Supervault

Frequently Asked Questions

What is Supervault?

Supervault is an offline, encrypted, on-device vault for your one-time passwords (2FA codes), passphrases, PINs, notes, and other short secrets. Everything is stored and encrypted locally on your device.

Who is Supervault for?

Anyone who wants full control of their data and would rather not trust a third-party cloud service to hold it. There is no account to create, and nothing leaves your device unless you choose to export it.

Are there ads, trackers, or analytics?

No. There is no advertising, no analytics, no tracking pixels or SDKs, and no telemetry. There is nothing to track because there is no server. See our Privacy Policy for the details.

How is my data encrypted?

All cryptography uses libsodium, a widely used and audited cryptographic library. Your vault contents are encrypted with XChaCha20-Poly1305, an authenticated cipher: it hides the data and also detects any modification of the stored ciphertext. Your device password is stretched into a key with Argon2id using strong parameters; Argon2id is deliberately slow and memory-hard, which makes brute-forcing the password expensive. All of this runs on your device; the keys never leave it.

What is the Master Key?

The Master Key is the 256-bit key (32 random bytes from a cryptographically secure generator) that actually encrypts your vault. It is not derived from your password, so it carries the full 256 bits of entropy, far beyond what brute force can reach. It is the only thing that can decrypt your data if you lose your device, so save it somewhere safe. We never have it and cannot recover it for you.

It is shown to you as a 60-character recovery code (12 groups of 5 characters).

What is the device password?

The device password is the password you choose to protect and unlock the vault on a specific device (optionally together with Face ID or Touch ID). It is stretched with Argon2id into a key that encrypts (wraps) the Master Key on that device, so later unlocks can reach the Master Key without you having to enter it. It is separate from the Master Key itself, and we cannot recover it for you. On iOS the wrapped key lives in the Keychain, protected by the Secure Enclave where available and tied to your device passcode.

It is not used to encrypt your data; it only protects the Master Key stored on your device.
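
The key hierarchy described in the three answers above (how the data is encrypted, what the Master Key is, what the device password does), as an added worked example in Python. This is not Supervault's code: a random 256-bit Master Key encrypts the vault, and the device password is stretched into a separate key that encrypts only the Master Key. To run without any third-party package, XChaCha20-Poly1305 is reimplemented here from its public specification (RFC 8439 ChaCha20-Poly1305 plus HChaCha20) instead of being called from libsodium, and the standard library's scrypt stands in for Argon2id; it is a different memory-hard KDF, and its parameters, the salt size, the `mk-wrap` and `vault` labels, the blob layouts and the function names are assumptions for illustration, not the app's format or settings.

```python
"""Key hierarchy of a Supervault-style vault. Added example, not the app's code.
Stand-ins, labelled again below: XChaCha20-Poly1305 is reimplemented in pure Python
(RFC 8439 ChaCha20-Poly1305 plus HChaCha20) so nothing beyond the stdlib is needed; the
app calls libsodium. hashlib.scrypt stands in for Argon2id: memory-hard, but NOT Argon2id,
with illustrative parameters that are not the app's settings."""
import hashlib, hmac, secrets, struct
MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constants
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round on state words a, b, c, d (in place)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(s):  # 20 rounds = 10 x (4 column + 4 diagonal quarter rounds), in place
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)

def chacha20_block(key, counter, nonce12):  # one 64-byte keystream block (IETF layout)
    state = [*SIGMA, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    w = state[:]
    _rounds(w)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor(key, counter, nonce12, data):  # XOR data with keystream from block `counter` on
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce12)))
    return bytes(out)

def hchacha20(key, nonce16):  # subkey: state words 0-3 and 12-15 after 20 rounds, no feedforward
    s = [*SIGMA, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)]
    _rounds(s)
    return struct.pack("<8I", *s[:4], *s[12:])

def poly1305(otk, msg):  # one-time MAC over msg with the 32-byte key otk = r || s
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamped r
    s, p, acc = int.from_bytes(otk[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        acc = ((acc + int.from_bytes(block, "little") + (1 << (8 * len(block)))) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_input(aad, ct):  # RFC 8439: pad16(aad) || pad16(ct) || len(aad) || len(ct) as 64-bit LE
    pad = lambda b: b + bytes(-len(b) % 16)
    return pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def chacha20_poly1305_encrypt(key, nonce12, aad, plaintext):
    """IETF ChaCha20-Poly1305: returns ciphertext || 16-byte tag."""
    otk = chacha20_block(key, 0, nonce12)[:32]     # one-time Poly1305 key from block 0
    ct = chacha20_xor(key, 1, nonce12, plaintext)   # data keystream starts at block 1
    return ct + poly1305(otk, _mac_input(aad, ct))

def chacha20_poly1305_decrypt(key, nonce12, aad, data):
    ct, tag = data[:-16], data[-16:]
    otk = chacha20_block(key, 0, nonce12)[:32]
    if not hmac.compare_digest(poly1305(otk, _mac_input(aad, ct)), tag):  # verify before decrypting
        raise ValueError("authentication failed: wrong key or tampered data")
    return chacha20_xor(key, 1, nonce12, ct)

def xchacha20_poly1305_encrypt(key, nonce24, aad, plaintext):
    """XChaCha20-Poly1305: subkey = HChaCha20(key, nonce[:16]); inner nonce = 4 zero bytes || nonce[16:]."""
    return chacha20_poly1305_encrypt(hchacha20(key, nonce24[:16]), bytes(4) + nonce24[16:], aad, plaintext)

def xchacha20_poly1305_decrypt(key, nonce24, aad, data):
    return chacha20_poly1305_decrypt(hchacha20(key, nonce24[:16]), bytes(4) + nonce24[16:], aad, data)

def new_master_key():  # the Master Key: 32 bytes straight from the OS CSPRNG, never from a password
    return secrets.token_bytes(32)

def password_to_wrapping_key(password, salt):  # stand-in for Argon2id: stdlib scrypt (assumption)
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def wrap_master_key(master_key, password):
    """Stored on the device: salt || nonce || AEAD(wrapping key, Master Key); never the key itself."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(24)
    wk = password_to_wrapping_key(password, salt)
    return salt + nonce + xchacha20_poly1305_encrypt(wk, nonce, b"mk-wrap", master_key)

def unwrap_master_key(blob, password):  # raises ValueError on a wrong password or a tampered blob
    salt, nonce, ct = blob[:16], blob[16:40], blob[40:]
    return xchacha20_poly1305_decrypt(password_to_wrapping_key(password, salt), nonce, b"mk-wrap", ct)

def encrypt_vault(master_key, plaintext):  # vault and backups: under the Master Key, never the password
    nonce = secrets.token_bytes(24)
    return nonce + xchacha20_poly1305_encrypt(master_key, nonce, b"vault", plaintext)

def decrypt_vault(master_key, blob):
    return xchacha20_poly1305_decrypt(master_key, blob[:24], b"vault", blob[24:])

def demo(password="correct horse battery staple"):
    """Normal unlock (password unwraps the Master Key) and recovery (saved Master Key alone)."""
    mk = new_master_key()
    wrapped, vault = wrap_master_key(mk, password), encrypt_vault(mk, b"otp:JBSWY3DPEHPK3PXP")  # constructed
    unlocked = decrypt_vault(unwrap_master_key(wrapped, password), vault)
    recovered = decrypt_vault(mk, vault)  # backup + Master Key, no device password needed
    return unlocked == recovered == b"otp:JBSWY3DPEHPK3PXP"
```

`demo()` walks the two paths the FAQ contrasts: unlocking with the device password, which only ever unwraps the Master Key, and recovering with nothing but the saved Master Key and the encrypted blob. A wrong password or a single flipped ciphertext byte makes the decrypt functions raise ValueError before any plaintext is released, which is what "authenticated encryption" buys in practice. The reimplemented primitives can be checked against the published test vectors in RFC 8439 and the HChaCha20 draft.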

How do backups work?

Backups are always encrypted with your Master Key. You can export an encrypted backup file and keep it wherever you like, or turn on automated iCloud backup. Either way, you need your Master Key to restore it. An optional backup password adds an extra wrapping layer that hides metadata and protects the backup against tampering.

How do I recover my data without the app?

You need a backup file to read your data. Open the Recovery page, select your backup file, and enter your Master Key (plus your backup password, if you set one). The page runs entirely in your browser, is read-only, and makes no network requests.

Because the Recovery page is a single self-contained file, you can download it and keep a copy alongside your backups, so you can still recover your data if this website is ever down or the app is unavailable. It uses the same open cryptographic primitives (libsodium) as the app, so your backups are never locked to a single program.

What happens if I forget my password?

Because encryption happens on your device and we hold no copy of anything, we cannot recover a forgotten device password. The Master Key you saved, together with a backup file, still lets you restore access through the app or the Recovery page.

What happens if I lose or replace my phone?

As long as you have a backup (an exported file or iCloud) and your saved Master Key, you can restore your vault on a new device, or decrypt it directly with the offline Recovery page. Without both the backup and the Master Key, the data cannot be recovered by you or by us. That is the point: only you hold the keys. Store your Master Key, and a copy of the Recovery page, somewhere safe and separate from your backup.