Security

Security you can verify

Every cryptographic claim on this page is auditable in the open-source code. Here is exactly what StenVault does — and why.

Zero-knowledge architecture

The server only ever sees encrypted bytes. Filenames, file content, and encryption keys stay on your device.

Server stores only ciphertext

File content and filenames are encrypted on your device before they reach our servers. We never hold plaintext or decryption keys.

Passwords never transmitted

Login uses the OPAQUE protocol (RFC 9807). Your password never leaves your device, and no password hash is stored on the server.

Open source under GPL-3.0

The full client is public on GitHub. Every cryptographic claim on this page is verifiable in the source code.

Post-quantum cryptography, explained

NIST defines five security levels for post-quantum algorithms. Most implementations choose Level 1, equivalent to AES-128. StenVault uses Level 3, equivalent to AES-192, in a hybrid construction with X25519.

| Algorithm | NIST Level | Equivalent strength |
| --- | --- | --- |
| ML-KEM-512 / Kyber-512 | Level 1 | ≈ AES-128 |
| ML-KEM-768 | Level 3 | ≈ AES-192 |
| ML-KEM-1024 | Level 5 | ≈ AES-256 |

StenVault combines ML-KEM-768 with X25519 in a true hybrid KEM. An attacker must break both to compromise your files. If ML-KEM-768 has an undiscovered weakness, X25519 still protects you. If X25519 falls to quantum computers, ML-KEM-768 still protects you. No single point of cryptographic failure.

The full cryptographic stack

Standardized, peer-reviewed primitives. Every layer uses a NIST- or IETF-standardized algorithm.

| Primitive | Classical | Post-quantum | Purpose |
| --- | --- | --- | --- |
| Key encapsulation | X25519 ECDH | ML-KEM-768 (FIPS 203) | Per-file key wrapping |
| Digital signatures | Ed25519 | ML-DSA-65 (FIPS 204) | File integrity |
| Password auth | OPAQUE (RFC 9807) | | Zero-knowledge login |
| File encryption | AES-256-GCM | | Content encryption |
| Key derivation | Argon2id (47 MiB, t=1, p=1) | | Password → KEK |
| File format | CVEF v1.4 (container v2) | | AAD-bound envelope |

Want every cryptographic detail?

The security whitepaper documents algorithms, parameters, data flows, and design rationale with direct citations to the source code.


Verify it in the source

Every claim on this page is backed by a file in the public repository.

Verified, not just claimed

Every cryptographic primitive is tested against authoritative reference implementations, not just internal unit tests.

Validated against industry-standard test vectors

Every cryptographic primitive is tested against authoritative reference vectors from Google's Project Wycheproof (AES-256-GCM, X25519, Ed25519, HKDF-SHA256, AES Key Wrap), NIST FIPS 203 and 204 for ML-KEM-768 and ML-DSA-65, and RFC 9106 and RFC 3394 for Argon2id and AES-KW. These are the same suites used by OpenSSL and BoringSSL.

Cross-implementation differential testing

Five primitives are tested across two independent codebases that must agree on every output: @stenvault/pqc-wasm vs @noble/post-quantum for ML-KEM-768 and ML-DSA-65, WebCrypto vs @noble/curves for X25519 and Ed25519, and WebCrypto vs Node.js crypto for AES-256-GCM.

Property-based fuzzing

40 property-based tests generate thousands of random inputs per primitive using fast-check, verifying universal invariants — encrypt-then-decrypt roundtrips, signature verify-after-sign, KEM shared-secret agreement — without relying on hardcoded expected values.

Frequently asked

What is hybrid post-quantum cryptography?

Hybrid post-quantum cryptography combines a classical algorithm (X25519) with a post-quantum algorithm (ML-KEM-768), so an attacker must break both to compromise the shared secret. StenVault combines the two shared secrets using HKDF-SHA256 to derive a single file-encryption key. This protects against today's attacks on the classical algorithm and against future quantum attacks on it, without relying on the post-quantum algorithm alone. That matters because post-quantum standards are newer and have had less time under peer review than classical cryptography.

Why Level 3 and not Level 5?

NIST defines five post-quantum security levels. Level 1 is roughly equivalent to AES-128, Level 3 to AES-192, and Level 5 to AES-256. StenVault uses ML-KEM-768 (Level 3) because it provides a strong margin over Level 1 — where most post-quantum deployments currently sit — while keeping keys and ciphertexts small enough for fast file upload and key wrapping. Level 5 would add another margin at the cost of larger keys and slower operations, with no credible near-term threat that Level 3 would fail to stop.

Has StenVault been audited?

StenVault has not yet undergone a formal third-party cryptographic audit. In the absence of an audit, the transparency mechanism is the open-source code: every primitive, parameter, and data flow is visible under GPL-3.0 at github.com/StenVault/stenvault. The security whitepaper documents exact algorithms, parameters, and design rationale with direct links to the source files. An independent audit is planned as the user base grows.

What happens if a post-quantum algorithm is broken?

Because StenVault uses hybrid encryption, a break in ML-KEM-768 alone does not compromise your files. The classical X25519 component continues to protect the shared secret under its own security assumption, giving you time to migrate to a new post-quantum algorithm. The reverse is also true: if a quantum computer breaks X25519 first, ML-KEM-768 still protects you. This dual-protection property is the reason StenVault chose a true hybrid KEM over single-algorithm post-quantum.

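
The hybrid property described in this answer, as an added example that is not StenVault's code: it wraps a per-file key with AES-256-GCM under an HKDF-SHA256 combination of two shared secrets and shows that unwrapping fails when either secret is unknown or the AAD-bound header is altered. The X25519 exchange is real (Node.js `crypto`); a random 32-byte value stands in for the ML-KEM-768 shared secret, and the concatenation order, empty salt, info label, header bytes and function names are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// HKDF-SHA256 over both secrets; order, empty salt and info label are assumptions.
function combineSecrets(ssClassical, ssPostQuantum) {
  const ikm = Buffer.concat([ssClassical, ssPostQuantum]);
  return Buffer.from(crypto.hkdfSync('sha256', ikm, Buffer.alloc(0), 'example-hybrid-kek', 32));
}

// AES-256-GCM wrap of the per-file key; the header is bound as AAD.
function wrapFileKey(kek, fileKey, header) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(header);
  const ct = Buffer.concat([cipher.update(fileKey), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the file key, or null when the tag check fails (wrong KEK or altered header).
function unwrapFileKey(kek, wrapped, header) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, wrapped.iv);
  decipher.setAAD(header);
  decipher.setAuthTag(wrapped.tag);
  try {
    return Buffer.concat([decipher.update(wrapped.ct), decipher.final()]);
  } catch {
    return null;
  }
}

function demo() {
  // Real X25519 exchange between an ephemeral sender key and the recipient key.
  const recipient = crypto.generateKeyPairSync('x25519');
  const ephemeral = crypto.generateKeyPairSync('x25519');
  const ssSender = crypto.diffieHellman({ privateKey: ephemeral.privateKey, publicKey: recipient.publicKey });
  const ssRecipient = crypto.diffieHellman({ privateKey: recipient.privateKey, publicKey: ephemeral.publicKey });
  // Stand-in (assumption): ML-KEM-768 also gives both sides a 32-byte shared secret.
  const ssMlKem = crypto.randomBytes(32);
  const header = Buffer.from('constructed-header-v1'); // constructed sample AAD
  const fileKey = crypto.randomBytes(32);
  const wrapped = wrapFileKey(combineSecrets(ssSender, ssMlKem), fileKey, header);
  const unwrap = (a, b, h = header) => unwrapFileKey(combineSecrets(a, b), wrapped, h);
  return {
    recipientUnwraps: unwrap(ssRecipient, ssMlKem).equals(fileKey),
    onlyClassicalKnown: unwrap(ssRecipient, crypto.randomBytes(32)), // ML-KEM secret unknown
    onlyPostQuantumKnown: unwrap(crypto.randomBytes(32), ssMlKem),   // X25519 secret unknown
    headerAltered: unwrap(ssRecipient, ssMlKem, Buffer.from('constructed-header-v2')),
  };
}
console.log(demo());
```
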
Is AES-256 quantum-safe?

Yes. Grover's algorithm, the best-known quantum attack on symmetric ciphers, roughly halves the effective bit strength of a symmetric key, so AES-256 offers approximately 128 bits of post-quantum security, well above the threshold NIST considers secure. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) includes AES-256 alongside ML-KEM and ML-DSA for classified systems, confirming that AES-256 remains appropriate in a post-quantum world.

What is harvest-now-decrypt-later?

An adversary who cannot break today's encryption can still collect encrypted traffic and storage now, then decrypt it later, once a cryptographically relevant quantum computer exists. For sensitive long-lived data — legal documents, medical records, intellectual property, personal archives — encryption needs to be quantum-resistant today, not tomorrow. Deferring the upgrade until quantum computers arrive would be too late for data with a decade or more of confidentiality requirements. StenVault adopts post-quantum cryptography now so files encrypted today stay safe decades from now.

How does StenVault's encryption compare to other post-quantum providers?

The most visible comparison is Internxt, which states on its homepage: “Internxt uses AES-256 combined with post-quantum Kyber-512.” Based on this description, the two primitives operate at different layers — AES-256 for symmetric file encryption and Kyber-512 for key exchange. Neither backstops the other at the same cryptographic level.

StenVault uses a true hybrid KEM: ML-KEM-768 and X25519 both operate at the key-encapsulation level, and their shared secrets are combined via HKDF-SHA256 before deriving the file-encryption key. An attacker must break both to compromise the shared secret.

The NIST security level also differs. Internxt's own blog describes Kyber-512 as “roughly equivalent to AES-128” (NIST Level 1). StenVault uses ML-KEM-768, which is NIST Level 3 — roughly equivalent to AES-192.

Finally, StenVault includes post-quantum signatures (ML-DSA-65 + Ed25519 hybrid) for file integrity. Internxt has no documented post-quantum signature scheme.
