Security
Built so even we can't open it.
No master keys held in reserve. No secret way to decrypt your data. The architecture itself is the promise — here's exactly how it works.
- Argon2id: memory-hard key derivation
- AES-256-GCM: on-device vault encryption
- 3-of-5: Shamir threshold recovery
How it works.
In one paragraph: your passphrase goes through Argon2id to derive a key that encrypts your vault with AES-256-GCM, on your device. The ciphertext is what we store. The key never leaves you. To recover for your family, we split that key into five sealed pieces — three of them, plus a 14-day hold, are needed to put it back together.
| Layer | Choice | Why |
|---|---|---|
| Key derivation | Argon2id (RFC 9106), 64 MiB, 3 iterations | Best-in-class against GPU brute-force; OWASP recommended |
| Symmetric cipher | AES-256-GCM | Authenticated; standard; constant-time on modern hardware |
| Key splitting | Shamir's Secret Sharing (3-of-5) | Each holder learns nothing alone; any three reconstruct |
| Holder envelope | Curve25519 NaCl box (X25519 + XSalsa20-Poly1305) | Each share is sealed to a holder's individual key |
| Recovery phrase | BIP39 24-word | Industry-standard; word lists are public; can be written on paper |
| Transport | TLS 1.3 only | No legacy ciphers, no opt-out |
The release engine, in detail.
- You pick five trusted humans when you set up. They each install Lyfos and verify their identity as a key holder.
- Your vault key is split into five pieces. Each piece is sealed to one holder's individual public key. No piece alone reveals anything about the key.
- If you die, your nominee opens a claim with a death certificate. Our team reviews it manually. Once approved, three of your holders are asked to release their share.
- The moment three shares arrive, a 14-day owner-protection hold begins. You receive alerts every day by email, SMS, WhatsApp and push notification. One tap aborts everything.
- If the hold expires without abort, your nominee can finally combine the three shares on their device and decrypt the emergency bundle. The vault stays sealed if anything breaks the chain.
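The key-splitting and release steps above (the 3-of-5 split from "How it works" and the hold-gated combine from the release engine), as an added example that is not Lyfos's own code. It assumes Shamir sharing over GF(2^8) with the AES reduction polynomial, shares numbered x = 1..5, one polynomial per key byte, and a hold modelled as a plain day count; the product's real share format, holder envelopes and claim workflow are not shown.

```python
"""Added illustration of 3-of-5 Shamir splitting plus a 14-day release gate.
Not Lyfos code: the field (GF(2^8), polynomial 0x11B), the share layout and
the day-count hold check are assumptions made for this example."""
import secrets
from itertools import combinations
from typing import List, Optional, Tuple

THRESHOLD, HOLDERS = 3, 5   # "3-of-5" as stated on the page
HOLD_DAYS = 14              # owner-protection hold as stated on the page

Share = Tuple[int, bytes]   # (x coordinate, one y byte per secret byte)


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (assumed field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Inverse as a^254 (the multiplicative group has order 255); a must be non-zero."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def split(secret: bytes, k: int = THRESHOLD, n: int = HOLDERS) -> List[Share]:
    """Split each byte with its own random degree-(k-1) polynomial; share i is (x=i, y-bytes)."""
    ys = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]  # constant term is the secret byte
        for idx in range(n):
            x, acc = idx + 1, 0
            for c in reversed(coeffs):        # Horner evaluation of the polynomial at x
                acc = _gf_mul(acc, x) ^ c
            ys[idx].append(acc)
    return [(idx + 1, bytes(y)) for idx, y in enumerate(ys)]


def combine(shares: List[Share]) -> bytes:
    """Lagrange-interpolate every byte at x=0. Fewer than k shares yields a wrong value, not an error."""
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num = _gf_mul(num, xm)       # (0 - xm) equals xm in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (xj - xm)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


def every_threshold_subset_recovers(secret: bytes) -> bool:
    """Check the page's claim: any three of five shares reconstruct the secret, any two do not.
    The two-share check is probabilistic and only meaningful for secrets of several bytes."""
    shares = split(secret)
    three_ok = all(combine(list(c)) == secret for c in combinations(shares, THRESHOLD))
    two_fail = all(combine(list(c)) != secret for c in combinations(shares, THRESHOLD - 1))
    return three_ok and two_fail


def release(shares: List[Share], days_since_hold_started: int, aborted: bool) -> Optional[bytes]:
    """Combine only when at least three shares arrived, the 14-day hold has fully run,
    and the owner never aborted. Any broken link returns None and the key stays sealed."""
    if aborted or len(shares) < THRESHOLD or days_since_hold_started < HOLD_DAYS:
        return None
    return combine(shares[:THRESHOLD])


if __name__ == "__main__":
    vault_key = secrets.token_bytes(32)            # constructed sample key, AES-256 sized
    holder_shares = split(vault_key)
    print("any 3 of 5 recover, any 2 do not:", every_threshold_subset_recovers(vault_key))
    print("combine on day 13:", release(holder_shares[:3], 13, False))
    print("combine on day 14:", release(holder_shares[:3], 14, False) == vault_key)
```

The point worth noticing is that `combine` on two shares does not fail loudly; it returns a uniformly wrong value, which is exactly why each holder alone (or any two colluding) learns nothing. The gate in `release` is where the page's "vault stays sealed if anything breaks the chain" lives: a missing share, an abort, or a premature attempt all return `None` rather than a partial result.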
What we cannot do.
- We cannot read your vault. Not on a subpoena, not for a customer support ticket, not for our own founder.
- We cannot recover your vault if you lose both your passphrase and your recovery phrase. By design.
- We cannot bypass the 14-day hold. Even for a verified nominee with a real death certificate. The hold is the owner-protection guarantee.
- We cannot defend against a compromised device. If your phone is rooted or your laptop is keylogged, an attacker who has your passphrase wins. Use a password manager. Use Face ID.
Audits & trust artefacts.
| Artefact | Status |
|---|---|
| Independent security audit | Pre-launch. Report + remediation will be published. |
| Cryptographic protocol review (academic) | Engaged. |
| Threat model | Public |
| Responsible disclosure policy | Published |
| Bug bounty | Up to ₹3,00,000 per finding |
| Cyber liability insurance | In procurement. Aggregate target ₹5-7 crore. |
| DPDPA grievance officer | grievance@lyfos.signorvale.com |
| Sub-processor list | Public |
| Status page | lyfos.signorvale.com/status |
Report a vulnerability.
Email security@lyfos.signorvale.com with details. PGP key at /.well-known/pgp-key.txt. First response within 4 hours for critical findings.