Skip to main content
Architecture ยท Guide 01

How VaultPass works

A full walkthrough of client-side encryption, the dead man's switch, and exactly what data VaultPass holds vs. what stays on your device.

Encryption Flow
โŒจ๏ธ
01

You enter your seed phrase

Your seed phrase is typed into the vault editor in your browser. It never leaves your device in plaintext.

๐Ÿ”‘
02

A random vault key is generated

Your browser generates a fresh random 256-bit AES-256-GCM key via the Web Crypto CSPRNG. It is not derived from any password.

๐Ÿ”
03

AES-256-GCM encrypts your vault

Your seed phrases and wallet instructions are encrypted in-browser using AES-256-GCM with a random 96-bit IV. GCM mode provides both encryption and authentication โ€” tampering is detectable.

๐Ÿงฉ
04

The key is split into 3 shards

The random key is split via Shamir's Secret Sharing (2-of-3). Your owner shard stays on your device; the heir and sentinel shards are encrypted and uploaded. Any 2 shards reconstruct the key; 1 reveals nothing.

Prove it yourself โ†’
โ˜๏ธ
05

Only ciphertext + encrypted shards are sent

The encrypted blob (ciphertext + IV + auth tag) and the encrypted heir/sentinel shards are uploaded. VaultPass stores them as opaque bytes and does not decrypt them in normal operation.

โฑ
06

Dead man's switch monitors check-ins

Our server tracks only your check-in timestamps. If you miss your interval, a grace period and reminders begin. After the switch fires, your heir is notified.

๐Ÿ”“
07

Your heir reconstructs the vault

Your heir opens a one-time link; the heir and sentinel shards are released and combined in their browser to rebuild the key and decrypt the vault. No password required โ€” decryption happens entirely on their device.

Data Residency
Stored on VaultPass servers
  • โ†’Encrypted vault blob (ciphertext)
  • โ†’Encrypted heir + sentinel shards
  • โ†’IV / nonce (required, not secret)
  • โ†’Heir email address
  • โ†’Check-in timestamps
  • โ†’Subscription status
Never leaves your device
  • โœ“Your plaintext seed phrases
  • โœ“Your owner shard
  • โœ“Your wallet addresses / private keys
  • โœ“The reconstructed vault key
System Diagram
Your Browser
Random 256-bit key
AES-256-GCM encrypt
Shamir split (2-of-3)
Plaintext seed phrases
Ciphertext only
โ†’
VaultPass Server
Encrypted blob โœ“
Heir + sentinel shards โœ“
Heir email โœ“
Check-in time โœ“
Trigger fires
โ†’
Heir's Browser
Receives ciphertext
Enters shared password
AES-256-GCM decrypt
Reads seed phrases
Split-Knowledge Architecture

VaultPass stores your vault as ciphertext and holds the encrypted heir and sentinel shards. You hold your own shard, on your device. The vault is only rebuilt when shards are combined โ€” which happens automatically when the dead man's switch fires.

YOU๐Ÿง master passwordโ†’ AES-256 key Knever uploadedKVAULT DATA๐Ÿ”AES-256-GCMEnc(seeds, K)โœ“ readable only with KEnc(seeds,K)VAULTPASS SERVERโ˜๏ธEnc(seeds, K)salt ยท IV ยท heir emailK is never herekey ยท no ciphertextโ† key + ciphertext = data โ†’ciphertext ยท no key
0 plaintext bits
VaultPass server alone
0 ciphertext access
Your password alone
Full decryption
Both together
Key Guarantee

VaultPass is a conduit, not a custodian. We transport and store encrypted bytes. The cryptographic keys exist only in your mind and your heir's mind. Even a complete breach of our infrastructure exposes nothing recoverable without your master password.

NEXT โ†’ Guide 02
Security Model
SKIP TO โ†’ Guide 03
Heir Access Guide
VaultPass ยท Zero-knowledge crypto inheritance
DocsFAQStatusTermsPrivacy