Security FAQ
StealthVault · How your data is encrypted and protected
How is my media encrypted?
Every photo and video is encrypted on your device with AES-256 before it is written to storage. Files on disk are ciphertext — nothing readable is ever stored. The encryption key exists only in memory while the vault is unlocked, and it is wiped the moment the vault locks.
How does my passcode unlock the vault?
StealthVault uses a two-key design. A random data key encrypts all your media; it is generated once and never leaves your device. Your passcode does not encrypt your media directly — instead it derives a separate key that wraps (encrypts) the data key.
When you unlock, your passcode reconstructs the wrapping key, which unlocks the data key, which decrypts your media. Your passcode itself is never stored anywhere — not on the device, not in the cloud.
Does changing my passcode re-encrypt all my files?
No. Because your passcode only protects the data key — not the media itself — changing it simply re-wraps that one small key under your new passcode. Your photos and videos are never touched, so the change is instant even with a large vault.
What happens if I forget my passcode?
Your data is unrecoverable. There is no backdoor, no recovery email, and no master key. This is by design — it is what makes the vault private. If you forget your passcode and have no biometric unlock enrolled, the encrypted data cannot be opened by anyone, including us.
Is biometric unlock (Face ID / fingerprint) safe?
Yes. When you enable biometrics, a copy of your data key is held in your device's hardware-backed secure storage (Secure Enclave on iOS, Keystore on Android) and released only after a successful biometric check by the operating system. We never see your biometric data — it never leaves the OS.
Is anything sent to the cloud?
No. StealthVault is offline-first. Encryption, decryption, and key handling all happen on your device. Device-to-device sync and the web portal transfer data directly over your local network — they do not pass through any server we control.
Do the ads track me?
The free version shows a single banner ad, but it is configured to request non-personalized ads only — we never ask for tracking permission, never use your device's advertising identifier to profile you, and the app declares "no tracking" in its iOS privacy manifest. The ad network only ever receives the coarse, anonymous context any web page sees (rough region and device type); it never receives your vault content or builds a profile of you. A paid subscription removes ads entirely.
What is the decoy vault?
You can set up a second vault with its own separate passcode. It has its own independent encryption key and its own content. Entering the decoy passcode opens the decoy vault while your real vault stays hidden — giving you plausible deniability if you are ever forced to unlock.
What can an attacker see if they steal my phone?
On a locked device they see only encrypted files and a passcode prompt. The decryption key is not present until you successfully unlock, and repeated wrong attempts are rate-limited. Keeping your device's own lock screen enabled adds a second layer of protection.
For the strongest protection against someone who can compel you to open the phone, we recommend:
- Use a different passcode for your real vault than the one that unlocks your device — so device access never reveals the vault.
- Set up a decoy vault with its own "easy" PIN. When you enable a decoy you choose which vault biometrics open — for the strongest protection, point Face ID / fingerprint at the decoy (you can change this later in settings).
- Keep your real vault on a passcode you only enter manually — don't point biometrics at it — so it can't be opened by a glance at your face or a forced fingerprint.
Do you have access to my files?
No. We have no server-side copy of your media and no access to your keys or passcode. Even if compelled, we have nothing to hand over — your data only exists, decryptable, on your unlocked device.
More
See our Privacy Policy and Terms. Questions? Email [email protected].