Client-Side Encryption
AES-256-GCM
Family Vault uses AES-256-GCM encryption — the same standard used by governments and financial institutions worldwide. Every piece of sensitive data is encrypted and decrypted entirely in your browser before it ever touches the network.
Each encrypted field gets its own random initialization vector (IV), ensuring that identical plaintext values produce completely different ciphertext every time. The GCM mode provides both confidentiality and integrity verification: decryption checks an authentication tag, so any tampering with encrypted data is detected as soon as that data is decrypted.
Key Derivation
PBKDF2 with 600,000 iterations
Your vault password is transformed into an encryption key using PBKDF2 (Password-Based Key Derivation Function 2) with SHA-256 and 600,000 iterations. This deliberately slow process makes brute-force attacks computationally impractical.
Each user receives a unique, cryptographically random salt generated at vault setup. This means even if two users choose the same password, their derived encryption keys are completely different — protecting against rainbow table and precomputation attacks.
Algorithm: PBKDF2
Hash: SHA-256
Iterations: 600,000
Key length: 256 bits
Salt: Random, unique per user
What Gets Encrypted
Sensitive fields vs. searchable metadata
We carefully separate sensitive secrets from searchable metadata so you get both strong security and a usable experience.
Encrypted (zero-knowledge)
- Passwords
- Secret keys
- Account numbers
- Notes content
- Shared credential content
Plaintext (searchable)
- Credential title
- URL
- Email address
- Username
- Tags
Metadata fields like title, URL, email, username, and tags are stored in plaintext to enable cross-vault instant search. These fields do not contain secrets and are protected by Supabase Row Level Security (RLS) policies so only authorized vault members can access them.
Zero-Knowledge Architecture
We cannot see your secrets
Your vault password never leaves your browser. It is never transmitted over the network, never stored on our servers, and never logged anywhere. All encryption and decryption happens locally using the Web Crypto API built into your browser.
The server only ever receives and stores ciphertext — encrypted data that is computationally indistinguishable from random noise without your key. Even with full database access, neither the server, the hosting provider, nor our team can decrypt your sensitive data.
If you forget your vault password, your encrypted data cannot be recovered. This is a deliberate security guarantee, not a limitation.
Important: Your vault password is the sole key to your encrypted data. Store it somewhere safe. If lost, encrypted data cannot be recovered by anyone — including us.
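The scheme described in the sections above, sketched with the Web Crypto API as an added example (not Family Vault's own code). The function names, the 16-byte salt, the 12-byte IV and the `IV || ciphertext` storage layout are assumptions; the algorithm, hash, iteration count and key length are the ones stated on this page.

```javascript
// Added example. From the page: PBKDF2, SHA-256, 600,000 iterations, AES-256-GCM.
// Assumed: all names, the 16-byte salt, the 12-byte IV, the IV||ciphertext layout.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Per-user random salt, generated once at vault setup and stored with the vault.
const newSalt = () => wc.getRandomValues(new Uint8Array(16));

// Password -> non-extractable AES-256-GCM key; only the salt is ever persisted.
async function deriveVaultKey(password, salt, iterations = 600000) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one field under a fresh random IV; the GCM tag is appended by encrypt().
async function encryptField(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv); blob.set(ct, iv.length);
  return blob; // this is all the server would receive for the field
}

// Returns the plaintext, or rejects (OperationError) if the tag does not verify.
async function decryptField(key, blob) {
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
  return dec.decode(pt);
}

// Constructed sample values; checks each property the page claims.
async function demo() {
  const keyA = await deriveVaultKey('correct horse battery staple', newSalt());
  const keyB = await deriveVaultKey('correct horse battery staple', newSalt());
  const c1 = await encryptField(keyA, 'hunter2');
  const c2 = await encryptField(keyA, 'hunter2');
  const tampered = c1.slice(); tampered[tampered.length - 1] ^= 1; // flip one tag bit
  const rejected = (k, b) => decryptField(k, b).then(() => false, () => true);
  return {
    roundTrip: await decryptField(keyA, c1),
    sameTextDifferentCiphertext: c1.join() !== c2.join(),
    tamperRejected: await rejected(keyA, tampered),
    samePasswordOtherSaltRejected: await rejected(keyB, c1),
  };
}
```

A failed decryption is the only signal for both a wrong password and a modified blob, so callers should treat the rejection as "cannot trust this field" rather than retrying with altered input.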
Infrastructure Security
Enterprise-grade providers
Family Vault is built on top of industry-leading infrastructure providers, each with rigorous security certifications and compliance programs.
Supabase
SOC 2 Type II
PostgreSQL database with Row Level Security (RLS) ensuring data isolation between users and vaults at the database level.
Vercel
SOC 2 Type II
Edge network with automatic HTTPS, DDoS protection, and secure serverless function execution.
PostgreSQL RLS
Row Level Security
Every database query is filtered by user authentication, enforced at the database engine level — not just in application code.
Additional Security Layers
Defense in depth
Two-Factor Authentication
Optional TOTP-based 2FA adds a second verification step at login, implemented with the Web Crypto API. Compatible with any authenticator app.
Role-Based Access Control
Vault members are assigned Owner, Editor, or Viewer roles. Permissions are enforced at both the UI and database level via RLS policies.
Session Management & Auto-Lock
Sessions are managed by Supabase Auth with secure token refresh. An auto-lock timer clears the decryption key from memory after a period of inactivity.
Audit Logging
All significant actions — credential access, member changes, vault modifications — are recorded in an immutable audit log for accountability and transparency.
Have security questions or want to report a vulnerability?