Vestyn encrypts vault contents on your devices. The server stores ciphertext, account records, and sync metadata — enough to keep devices in step, not enough to read secrets.
Your master password never leaves your device. It is stretched locally into key material, then each vault item is sealed before upload. The server receives authenticated ciphertext plus the metadata needed for login, sharing, and sync.
On unlock, your master password and a per-account salt are processed locally with Argon2id. The derived key unwraps your account key, which in turn unlocks vault keys. Keys are held in memory only while needed; on macOS, Touch ID can release a Keychain-protected restore key without exposing biometric data to Vestyn.
Each item is serialized to JSON and sealed individually. Names, usernames, URLs, notes, and TOTP secrets live inside the encrypted payload. The server sees ids, vault membership, timestamps, nonces, and authenticated blobs; it does not receive the plaintext item fields.
Every vault has its own symmetric key. To share a vault, that key is wrapped to each member’s public key, so access is tied to cryptographic material as well as server-side membership. Revoking access should be paired with key rotation for future secrecy.
The server authenticates you with a verifier it cannot reverse into your password. Biometric unlock is handled by the operating system: Vestyn asks macOS to authorize access to Keychain-protected material after Touch ID succeeds. Vestyn never sees your fingerprint.
| The server sees | The server never sees |
|---|---|
| **Encrypted item blobs**: authenticated ciphertext and nonces | **Master password**: never transmitted, in any form |
| **Item & vault ids**: random identifiers for sync | **Item contents**: names, usernames, passwords, URLs, notes |
| **Timestamps & sizes**: for sync and conflict handling | **Decryption keys**: derived and held on client devices |
| **Account email**: for login and invites | **TOTP secrets**: sealed inside item ciphertext |
All client traffic should run over TLS to your instance — there is no Vestyn-operated cloud in the vault data path. At rest, the database stores ciphertext and operational metadata; encrypting volumes and backups is still recommended defense in depth.
The protocol and clients are open source under the AGPL-3.0 license. You can inspect the implementation, run your own server, and compare release notes and checksums before installing updates.