Security You Can Trust

Zero-knowledge architecture means your secrets are encrypted before they leave your device. We can never see your data.

What is Zero-Knowledge Encryption?

Zero-knowledge encryption means that only you hold the keys to decrypt your data. Your master password never leaves your device. We store only encrypted blobs — if our servers were compromised, attackers would get nothing but indecipherable data.

Encryption Flow

Your Device

Master Password → PBKDF2 (600K iterations) → Encryption Key → AES-256-GCM Encrypt → Encrypted Data

TLS in Transit

CloudKeep Servers

Encrypted Blob → Stored Securely

Your device encrypts; servers only store.
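
The device-side flow above (master password, PBKDF2, AES-256-GCM), written with Node.js's built-in crypto module as an added example; this is not CloudKeep's code. The SHA-256 PRF, 16-byte salt, 12-byte nonce, blob field names and sample values are assumptions, since the page does not state them.

```javascript
// Added example, not CloudKeep's code. PRF (SHA-256), salt/nonce sizes and
// the blob layout are assumptions; only the iteration count is from the page.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const ITERATIONS = 600000; // iteration count stated on the page
const KEY_LEN = 32;        // 256-bit key for AES-256-GCM

// Stretch the master password into an encryption key on the client.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_LEN, "sha256");
}

// Encrypt locally; the returned blob is all a server would ever receive.
function encryptSecret(masterPassword, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt locally; throws if the password is wrong or the blob was modified.
function decryptSecret(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString("utf8");
}

// Returns true when decryption is rejected by the GCM tag check.
function isRejected(masterPassword, blob) {
  try { decryptSecret(masterPassword, blob); return false; } catch { return true; }
}

// Constructed sample values.
const blob = encryptSecret("correct horse battery staple", "db_password=s3cr3t");
const tampered = { ...blob, ct: Buffer.from(blob.ct) };
tampered.ct[0] ^= 0x01; // flip one ciphertext bit, as a modified stored blob would
```

Because the key is derived from the master password, someone holding a stored blob can still test password guesses offline; the iteration count only raises the cost of each guess, so password strength remains the limiting factor.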

How We Protect Your Data

Multiple layers of encryption and access controls safeguard your secrets at every stage.

At Rest

  • AES-256-GCM encryption for all secret data
  • PBKDF2 with 600,000 iterations for key derivation
  • NaCl box for asymmetric encryption (sharing)
  • Argon2 for recovery key hashing

In Transit

  • TLS 1.3 for all connections
  • Certificate pinning for API clients
  • HMAC-signed webhooks
  • No plaintext secrets in API responses

Access Control

  • TOTP two-factor authentication
  • Device tracking and session management
  • Role-based vault permissions
  • Comprehensive audit logging

Our Security Practices

Security is not just a feature — it's embedded in everything we do.

Open Architecture

Our encryption protocols are based on well-studied, open standards. No proprietary algorithms.

Regular Audits

We conduct regular security audits and penetration testing.

Minimal Data Collection

We collect only what's necessary to provide the service. No tracking, no selling data.

Incident Response

Dedicated security team with documented incident response procedures.

Secure Development

All code goes through security review before deployment.

Bug Bounty

We welcome responsible security research. Report vulnerabilities and earn rewards.

Security FAQ

Common questions about how CloudKeep protects your data.

What happens if CloudKeep is breached?

Attackers would only get encrypted data. Without your master password, the data is useless. We use AES-256-GCM encryption, which is considered unbreakable by current technology.

Can CloudKeep employees see my secrets?

No. We use zero-knowledge architecture. Your master password and encryption keys never leave your device. We literally cannot decrypt your data.

What if I forget my master password?

During onboarding, you receive a recovery key. This is the only way to recover your account. We recommend storing it in a physically secure location.

How are shared secrets protected?

We use NaCl public-key encryption. When you share a secret, it's re-encrypted with the recipient's public key. Only they can decrypt it.

Your Security is Our Priority

Start protecting your secrets with zero-knowledge encryption.