SECURITY

Simple security model.

CaskVeil creates one encrypted vault file. Encryption happens client-side before the file is saved or exported.

Client-side encryption

Vault content is encrypted in the browser using the Web Crypto API.

No vault database

The core flow does not store readable vault data on a server.

User-owned file

You download and store the encrypted .cloak file yourself.

What CaskVeil should not receive

  • Readable vault content
  • Your master password
  • Decrypted custom sections
  • Private notes, documents, contacts, or credentials

What you still need to protect

  • Use a strong, unique password
  • Keep safe backups of your .cloak file
  • Do not unlock vaults on untrusted devices
  • Clear the session after viewing sensitive content

Important limitation

CaskVeil cannot recover a lost password. That is part of the security tradeoff: only the correct password can unlock the encrypted vault file.
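
The following is an added example, not CaskVeil's own code or file format: a sketch of password-based client-side encryption with the Web Crypto API, showing why a wrong password (or a modified file) cannot be unlocked. The KDF (PBKDF2), cipher (AES-GCM), iteration count, byte layout, and the function names sealVault and openVault are all assumptions.

```javascript
// Added example: NOT CaskVeil's real format. KDF, cipher, iteration count and
// byte layout (salt | iv | ciphertext+tag) are assumptions for illustration.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const PBKDF2_ITERATIONS = 600000; // assumed work factor
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Derive a non-extractable AES-256-GCM key from the master password.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt the vault object; returns the bytes that would be saved to the file.
async function sealVault(password, vault) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per save
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));     // never reused
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(JSON.stringify(vault))));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0); out.set(iv, SALT_LEN); out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Decrypt; resolves to null on a wrong password or a tampered file, because
// the AES-GCM authentication tag fails to verify in both cases.
async function openVault(password, fileBytes) {
  if (fileBytes.length < SALT_LEN + IV_LEN + TAG_LEN) return null; // truncated
  const salt = fileBytes.subarray(0, SALT_LEN);
  const iv = fileBytes.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(password, salt);
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv }, key, fileBytes.subarray(SALT_LEN + IV_LEN));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null; // no key material is stored anywhere, so there is no recovery path
  }
}
```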