How End-to-End Encryption Works

Understand how SafeVault uses AES-256 encryption and zero-knowledge architecture to protect your data.

What Is End-to-End Encryption?

End-to-end encryption (E2EE) means your data is encrypted on your device before it's sent anywhere. Only you can decrypt it — not SafeVault, not your internet provider, not anyone in between.

How SafeVault Encrypts Your Data

Step 1: Key Derivation

When you enter your master password, SafeVault derives an encryption key from it using PBKDF2-SHA256 with 600,000 iterations. The high iteration count makes every password guess expensive to compute, so the resulting key is resistant to brute-force attacks.

Step 2: Local Encryption

Your vault data is encrypted on your device using AES-256 — the same encryption standard used by governments and military organizations worldwide. Each item in your vault is encrypted individually.

Step 3: Secure Transmission

The encrypted data is sent to SafeVault's servers over TLS 1.3, adding another layer of protection during transit. Even if someone intercepted the transmission, they'd only see encrypted data.

Step 4: Encrypted Storage

Your encrypted vault is stored on our servers. Since we never receive your master password or encryption key, we cannot decrypt your data. This is what "zero-knowledge" means.

Zero-Knowledge Architecture

Zero-knowledge means:

  • We never see your master password — it never leaves your device
  • We cannot access your vault — we only store encrypted blobs
  • We cannot reset your password — only you (and your recovery kit) can unlock your data
  • Even if our servers were breached, attackers would only get encrypted data they cannot decrypt

What AES-256 Means

AES-256 is the Advanced Encryption Standard with a 256-bit key:

  • Brute-forcing a 256-bit key would take billions of years with current technology
  • It's used by the U.S. government for classified information
  • It's the gold standard for data encryption worldwide

How Decryption Works

  1. You enter your master password on your device
  2. SafeVault derives the encryption key locally
  3. Your encrypted vault is downloaded from the server
  4. The vault is decrypted locally on your device
  5. Your passwords are accessible only in your device's memory

Your decrypted data never leaves your device. When you lock SafeVault, the decrypted data is cleared from memory.
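
The key derivation and local encryption steps under "How SafeVault Encrypts Your Data", together with the decryption steps above, can be sketched in Node.js. This is an added example, not SafeVault's own code. The page states only PBKDF2-SHA256 with 600,000 iterations and per-item AES-256; the GCM mode, per-user salt, 96-bit nonce, use of the item id as associated data, all function names and the sample values are assumptions.

```javascript
// Added example, not SafeVault's code. Assumptions are marked inline.
const crypto = require("node:crypto");

const PBKDF2_ITERATIONS = 600000; // iteration count stated on the page
const KEY_BYTES = 32; // 256-bit key for AES-256

// Step 1: derive the vault key on the device from the master password.
// Assumption: a random per-user salt is stored with the vault (it is not secret).
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, KEY_BYTES, "sha256");
}

// Step 2: encrypt one item. Assumptions: GCM mode, a fresh 96-bit nonce per item,
// and the item id as associated data so a blob cannot be moved to another slot.
function encryptItem(key, itemId, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(itemId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { itemId, iv, ct, tag: cipher.getAuthTag() };
}

// Local decryption; throws if the key is wrong or the blob was modified.
function decryptItem(key, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAAD(Buffer.from(blob.itemId, "utf8"));
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString("utf8");
}

function tryDecrypt(key, blob) {
  try { return decryptItem(key, blob); } catch { return null; }
}

// Constructed sample vault: what each key recovers from the stored blobs.
function demo() {
  const salt = crypto.randomBytes(16);
  const key = deriveKey("correct horse battery staple", salt);
  const stored = [["item-1", "hunter2"], ["item-2", "s3cret!"]]
    .map(([id, secret]) => encryptItem(key, id, secret));
  const wrongKey = deriveKey("not the master password", salt);
  return {
    withMasterPassword: stored.map((b) => tryDecrypt(key, b)),
    withWrongPassword: stored.map((b) => tryDecrypt(wrongKey, b)),
    movedBlob: tryDecrypt(key, { ...stored[0], itemId: "item-2" }),
  };
}

console.log(demo());
```

Only the salt and the `{ itemId, iv, ct, tag }` records would need to reach a server in this sketch; the master password and the derived key stay on the device.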

Frequently Asked Questions

Can SafeVault employees read my passwords?

No. Our zero-knowledge architecture makes this technically impossible.

What happens if SafeVault's servers are breached?

Attackers would only obtain encrypted data. Without your master password, the data is unreadable.

Is my data encrypted on my device?

Yes. SafeVault also encrypts the local database on your device, protected by your master password and (optionally) biometric authentication.