just trust

Vaultixs is zero-knowledge by design. Your vault is encrypted on your device before it ever reaches our servers. We physically cannot read your passwords — not under any circumstances.

AES-256-GCM encryption | Zero-knowledge architecture | Argon2id key derivation | TLS 1.3 in transit

How it works

Four layers of protection

Every piece of your vault passes through all four layers before it ever reaches our infrastructure.

Client-side encryption

Your vault is encrypted on your device using AES-256-GCM before it ever leaves. Our servers store ciphertext — never plaintext. No decryption happens server-side, ever.

Zero-knowledge architecture

Your encryption key is derived from your master password locally. It is never transmitted or stored. We have no mathematical ability to decrypt your data, even under legal compulsion.

Secure key derivation

We use a hardened key derivation function (Argon2id) to stretch your master password into a strong encryption key. Brute-forcing it requires enormous compute even if someone had our entire database.

Open-source cryptography

Vaultixs uses standard, peer-reviewed cryptographic libraries with no proprietary modifications. The crypto layer is published and open to external audit.

Encryption flow

What happens when you save a password

Every save goes through the same sequence, on your device, before anything leaves.

01. You type your password
The plain-text credential exists only in your browser or app memory. It has not been sent anywhere.

02. Your encryption key is derived
Argon2id processes your master password into a 256-bit key. This happens locally. The key never leaves your device.

03. The credential is encrypted
AES-256-GCM encrypts the credential using your local key. The result is an opaque block of ciphertext.

04. Ciphertext is synced
The encrypted blob is sent to our servers over TLS 1.3. We receive and store only ciphertext — we never see the key or the original data.
Security FAQ

Common security questions

Plain-language answers about how Vaultixs protects your data.

What happens if Vaultixs is hacked?
An attacker would get encrypted ciphertext. Without your master password (which we never have), that data is computationally infeasible to decrypt. This has been validated by independent security researchers.
What happens if I forget my master password?
Because we operate zero-knowledge, we cannot reset it. You can protect against this by setting up an emergency contact, storing recovery codes offline, or enabling biometric unlock on trusted devices.
Does Vaultixs store my master password?
Never. We store a salted hash of a hash of your master password — only enough to verify that you know it during login, never enough to reconstruct the actual password or your encryption key.
Is data encrypted in transit as well as at rest?
Yes. All traffic between your device and our servers uses TLS 1.3 with strong cipher suites. Data is encrypted on-device before transmission, and again in transit.

A vault that protects you, by design

Zero-knowledge means your security does not depend on trusting us. Start free and see for yourself.

Security model
Encryption: AES-256-GCM
Key derivation: Argon2id
In transit: TLS 1.3
Server access: Zero