How It Works
VanishingVault uses zero-knowledge encryption to ensure your secrets remain private.
Client-Side Encryption
Your secrets are encrypted in your browser before being sent to our servers.
- ·AES-256-GCM encryption in your browser
- ·Encryption key generated locally
- ·We never see your unencrypted data
- ·Uses Web Crypto API for security
Zero-Knowledge Architecture
The decryption key never leaves your device.
- ·Key stored in URL fragment (#)
- ·Fragments are never sent to servers
- ·Only you and the recipient have the key
- ·Impossible for us to decrypt your secrets
One-Time Access
Secrets are automatically deleted after viewing.
- ·Deleted immediately after first view
- ·No way to recover once viewed
- ·Perfect forward secrecy
- ·Links become invalid after use
Automatic Expiration
All secrets expire automatically for security.
- ·Maximum 7-day lifetime
- ·Deleted even if never viewed
- ·No permanent storage
- ·Reduces attack surface
What We Store
Transparency about our data handling.
What we store
- · Encrypted ciphertext (unreadable without your key)
- · Initialization vector (public, needed for decryption)
- · Expiration timestamp
- · Random secret ID
What we never store
- · Your original secret text
- · The decryption key
- · Your IP address or personal information
- · Any tracking cookies or analytics
Security Process
Step-by-step breakdown of how your secrets stay secure.
- 01
You enter your secret
Type your password, API key, or sensitive message.
- 02
Browser generates encryption key
A random 256-bit AES key is created in your browser.
- 03
Secret is encrypted locally
Your secret is encrypted using AES-256-GCM in your browser.
- 04
Encrypted data is stored
Only the encrypted ciphertext is sent to our servers.
- 05
Secure link is generated
The decryption key is embedded in the URL fragment (#).
- 06
Recipient decrypts in browser
The secret is decrypted client-side and immediately deleted.
Trust Through Transparency
Our zero-knowledge architecture means we literally cannot read your secrets, even if we wanted to. The encryption happens in your browser, and the decryption key never leaves your device.