How Vaultly Keeps Your Data Secure

Vaultly is built on a zero-knowledge, client-side encryption model: all sensitive operations (key derivation, encryption, and decryption) happen directly in your browser. Your master password never leaves your device, is never transmitted to our servers, and is never stored anywhere.

How Your Master Password Works

When you create your master password:

  • A unique random salt is generated on your device, so every user's key is different even if two people choose the same master password.
  • Vaultly applies Argon2id (a modern, memory-hard key-derivation function) to your password and salt to derive a strong 256-bit vault key.
  • Because Argon2id is deliberately slow and memory-intensive, brute-force guessing with GPUs or ASICs gains far less than it would against a fast hash.
  • This vault key becomes the root key used to encrypt and decrypt your data.
  • Vaultly never stores this key. Instead, your device computes a SHA-256 hash of the vault key (called the verifier) and sends only that hash to the server. SHA-256 is one-way, so the verifier cannot be turned back into the key.
  • Your vault key is kept only in memory while the vault is unlocked and is cleared as soon as the tab closes or you lock the vault.

When you unlock your vault later, the process is similar:

  • You enter your master password.
  • Your browser re-derives the vault key using Argon2id and the stored salt.
  • Your device computes the SHA-256 hash of this re-derived key and compares it with the stored verifier; only the hash is ever transmitted, never the key.
  • If it matches, the vault key is kept only in memory so your data can be decrypted locally. A wrong password yields a different key and a non-matching hash, so nothing is decrypted.

At no point does your master password or the vault key leave your device; the server only ever sees the verifier hash.

How Your Vault Is Encrypted

Once the vault key is derived, Vaultly encrypts all your passwords and notes locally using AES-GCM (Advanced Encryption Standard in Galois/Counter Mode), a widely trusted authenticated-encryption algorithm used by modern security systems and web standards such as TLS.

  • Your vault key serves as the AES-256 key for encrypting and decrypting every vault item.
  • Each item is encrypted with a fresh, unique random IV (initialization vector). This is essential rather than optional: reusing an IV under the same key breaks both the confidentiality and the integrity guarantees of AES-GCM.
  • AES-GCM provides built-in integrity protection through its authentication tag, so any change to the ciphertext or IV is detected and decryption fails instead of returning corrupted data.
  • The server stores only encrypted items, never plaintext or raw keys.

Because encryption happens in your browser:

  • Even if someone accessed Vaultly's database, all they would see are unreadable encrypted records, along with per-user salts and verifier hashes that cannot be reversed into keys. The most such an attacker could do is test master-password guesses offline, paying a full Argon2id derivation per guess, which is why a long, unique master password matters.
  • Only a device holding the derived vault key can decrypt your vault.

Open Source & Fully Auditable

  • The entire codebase is fully open-source and publicly available on GitHub.
  • Anyone can audit how keys are derived, how data is encrypted, and how the app handles your vault.
  • No proprietary black boxes, no hidden behavior.

View the full source code on GitHub:

https://github.com/SnehdeepDupare/vaultly

If You Forget Your Master Password

Since Vaultly is zero-knowledge, we cannot recover your master password and cannot decrypt your data without it.

If you forget it:

  • You can request a reset link via email.
  • After confirming the reset, Vaultly will permanently delete your encrypted vault.
  • You can then create a new master password and start fresh.

This ensures that only you ever control access to your vault.