Built from the ground up
for hostile environments.
Our threat model assumes sophisticated adversaries โ state-level actors, well-funded attackers, and insider threats. Here's how we design against them.
End-to-End Encryption
All files are encrypted client-side using AES-256-GCM before they are transmitted to our servers. Your encryption keys never leave your device. We store only ciphertext.
Even if our servers were seized, the data would be mathematically useless without your key. We cannot decrypt your files. Law enforcement cannot compel us to decrypt your files. We simply do not have the keys.
- โAES-256-GCM authenticated encryption
- โKeys derived from your password using Argon2id
- โForward secrecy on all connections
- โNo plaintext ever transmitted or stored
Tor Hidden Service (.onion)
Your vault is accessed via a Tor hidden service โ a .onion address that routes traffic through the Tor anonymity network. This means your IP address is never revealed, even to our servers.
Tor hidden services also provide protection against server-side deanonymization. We cannot log your IP even if we wanted to, because Tor hidden services never receive the client's real IP address.
- โFull Tor circuit for every connection
- โServer IP address also protected
- โResistant to network-level surveillance
- โWorks with Tor Browser โ no configuration needed
Zero-Knowledge Authentication
We use a zero-knowledge password protocol (SRP โ Secure Remote Password). This means your password is never sent to our servers, even during login. We verify that you know your password without ever seeing it.
If our authentication database were compromised, an attacker would find no passwords โ not even hashed ones they could crack. We simply don't store them.
- โSRP-6a zero-knowledge password protocol
- โNo password hashes stored on server
- โResistant to server-side credential theft
- โNo password recovery possible โ by design
No-Log Policy
We do not log IP addresses, connection times, access patterns, or file metadata. Our systems are configured to avoid generating logs in the first place โ because logs that don't exist can't be subpoenaed.
This is not a policy we can be pressured to change retroactively. The architecture makes logging technically impractical for most sensitive data.
- โNo IP address logging
- โNo connection timestamp logging
- โNo file access pattern logging
- โNo metadata retained after operations complete
Offline Primary Storage & Encrypted Backups
Our primary storage tier is air-gapped and offline during normal operations. Data is only accessible during brief, audited synchronization windows. This means that even a successful server compromise yields only stale, encrypted data.
Backups are encrypted with independent keys and stored in separate physical locations. A compromise of one location does not compromise your data.
- โAir-gapped primary storage
- โRegular encrypted backups to separate locations
- โBackup keys independent of primary keys
- โBackup access requires multi-party authorization
A note on transparency
We believe in being honest about what we can and cannot protect against. No system is perfectly secure. If you are facing a sophisticated, well-resourced adversary, we recommend combining SealedCitadel with other operational security practices. Compartmentalize. Use Tor Browser. Minimize your digital footprint. We are one layer of a defense-in-depth strategy.