Vault Encryption
Encrypt entire vaults with a passphrase. All content within is encrypted at rest and can only be decrypted by someone with the key. Even platform administrators cannot read encrypted vault content.
How it works
Enable encryption on any vault by setting a passphrase. The passphrase derives an encryption key that encrypts all vault content client-side before storage. To access the vault, you must provide the passphrase to derive the key. Without it, the content is unreadable. The encryption key never leaves your device and is never stored on the server.
Vault encryption setup with passphrase entry
Why it matters
Some knowledge is too sensitive for any third party to access, even the platform provider. Vault encryption ensures absolute privacy -- your data is encrypted before it leaves your device and can only be read with your key. This is essential for medical records, legal documents, financial information, and deeply personal memories.
Encrypted vault lock indicator in vault browser