Four layers. Zero plaintext on our side.
Vitonomi's security promise is specific and testable: our infrastructure never sees plaintext data, metadata, or encryption keys.
How your data is protected
Four layers of defence, end to end.
- Dual-key derivation: Your password runs through Argon2id with two salts. One derives the auth key (sent to the server). One derives the encryption key (never leaves your device).
- Client-side encryption: All data — credentials, emails, eventually photos — is encrypted on your device before it reaches a vault. Only ciphertext ever leaves your browser or CLI.
- Confidential relay: The vitonomi-mx SMTP relay processes inbound email in RAM only. Each alias has its own ML-KEM-768 public key; the relay encrypts on receive and holds zero plaintext on disk or in logs.
- Post-quantum: Every signature is ML-DSA-65. Every key encapsulation is ML-KEM-768. Harvest-now-decrypt-later is out of scope.
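The dual-key derivation described above, sketched as an added example that is not Vitonomi's own code. It assumes scrypt from the Python standard library as a stand-in for Argon2id; the `Server` class, the salt storage and the SHA-256 verifier are hypothetical.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit keys, matching the AEAD key size on this page

def _kdf(password: str, salt: bytes) -> bytes:
    # Assumption: scrypt stands in for Argon2id so this runs on the standard
    # library alone; parameters are demo-sized, not the page's 256 MiB.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=KEY_LEN)

def derive_keys(password: str, auth_salt: bytes, enc_salt: bytes):
    """Return (auth_key, enc_key); only auth_key may be sent to the server."""
    if auth_salt == enc_salt:
        # Identical salts would make the server-visible key the encryption key.
        raise ValueError("auth and encryption salts must differ")
    return _kdf(password, auth_salt), _kdf(password, enc_salt)

class Server:
    """Hypothetical server: keeps the salts and a hash of the auth key only."""
    def __init__(self):
        self.accounts = {}

    def register(self, user, auth_salt, enc_salt, auth_key):
        verifier = hashlib.sha256(auth_key).digest()
        self.accounts[user] = (auth_salt, enc_salt, verifier)

    def login(self, user, auth_key) -> bool:
        verifier = self.accounts[user][2]
        return hmac.compare_digest(verifier, hashlib.sha256(auth_key).digest())

def demo():
    auth_salt, enc_salt = os.urandom(16), os.urandom(16)  # constructed salts
    auth_key, enc_key = derive_keys("correct horse", auth_salt, enc_salt)
    server = Server()
    server.register("alice", auth_salt, enc_salt, auth_key)
    # A later session re-derives both keys from the password and stored salts.
    auth_again, enc_again = derive_keys("correct horse", auth_salt, enc_salt)
    wrong_auth, _ = derive_keys("wrong guess", auth_salt, enc_salt)
    return {
        "login_ok": server.login("alice", auth_again),
        "login_wrong": server.login("alice", wrong_auth),
        "enc_key_stable": enc_again == enc_key,
        "server_holds_enc_key": enc_key in server.accounts["alice"],
    }

if __name__ == "__main__":
    print(demo())
```

The check on equal salts is the failure mode worth testing in any implementation of this scheme: if the two derivations ever share a salt, the key sent for authentication is also the key that decrypts the data.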
Threat model at a glance
What each attacker can and cannot do.
Our full threat model is being published alongside the v1.0 release. Here is the short version.
- Malicious vitonomi hub: Worst case: we see encrypted head pointers, cluster membership graphs, and alias-to-pubkey mappings. We see zero plaintext records, zero encryption keys.
- Malicious vault operator: Vaults store opaque encrypted records they cannot decrypt. Content-addressing ensures they cannot substitute fake data without breaking retrieval.
- Malicious relay: The relay binary is open source and log-free. It encrypts to per-alias public keys in RAM. A compromised relay instance can read inbound mail in transit but cannot decrypt already-stored messages.
- Lost password: Recover from a BIP-39 seed phrase. Re-derive your keys, reconnect to your vaults, walk your signed snapshot chain. Full library reconstruction without any vendor.
Cryptographic choices
The primitives we rely on, in one place.
- Password KDF: Argon2id, memory ≥ 256 MiB, run in a Web Worker — Grover-resistant at current parameters.
- Symmetric AEAD: XChaCha20-Poly1305 with 256-bit keys. Grover halves effective security; 128-bit is still comfortable.
- Signatures: ML-DSA-65 (post-quantum, NIST FIPS 204).
- Key encapsulation: ML-KEM-768 (post-quantum, NIST FIPS 203).
Autonomi self-encryption is planned for v1.1 backup targets.
Trust, but verify.
The full cryptographic surface, byte layouts, and threat model live in the open repo under AGPL-3.0.