End-to-End Encryption
Protect your sensitive documents with military-grade encryption.
Overview
LifeVault provides end-to-end encryption for your most sensitive documents. Encryption happens locally on your device — your keys never leave your machine.
Zero-Knowledge
Even if you sync encrypted files to the cloud, your provider cannot read them. Only you hold the decryption keys.
How It Works
LifeVault uses AES-256-GCM for file encryption and Argon2id for key derivation. The encryption flow is:
Your master password is derived into an encryption key using Argon2id
Each file gets a unique random nonce (IV)
File contents are encrypted with AES-256-GCM
Encrypted file + nonce are stored; original is securely deleted
Key Management
Your encryption keys are stored in your system's secure keychain (macOS Keychain, Windows Credential Store, or Linux Secret Service). You can also export a recovery key for backup.
# Export recovery key
lifevault keys export --format "recovery" --output "~/recovery-key.txt"