Security
Every cryptographic claim on this page is auditable in the open-source code. Here is exactly what StenVault does — and why.
Zero-knowledge
The server only ever sees encrypted bytes. Filenames, file content, and encryption keys stay on your device.
File content and filenames are encrypted on your device before they reach our servers. We never hold plaintext or decryption keys.
Login uses the OPAQUE protocol (RFC 9807). Your password never leaves your device, and no password hash is stored on the server.
The full client is public on GitHub. Every cryptographic claim on this page is verifiable in the source code.
Post-quantum strength
NIST defines five security levels for post-quantum algorithms. Most implementations choose Level 1, equivalent to AES-128. StenVault uses Level 3, equivalent to AES-192, in a hybrid construction with X25519.
| Algorithm | NIST Level | Equivalent strength | Status |
|---|---|---|---|
| ML-KEM-512 / Kyber-512 | Level 1 | ≈ AES-128 | Available |
| ML-KEM-768 | Level 3 | ≈ AES-192 | In use |
| ML-KEM-1024 | Level 5 | ≈ AES-256 | Available |
StenVault combines ML-KEM-768 with X25519 in a true hybrid KEM. An attacker must break both to compromise your files. If ML-KEM-768 has an undiscovered weakness, X25519 still protects you. If X25519 falls to quantum computers, ML-KEM-768 still protects you. No single point of cryptographic failure.
| Primitive | Classical | Post-quantum | Purpose |
|---|---|---|---|
| Key encapsulation | X25519 ECDH | ML-KEM-768 (FIPS 203) | Per-file key wrapping |
| Digital signatures | Ed25519 | ML-DSA-65 (FIPS 204) | File integrity |
| Password auth | OPAQUE (RFC 9807) | — | Zero-knowledge login |
| File encryption | AES-256-GCM | — | Content encryption |
| Key derivation | Argon2id (46 MiB, t=1, p=1) | — | Password → KEK |
| File format | CVEF v1.4 (container v2) | — | AAD-bound envelope |
The security whitepaper documents algorithms, parameters, data flows, and design rationale with direct citations to the source code.
How we test
Every cryptographic primitive is tested against authoritative reference implementations, not just internal unit tests.
Every cryptographic primitive is tested against authoritative reference vectors from Google's Project Wycheproof (AES-256-GCM, X25519, Ed25519, HKDF-SHA256, AES Key Wrap), NIST FIPS 203 and 204 for ML-KEM-768 and ML-DSA-65, and RFC 9106 and 3394 for Argon2id and AES-KW. The same suites used by OpenSSL and BoringSSL.
Five primitives are tested across two independent codebases that must agree on every output: @stenvault/pqc-wasm vs @noble/post-quantum for ML-KEM-768 and ML-DSA-65, WebCrypto vs @noble/curves for X25519 and Ed25519, and WebCrypto vs Node.js crypto for AES-256-GCM.
40 property-based tests generate thousands of random inputs per primitive using fast-check, verifying universal invariants — encrypt-then-decrypt roundtrips, signature verify-after-sign, KEM shared-secret agreement — without relying on hardcoded expected values.
Questions
5 GB free, post-quantum encrypted from day one. No credit card.
No credit card · 5 GB free forever