Zero-Knowledge Encryption

How your data stays private

Overview

Heimlane Vault uses zero-knowledge encryption, meaning your data is encrypted on your device before it ever reaches our servers. We cannot read your passwords, and neither can anyone else.

What Zero-Knowledge Means

Zero-knowledge means Heimlane has zero knowledge of your:

  • Master password
  • Encryption keys
  • Vault contents (passwords, notes, files)

Even if our servers were compromised, attackers would only find encrypted data that’s useless without your master password.

How It Works

Encryption Process

  1. You enter your master password
  2. Key derivation: Your password is transformed into encryption keys using PBKDF2-SHA256 (100,000+ iterations)
  3. Local encryption: Your vault data is encrypted with AES-256 on your device
  4. Secure transmission: Only encrypted data is sent to our servers
  5. Encrypted storage: Data remains encrypted at rest on our servers

Decryption Process

  1. You log in with your master password
  2. Encrypted data is downloaded to your device
  3. Local decryption: Your device uses your keys to decrypt
  4. Plain text only exists in your device’s memory

Technical Details

Component               Technology
Key derivation          PBKDF2-SHA256
Symmetric encryption    AES-256-CBC
Asymmetric encryption   RSA-2048 (for sharing)
Hashing                 SHA-256
Transport               TLS 1.3

What We Can See

Heimlane can see:

  • Your email address
  • Account metadata (creation date, last login)
  • Encrypted data blobs
  • Usage statistics (number of items, not contents)

Heimlane cannot see:

  • Your master password
  • Your vault contents
  • Individual passwords or notes
  • Attachment contents

Benefits of Zero-Knowledge

  1. No insider threats - Heimlane employees can’t access your data
  2. Breach protection - Stolen server data is useless without your password
  3. Legal protection - We can’t be compelled to reveal data we can’t access
  4. True privacy - Your secrets remain yours

The Trade-off

Zero-knowledge means we cannot help you if you forget your master password:

  • There’s no “forgot password” reset
  • We cannot decrypt your data for you
  • Recovery is only possible with your master password hint or recovery options you’ve set up

This is a feature, not a bug. It’s the only way to guarantee your privacy.

Verification

You don’t have to trust our claims. Vault is built on open-source foundations:

  • Client code is open source
  • Encryption can be audited
  • Security researchers regularly review our implementation

Tips

  • Use a strong, unique master password you can remember
  • Set up a password hint that only you understand
  • Configure emergency access for account recovery scenarios
  • Keep local backups of critical information