Security-First by Design
Learn how Arckeys uses advanced cryptography and a zero-knowledge architecture to keep your passwords, passkeys, and credit cards safe.
Zero-Knowledge Storage
All vault data is encrypted on your local device before being sent to our servers. We never have access to your encryption key, master secret, or cleartext credentials.
PBKDF2 Key Derivation
We use the industry-standard password-based key derivation function PBKDF2 with SHA-256 and high iteration counts to derive your vault encryption keys safely from your master password.
AES-256-GCM Encryption
Vault items are encrypted using Advanced Encryption Standard (AES) with a 256-bit key in Galois/Counter Mode (GCM), providing both confidentiality and integrity verification.
End-to-End Encrypted Sync
Data is synchronized between your browser extensions and dashboard via TLS, but remains fully encrypted end-to-end. Sync payloads are never readable by third-party infrastructure.
Audit-Ready & Verified
Our core cryptographic packages and extension code are open-source. Anyone can audit our implementation, build from source, or check for backdoors.
Device Revocation & Auditing
Keep track of active sessions and authorized browser extensions. Revoke access to any device immediately if it's lost, stolen, or compromised.
Our Encryption Model
Arckeys treats authentication and encryption as separate scopes. When you sign in using passkeys (WebAuthn), you authenticate to the server. Underneath, a separate vault key is generated on your local device.
This key encrypts your credentials client-side using standard Web Crypto APIs. Even if our servers were compromised, your data would remain secure and unreadable, since the keys never leave your device.