./security_model.md

How We Protect Your Data

Not a promise — math. This page explains PingVaults' zero-knowledge architecture, and why even if we wanted to "act maliciously", we couldn't.

// core commitment

You don't have to trust us.

Encryption happens in your browser. Your keys never leave your device.

Our servers only store ciphertext they can never unlock.

Even if we disappear tomorrow, your data lives forever on Arweave.

Even if we wanted to act maliciously — there's nothing to steal.

This isn't a promise. It's math.

// data_flow[]

Data Flow (Where Your Answers Go)

1. You enter your passphrase answers (In Browser)

Answers exist only in browser memory. They are never logged, cached, or persisted anywhere.

2. normalizeInput() standardizes your answers (In Browser)

Strips spaces, lowercases, converts full-width characters — so 'Alice' and 'alice' always derive the same key. Runs entirely in the browser.

3. PBKDF2-SHA256 key derivation (600,000 iterations) (In Browser)

Answers are fed through PBKDF2 with a random salt to derive an AES-256 key. The key material never leaves the browser.

4. AES-256-GCM encryption (Server-side)

Your vault content is encrypted with the derived key, producing ciphertext. Answers and key are then discarded from memory.

5. Ciphertext uploaded to server + Arweave (Server-side)

The server receives only ciphertext, salt, IV, and key schema (field types and question text). Answers are never in the request body.

6. Decryption: answers re-derive the key in the browser (In Browser)

When reading, ciphertext is downloaded from Arweave and decrypted locally using the re-entered answers. The server is never involved in decryption.

// server_access_table[]

What the Server Can and Cannot See

| ✓ Server can see | ✗ Server can NEVER see |
| --- | --- |
| Encrypted ciphertext (unreadable without key) | Your passphrase answers |
| Random salt and IV (useless without the key) | The derived AES encryption key |
| Key field types (name, custom_question…) | Your vault content in plaintext |
| Custom question text (e.g. 'Favorite place?') | The answer to that question |
| Your email address (for login only) | Anything related to decryption keys |

// open_source[]

Open Source Policy

📂 pingvaults-crypto

The encryption core is fully open source (MIT), including complete test vectors and offline decryptor HTML files. Anyone can audit, run tests, and verify there are no backdoors.

MIT · crypto.ts · test vectors · offline decryptors

🔒 Main Repo (Proprietary)

UI, Inactivity Switch engine, API routes, and other business logic are proprietary. Even if this layer were compromised, the server only holds ciphertext it cannot decrypt.

UI · API · Inactivity Switch · DynamoDB

// faq[]

FAQ

Can PingVaults read my vault content?

No. The server receives AES-256-GCM ciphertext that can never be decrypted without your answers. The encryption core is fully open source — anyone can audit it and confirm there are no backdoors.

What if PingVaults shuts down?

Your data is permanently stored on the Arweave blockchain, accessible via TxID from any Arweave gateway (arweave.net, ar-io.dev, etc.) — no dependency on our servers. The offline decryptor HTML works entirely independently of this platform.

Does the offline decryptor depend on pingvaults.com?

Not at all. It's a standalone HTML file with all crypto logic embedded. No external dependencies. Works offline. You can download it right now and verify it yourself.

Could you secretly send my answers in JavaScript?

The page's Content-Security-Policy response header restricts the JS on this page to only make network requests to self, uploader.irys.xyz, arweave.net, and a few other listed origins. Any fetch() to an unlisted address is immediately blocked by the browser. You can verify this yourself in DevTools → Network → Response Headers.

Is the encryption strong enough?

AES-256-GCM (authenticated symmetric encryption, industry standard) with PBKDF2-SHA256 at 600,000 iterations (OWASP 2023 recommendation). Salt and IV are freshly random for each encryption. Even with access to ciphertext and salt, brute-forcing a 256-bit key is computationally infeasible with current technology.

Transparent architecture. Auditable code. Permanent storage.