Exactly how Lockbox protects your data. No hand-waving. No "military-grade" nonsense. Just facts.
All data at rest. NIST-approved. Authenticated encryption prevents tampering.
Master password to key. Memory-hard (32MB). Resists GPU and ASIC attacks.
Derives separate keys for vault, sync, and sharing from one master key.
Each item has its own random key, wrapped by the vault key. Compromise of one item does not expose others.
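
An added sketch of the key hierarchy described above (password to master key, purpose-specific subkeys, per-item random keys wrapped by the vault key); it is not Lockbox's code. The text here does not name its algorithms, so scrypt, HKDF-SHA256 and AES-256-GCM from Node's `crypto` module, the `example/` labels, the blob layout and every function name are assumptions chosen for illustration.

```javascript
const { scryptSync, hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Stand-in memory-hard KDF (assumption): scrypt with N=2^15, r=8 needs 128*N*r = 32 MiB.
// maxmem is raised because Node's default limit is too low for this cost.
function deriveMasterKey(password, salt) {
  return scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// One subkey per purpose ("vault", "sync", "sharing"); the label gives domain separation,
// so one subkey reveals nothing about another.
function deriveSubkey(masterKey, purpose) {
  return Buffer.from(hkdfSync('sha256', masterKey, Buffer.alloc(0), `example/${purpose}`, 32));
}

// Authenticated encryption. Assumed blob layout: 12-byte IV | 16-byte tag | ciphertext.
// aad binds the blob to its context (here the item id) without encrypting it.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key, the aad or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Each item gets a fresh random key; only the wrapped form of that key is stored.
function storeItem(vaultKey, itemId, secret) {
  const itemKey = randomBytes(32);
  return {
    itemId,
    wrappedKey: seal(vaultKey, itemKey, itemId),
    body: seal(itemKey, Buffer.from(secret), itemId),
  };
}

function readItem(vaultKey, item) {
  const itemKey = unseal(vaultKey, item.wrappedKey, item.itemId);
  return unseal(itemKey, item.body, item.itemId).toString();
}
```

Because every stored blob carries an authentication tag, a flipped bit in either the wrapped key or the item body makes `readItem` throw instead of returning altered plaintext.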
| Action | Data sent | Can we read it? |
|---|---|---|
| Normal use | Nothing | N/A |
| Whisper share | Encrypted ciphertext only | No. Key is in URL fragment. |
| Cloud sync (optional) | Encrypted blobs to YOUR iCloud/Google Drive | No. Encrypted before upload. |
Even if compelled by a government, subpoena, or court order, we cannot:
This is not a policy decision. It is a mathematical impossibility. We do not have the keys.
| Feature | Detail |
|---|---|
| Clipboard | Auto-cleared after 30 seconds |
| Auto-lock | Locks when app goes to background |
| Biometric unlock | Key stored in hardware secure enclave (not software) |
| Dead Man's Switch | Auto-wipe after 7/14/30 days of inactivity |
| Rate limiting | Progressive lockouts after 5/10/20 failed attempts |
Our encryption module is published on GitHub for anyone to audit. We use only proven, well-tested libraries (libsodium, SQLCipher). No hand-rolled cryptography.
We have not yet completed a formal third-party security audit. We are transparent about this. Our crypto module is open source precisely so that the community can inspect it. A formal audit will be funded from revenue and the results published here.
Found a vulnerability? Email security@lockboxnow.app