Security

Security you can verify

Every cryptographic claim on this page is auditable in the open-source code. Here is exactly what StenVault does — and why.

Zero-knowledge architecture

The server only ever sees encrypted bytes. Filenames, file content, and encryption keys stay on your device.

Server stores only ciphertext

File content and filenames are encrypted on your device before they reach our servers. We never hold plaintext or decryption keys.

Passwords never transmitted

Login uses the OPAQUE protocol (RFC 9807). Your password never leaves your device, and no password hash is stored on the server.

Open source under GPL-3.0

The full client is public on GitHub. Every cryptographic claim on this page is verifiable in the source code.

Post-quantum cryptography, explained

NIST defines five security levels for post-quantum algorithms. Most implementations choose Level 1, equivalent to AES-128. StenVault uses Level 3, equivalent to AES-192, in a hybrid construction with X25519.

| Algorithm | NIST Level | Equivalent strength |
| --- | --- | --- |
| ML-KEM-512 / Kyber-512 | Level 1 | ≈ AES-128 |
| ML-KEM-768 | Level 3 | ≈ AES-192 |
| ML-KEM-1024 | Level 5 | ≈ AES-256 |

StenVault combines ML-KEM-768 with X25519 in a true hybrid KEM. An attacker must break both to compromise your files. If ML-KEM-768 has an undiscovered weakness, X25519 still protects you. If X25519 falls to quantum computers, ML-KEM-768 still protects you. No single point of cryptographic failure.

The full cryptographic stack

Standardized, peer-reviewed primitives. Every layer uses a NIST- or IETF-standardized algorithm.

| Primitive | Classical | Post-quantum | Purpose |
| --- | --- | --- | --- |
| Key encapsulation | X25519 ECDH | ML-KEM-768 (FIPS 203) | Per-file key wrapping |
| Digital signatures | Ed25519 | ML-DSA-65 (FIPS 204) | File integrity |
| Password auth | OPAQUE (RFC 9807) | | Zero-knowledge login |
| File encryption | AES-256-GCM | | Content encryption |
| Key derivation | Argon2id (47 MiB, t=1, p=1) | | Password → KEK |
| File format | CVEF v1.4 (container v2) | | AAD-bound envelope |

Want every cryptographic detail?

The security whitepaper documents algorithms, parameters, data flows, and design rationale with direct citations to the source code.


Verify it in the source

Every claim on this page is backed by a file in the public repository.

Frequently asked

What is hybrid post-quantum cryptography?
Hybrid post-quantum cryptography combines a classical algorithm (X25519) with a post-quantum algorithm (ML-KEM-768), so an attacker must break both to compromise the shared secret. StenVault combines the two shared secrets using HKDF-SHA256 to derive a single file-encryption key. This protects against today's classical attacks and against future quantum attacks on the classical algorithm, without relying on the post-quantum algorithm alone. That matters because post-quantum standards are newer and have had less time under peer review than classical cryptography.
Why Level 3 and not Level 5?
NIST defines five post-quantum security levels. Level 1 is roughly equivalent to AES-128, Level 3 to AES-192, and Level 5 to AES-256. StenVault uses ML-KEM-768 (Level 3) because it provides a strong margin over Level 1 — where most post-quantum deployments currently sit — while keeping keys and ciphertexts small enough for fast file upload and key wrapping. Level 5 would add another margin at the cost of larger keys and slower operations, with no credible near-term threat that Level 3 would fail to stop.
Has StenVault been audited?
StenVault has not yet undergone a formal third-party cryptographic audit. In the absence of an audit, the transparency mechanism is the open-source code: every primitive, parameter, and data flow is visible under GPL-3.0 at github.com/StenVault/stenvault. The security whitepaper documents exact algorithms, parameters, and design rationale with direct links to the source files. An independent audit is planned as the user base grows.
What happens if a post-quantum algorithm is broken?
Because StenVault uses hybrid encryption, a break in ML-KEM-768 alone does not compromise your files. The classical X25519 component continues to protect the shared secret under its own security assumption, giving you time to migrate to a new post-quantum algorithm. The reverse is also true: if a quantum computer breaks X25519 first, ML-KEM-768 still protects you. This dual-protection property is the reason StenVault chose a true hybrid KEM over single-algorithm post-quantum.
Is AES-256 quantum-safe?
Yes. Grover's algorithm — the best-known quantum attack on symmetric ciphers — reduces the effective security of a symmetric key by roughly half, so AES-256 offers approximately 128 bits of post-quantum security, well above the threshold NIST considers secure. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) includes AES-256 alongside ML-KEM and ML-DSA for classified systems, confirming that AES-256 remains appropriate in a post-quantum world.
What is harvest-now-decrypt-later?
An adversary who cannot break today's encryption can still collect encrypted traffic and storage now, then decrypt it later, once a cryptographically relevant quantum computer exists. For sensitive long-lived data — legal documents, medical records, intellectual property, personal archives — encryption needs to be quantum-safe today, not tomorrow. Deferring the upgrade until quantum computers arrive would be too late for data with a decade or more of confidentiality requirements. StenVault adopts post-quantum cryptography now so files encrypted today stay safe decades from now.
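
The hybrid combination described in the first answer above, as an added example that is not StenVault's code: HKDF-SHA256 (RFC 5869) built from the Python standard library, applied to two 32-byte shared secrets. The concatenation order, empty salt, `info` label, helper names and sample secrets are assumptions made for illustration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF per RFC 5869 with SHA-256: extract a PRK, then expand it."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-SHA256")
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid(ss_x25519: bytes, ss_mlkem: bytes, context: bytes = b"") -> bytes:
    """Derive one 256-bit key from both KEM shared secrets.

    Assumed layout (not taken from StenVault): IKM = X25519 secret || ML-KEM
    secret, empty salt, and a hypothetical info label for domain separation.
    """
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    info = b"example-hybrid-kem-v1|" + context  # hypothetical label
    return hkdf_sha256(ss_x25519 + ss_mlkem, b"", info, 32)


def attacker_with_one_secret(known: bytes, which: str, guess: bytes) -> bytes:
    """Key an attacker computes after breaking one component and guessing the other."""
    if which == "x25519":
        return combine_hybrid(known, guess)
    return combine_hybrid(guess, known)


# Constructed stand-ins for the two 32-byte shared secrets (not real KEM outputs).
SS_X25519 = hashlib.sha256(b"constructed X25519 shared secret").digest()
SS_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()

if __name__ == "__main__":
    key = combine_hybrid(SS_X25519, SS_MLKEM)
    print("derived key:", key.hex())
    # Breaking only one component leaves the other 256-bit input unknown.
    print(attacker_with_one_secret(SS_X25519, "x25519", bytes(32)) == key)
    print(attacker_with_one_secret(SS_MLKEM, "mlkem", bytes(32)) == key)
```

Because both secrets feed the same HKDF input, recovering only one of them still leaves a 256-bit unknown in the derivation.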
