How FyVault Protects Your Secrets
A high-level overview of how FyVault keeps your credentials safe — from creation to runtime injection.
The Secret Lifecycle
Your secrets follow a simple, secure path:
1. You encrypt. Secrets are encrypted in your browser before they leave your machine, so FyVault never sees plaintext.
2. We store ciphertext. The FyVault cloud stores only encrypted blobs. Even with full database access, your secrets cannot be recovered without your vault passphrase.
3. Your device decrypts. When your server boots, the FyVault agent retrieves the ciphertext and decrypts it on the device itself.
4. Secrets are injected transparently. Your application is configured with placeholder values; the agent replaces them with the real credentials at runtime, so your code never changes.
What Happens at Boot
When your server starts, a secure handoff takes place:
1. The FyVault agent starts before your application.
2. It authenticates to the FyVault cloud using hardware-backed device authentication.
3. It receives your encrypted secrets and stores them in a hardware-isolated kernel key store.
4. Your application starts, and secrets are injected transparently at runtime.
After boot, the cloud connection closes and everything runs fully offline from that point, so the window in which the agent is reachable over the network is measured in seconds.
Why Your Secrets Are Safe
Client-side encryption
Your secrets are encrypted in your browser before upload. FyVault servers only ever see ciphertext; we cannot read your secrets, because the key that decrypts them is never sent to us.
Kernel-level isolation
On your server, secrets are stored in kernel memory that is inaccessible to unprivileged application processes. Even if an attacker compromises your app, they cannot read the real credentials out of its memory. This boundary is the kernel's: it holds as long as the attacker does not also gain root or kernel-level access on the host.
Boot-only cloud contact
The FyVault cloud is only contacted for a few seconds during server boot. After that, everything runs offline, which minimizes the window for any network-based attack on the secret delivery path.
Hardware-backed device authentication
Only your registered servers, verified by hardware identity, can receive secrets. A stolen token alone is useless without the matching hardware, because the cloud checks a proof from the device's hardware-bound key, not just the token.
Zero-Knowledge in Practice
Your secrets are encrypted in the browser using AES-256 with a key derived from your vault passphrase by an industry-standard password-based key derivation function. The FyVault cloud stores only ciphertext. Even with full database access, the plaintext cannot be recovered without the passphrase. Because the passphrase is the one input an attacker lacks, the strength of this guarantee rests on its entropy: the key derivation function slows brute-force guessing, but it cannot make a weak passphrase strong.
What the server stores:
DKj3mR1x9QbN7Hf2kL5pW8vE...
Ciphertext. Useless without the passphrase.
What you see:
sk-proj-your-actual-key
Decrypted in your browser only.
Want the full technical details?
For detailed cryptographic design, key management architecture, and security audit results, request our Security Whitepaper.