Client-Side Vault Encryption
Documents are encrypted in the browser before they reach us. We store only ciphertext and wrapped keys, so a server breach exposes encrypted data rather than passport scans.
How it works
- Vault password → Argon2id → KEK (key encryption key)
- Each document gets a random DEK encrypted with AES-256-GCM
- DEK is wrapped with your KEK; only wrapped blobs are uploaded
- Share links generate a link session key (LSK); DEKs are re-wrapped for vendor access
- Vendor secret → HKDF-SHA256 → wrapping key to unwrap the LSK
- Ciphertext lives in a private storage bucket; signed URLs expire in minutes
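The share-link steps above (LSK, re-wrapped DEK, HKDF-derived vendor wrapping key) can be traced end to end in the following added example, which is not this product's code. It uses Node's built-in `crypto` module so it runs offline; the function names, the use of AES-256-GCM for key wrapping, the `iv || tag || ciphertext` blob layout, the HKDF salt and info label, and all sample values are assumptions.

```javascript
// Added example: share-link key chain with Node's built-in crypto (constructed inputs).
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal/open; blob layout iv(12) || tag(16) || ciphertext is an assumption.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tag mismatch
}

// Vendor secret -> HKDF-SHA256 -> 32-byte wrapping key; salt and info label are assumed.
function vendorWrappingKey(vendorSecret, salt) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', vendorSecret, salt, 'share-link/lsk-wrap', 32));
}

// Owner side: fresh LSK, DEK re-wrapped under it, LSK wrapped for the vendor.
function createShare(dek, vendorSecret) {
  const salt = nodeCrypto.randomBytes(16);
  const lsk = nodeCrypto.randomBytes(32);
  return {
    salt,
    wrappedLsk: seal(vendorWrappingKey(vendorSecret, salt), lsk, Buffer.from('lsk')),
    wrappedDek: seal(lsk, dek, Buffer.from('dek')),
  };
}

// Vendor side: derive the wrapping key, unwrap the LSK, then the DEK.
function openShare(share, vendorSecret) {
  const lsk = open(vendorWrappingKey(vendorSecret, share.salt), share.wrappedLsk, Buffer.from('lsk'));
  return open(lsk, share.wrappedDek, Buffer.from('dek'));
}

// End to end: encrypt a constructed document, share it, decrypt it as the vendor.
function demo() {
  const dek = nodeCrypto.randomBytes(32);
  const doc = seal(dek, Buffer.from('constructed passport scan bytes'), Buffer.from('doc'));
  const share = createShare(dek, 'constructed-vendor-secret');
  return open(openShare(share, 'constructed-vendor-secret'), doc, Buffer.from('doc')).toString();
}
```

HKDF does no password stretching, so this chain is only as strong as the vendor secret; it should be a high-entropy random value rather than something a person chose.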