Security model

Trust nothing. Verify everything.

A working zero-knowledge system has receipts. Below is every cryptographic primitive Keevo uses, every key it derives, and every place plaintext could leak — annotated, sourced, and reproducible.

Threat model

What we can — and cannot — protect against.

Server compromise

An attacker steals our entire database. They get encrypted blobs, not plaintext. They cannot brute-force without your Secret Key.

Network adversary (MITM)

Pinned TLS plus authenticated ciphertext. A network attacker intercepting your sync sees noise, not credentials.

Phishing

AutoFill matches by exact origin, never by visual similarity. A phishing site at vletcombank.com cannot trick AutoFill.
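The exact-origin rule above, written out as an added example (not Keevo's code; the vault layout, the `.example` domains and the credentials are constructed for illustration). The point it makes is that "exact origin" means scheme, host and port after normalisation, and that every lookalike or downgrade, including the page's vletcombank.com and a userinfo trick such as `https://login.bank.example@evil.example/`, resolves to a different origin and therefore gets no candidates:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the canonical (scheme, host, port) of a web URL, or None if it has no usable origin.

    Scheme and host are lower-cased, the default port is filled in, a trailing dot on the
    host is dropped, and userinfo is discarded, so 'https://bank.example@evil.example/'
    is an origin of evil.example, not of bank.example.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        host = parts.hostname.rstrip(".")  # .hostname is already lower-cased and has userinfo removed
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # malformed port or bracketed host
        return None
    return (scheme, host, port)


class Vault:
    """Minimal vault keyed by exact origin; a stand-in for the real store."""

    def __init__(self):
        self._entries = {}

    def add(self, url, username, password):
        origin = origin_of(url)
        if origin is None:
            raise ValueError(f"not a web origin: {url!r}")
        self._entries.setdefault(origin, []).append((username, password))

    def autofill_candidates(self, page_url):
        """Exact-origin lookup only: no substring match, no edit distance, no parent domain."""
        origin = origin_of(page_url)
        return list(self._entries.get(origin, [])) if origin else []


def demo():
    """Probe a vault with constructed entries and report which pages would get AutoFill."""
    vault = Vault()
    vault.add("https://login.bank.example/signin", "alice", "hunter2")    # constructed entry
    vault.add("https://vietcombank.example/", "alice", "correct-horse")   # constructed, .example TLD
    probes = {
        "same_origin_different_case": "https://LOGIN.Bank.Example/other/path",
        "trailing_dot": "https://login.bank.example./signin",
        "lookalike_rn_for_m": "https://login.bank.exarnple/signin",
        "lookalike_l_for_i": "https://vletcombank.example/",            # the page's example, on .example
        "parent_domain": "https://bank.example/",
        "http_downgrade": "http://login.bank.example/signin",
        "other_port": "https://login.bank.example:8443/",
        "userinfo_trick": "https://login.bank.example@evil.example/",
    }
    return {name: bool(vault.autofill_candidates(url)) for name, url in probes.items()}
```

Only the first two probes match; the rest are different origins and the vault returns nothing, which is the behaviour the threat model describes.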

Lost device

Vault encrypted at rest with a key derived from Master Password + Secret Key. A stolen iPhone with no biometric is useless.

Compromised endpoint

A device with active malware running as the user can read decrypted vault state. No password manager survives this — and we won't pretend otherwise.

Forgotten Master Password

Lose both Master Password AND Recovery Kit and the vault is unrecoverable. By design — that's what "we can't read your data" actually means.

Cryptographic stack

Boring, well-studied primitives.

Every primitive below is documented in a public RFC or peer-reviewed paper. We don't invent crypto — we wire well-known building blocks correctly.

| Purpose | Primitive | Parameters | Reference |
| --- | --- | --- | --- |
| Symmetric encryption | XChaCha20-Poly1305 | 256-bit key, 192-bit nonce | RFC 8439 + IETF draft |
| Key derivation (Master Password) | Argon2id | m=1 GB · t=4 · p=2 | RFC 9106 |
| Key derivation (HKDF) | HKDF-SHA-256 | Extract + Expand · 32-byte output | RFC 5869 |
| Asymmetric (sharing) | X25519 + Ed25519 | ECDH (encrypt) · EdDSA (sign) | RFC 7748 / 8032 |
| Random source | getrandom() / SecRandom | OS CSPRNG | |
| Transport | TLS 1.3 + cert pinning | Pinned to internal CA chain | RFC 8446 |
| Password authentication (server) | HKDF verifier + HMAC-SHA-256 | HKDF-isolated auth verifier · challenge-response | RFC 5869 / RFC 2104 |

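How the HKDF and password-authentication rows fit together, as an added example that is not Keevo's code: one root key is split with HKDF-SHA-256 (RFC 5869, implemented here by hand on the standard library) into a vault key that never leaves the device and an auth verifier that is the only key the server stores, and login is an HMAC-SHA-256 challenge-response on that verifier. The Argon2id step is not run, because it is not in the Python standard library; `root_key` is a constructed stand-in for its output. The `info` labels, the use of the account name as HKDF salt, the `AuthServer` class and the account name are assumptions of this example, not Keevo's real protocol:

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = 32  # SHA-256 digest size


def hkdf_extract(salt, ikm):
    """RFC 5869 section 2.2: PRK = HMAC-SHA-256(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 section 2.3: OKM = T(1) || T(2) || ..., with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF output length out of range")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


# Hypothetical domain-separation labels; Keevo's real labels are not on the page.
VAULT_INFO = b"example/vault-key/v1"
AUTH_INFO = b"example/auth-verifier/v1"


def derive_keys(root_key, account):
    """Split one root key into two unrelated 32-byte keys.

    root_key stands in for the Argon2id output (m=1 GB, t=4, p=2 per the table); Argon2id
    itself is not run here. Using the account name as HKDF salt is an assumption of this example.
    """
    prk = hkdf_extract(account.encode(), root_key)
    return {
        "vault_key": hkdf_expand(prk, VAULT_INFO, 32),     # stays on the device
        "auth_verifier": hkdf_expand(prk, AUTH_INFO, 32),  # the only key the server learns
    }


class AuthServer:
    """Holds auth verifiers only; a dump of this store yields no vault keys."""

    def __init__(self):
        self._verifiers = {}
        self._pending = {}

    def register(self, account, verifier):
        self._verifiers[account] = verifier

    def challenge(self, account):
        nonce = secrets.token_bytes(32)  # OS CSPRNG, as in the table's random-source row
        self._pending[account] = nonce   # one outstanding challenge per account
        return nonce

    def verify(self, account, response):
        verifier = self._verifiers.get(account)
        nonce = self._pending.pop(account, None)  # single use: a replayed response finds no nonce
        if verifier is None or nonce is None:
            return False
        expected = hmac.new(verifier, nonce, HASH).digest()
        return hmac.compare_digest(expected, response)


def client_response(verifier, nonce):
    """Client side of the challenge-response: HMAC-SHA-256(verifier, nonce)."""
    return hmac.new(verifier, nonce, HASH).digest()


def demo():
    """Run the flow once and report what the server could and could not accept."""
    account = "alice@example.com"            # constructed account name
    root_key = bytes.fromhex("0b" * 32)      # constructed stand-in for the Argon2id output
    keys = derive_keys(root_key, account)
    server = AuthServer()
    server.register(account, keys["auth_verifier"])

    nonce = server.challenge(account)
    response = client_response(keys["auth_verifier"], nonce)
    login_ok = server.verify(account, response)
    replay_ok = server.verify(account, response)  # same response again, no fresh challenge

    nonce2 = server.challenge(account)
    wrong_key_ok = server.verify(account, client_response(keys["vault_key"], nonce2))

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "wrong_key_ok": wrong_key_ok,
        "keys_differ": keys["vault_key"] != keys["auth_verifier"],
    }
```

The HKDF functions can be checked against RFC 5869 test case 1 before trusting them; the design point is in `derive_keys`: because the two outputs come from different `info` labels, the stored verifier tells the server nothing about the vault key, which is what "HKDF-isolated" in the table means.
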
Recovery

The Recovery Kit is the only way back.

When you sign up, Keevo generates a printable PDF holding your Secret Key, an emergency QR, and step-by-step instructions. Print it. Put it somewhere offline. We never see it.

[Recovery Kit mockup: recovery-kit.pdf v1, with a "print me" button. Account: tuan@keevo.dev. Secret Key: A4-9KZ-7FX-2BR-NMC-PLW-83Q. QR code placeholder: "Scan from another Keevo device to recover." Generated 2026-04-12 · SHA-256: 9f a3 c1 ae 7c 55 f0 d2 18 6a 9e]

Three things to know about Recovery.

  1. The Recovery Kit is generated on your device. We never receive it. Losing it means losing access if you also forget your Master Password.
  2. Pro accounts can pair a hardware key (YubiKey, SoloKey) as a second recovery factor — useful if you don't want a paper backup.
  3. There is no "reset password" email. There is no support team that can decrypt for you. The math has to add up — and the only way it does is if you hold the keys.

Receipts

Audits, canaries, transparency.

Mar 2026

Cure53 cryptographic review

14-day engagement covering the Rust core, sync protocol, and recovery flow. 2 medium findings, both fixed and verified. Full report PDF + signed hash.

Read report (PDF)

Updated weekly

Warrant canary

A signed statement at status.keevo.tuanle.dev/canary that says we've received zero NSL/gag-order requests. If it stops updating, you'll know what to assume.

Current canary
Quarterly

Transparency report

Government requests received, complied with, refused. Q1 2026: 3 received, 0 produced plaintext (we don't have any to produce).

Q1 2026 report

Found something?

We pay for security disclosures.

Up to $25,000 for vault-decryption findings. Coordinated disclosure, 90-day window, public credit if you want it.