Security

Bank-Grade Encryption for Your Digital Life

Zero-Knowledge Architecture

ByteGuard is built on a zero-knowledge security model. We never see, access, or store your encryption keys.

  • Master Password: Your personal key to unlock the app. Never transmitted, never stored remotely.
  • Secret Key: A 12-word recovery phrase (BIP39) generated when you create your vault. Combined with your Master Password for maximum security.
  • Local Key Derivation: Argon2id with 64 MB memory cost and 3 iterations derives your master key locally. HKDF-SHA256 creates the key hierarchy.
  • No Backdoors: We cannot recover your data if you lose both your Master Password and Secret Key. This is by design.

Encryption Details

Multiple layers of encryption protect every piece of sensitive data.

  • Field-Level Encryption: Each sensitive field (passwords, card numbers, API keys) is individually encrypted with AES-256-GCM.
  • Key Hierarchy: Master Key → Key Encryption Key (KEK) → Data Encryption Key (DEK). Each item has its own DEK.
  • Unique IVs: Every encryption operation uses a unique initialization vector, ensuring identical plaintext produces different ciphertext.
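
The key hierarchy and per-field encryption described above, expressed with Apple's CryptoKit. This is an added example, not ByteGuard's code: the HKDF info label, the salt, the item IDs, binding each ciphertext to its item ID as associated data, and the fixed stand-in for the Argon2id output are all assumptions.

```swift
import CryptoKit
import Foundation

// Added illustration, not ByteGuard's code. Requires iOS 14 / macOS 11 for HKDF.
// `masterKey` stands in for the Argon2id output; CryptoKit itself has no Argon2id.
func deriveKEK(masterKey: SymmetricKey, salt: Data) -> SymmetricKey {
    HKDF<SHA256>.deriveKey(inputKeyMaterial: masterKey,
                           salt: salt,
                           info: Data("example/kek/v1".utf8), // hypothetical label
                           outputByteCount: 32)
}

struct EncryptedField {
    let wrappedDEK: Data  // per-item DEK sealed under the KEK (nonce || ciphertext || tag)
    let ciphertext: Data  // field value sealed under the DEK (same layout)
}

// Encrypt one field under a fresh per-item DEK, then wrap that DEK under the KEK.
func sealField(_ plaintext: Data, itemID: Data, kek: SymmetricKey) throws -> EncryptedField {
    let dek = SymmetricKey(size: .bits256)
    // With no nonce argument, AES.GCM.seal draws a random 96-bit nonce per call.
    let field = try AES.GCM.seal(plaintext, using: dek, authenticating: itemID)
    let dekBytes = dek.withUnsafeBytes { Data($0) }
    let wrapped = try AES.GCM.seal(dekBytes, using: kek, authenticating: itemID)
    // `combined` is nil only for non-96-bit nonces, which cannot occur here.
    return EncryptedField(wrappedDEK: wrapped.combined!, ciphertext: field.combined!)
}

// Unwrap the DEK with the KEK, then decrypt the field; either step throws on tampering.
func openField(_ f: EncryptedField, itemID: Data, kek: SymmetricKey) throws -> Data {
    let dekBytes = try AES.GCM.open(AES.GCM.SealedBox(combined: f.wrappedDEK),
                                    using: kek, authenticating: itemID)
    return try AES.GCM.open(AES.GCM.SealedBox(combined: f.ciphertext),
                            using: SymmetricKey(data: dekBytes), authenticating: itemID)
}

// Constructed sample input: a fixed 32-byte value in place of a real Argon2id result.
let masterKey = SymmetricKey(data: Data(repeating: 0x42, count: 32))
let kek = deriveKEK(masterKey: masterKey, salt: Data("constructed-vault-salt".utf8))
let secret = Data("constructed-sample-password".utf8)
let itemID = Data("item-1".utf8)
let a = try sealField(secret, itemID: itemID, kek: kek)
let b = try sealField(secret, itemID: itemID, kek: kek)
let opened = try openField(a, itemID: itemID, kek: kek)
// A ciphertext presented under a different item ID must fail authentication.
let moved = try? openField(a, itemID: Data("item-2".utf8), kek: kek)
precondition(a.ciphertext != b.ciphertext) // fresh DEK and nonce on every seal
precondition(opened == secret)
precondition(moved == nil)
```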

Data Storage

Your data stays on your device. Cloud sync is optional and always encrypted.

  • Local First: All data is stored in an encrypted local database on your device.
  • Optional iCloud Sync: When enabled, data is encrypted on-device before uploading to your private iCloud container via CloudKit.
  • Biometric Protection: Face ID and Touch ID via the Secure Enclave. Biometric data is handled by iOS, never accessed by the app.

What We Cannot Do

Our zero-knowledge architecture means:

  • We cannot view, access, or decrypt your stored data
  • We cannot reset your Master Password
  • We cannot recover your vault without your Secret Key
  • We cannot share your data with anyone — including law enforcement
  • We cannot insert backdoors into the encryption

Device Security Compatibility

ByteGuard is designed to work seamlessly with Apple's built-in security features.

  • Apple Lockdown Mode: Fully compatible with Apple's highest security protection. All features — including AutoFill, iCloud sync, and widgets — work normally when Lockdown Mode is enabled.
  • No WebView Dependency: ByteGuard does not use any web rendering engine. Your vault data is never processed through WebKit, eliminating an entire class of browser-based attack vectors.
  • Secure Enclave Integration: Biometric authentication is handled entirely by the iOS Secure Enclave. ByteGuard never accesses or stores biometric data.