Zero-Knowledge Authentication

Last Updated: 2026-02-09


cloak.business uses a zero-knowledge authentication model. Your password never leaves your device -- not during sign-up, not during sign-in, not ever. Our servers verify your identity without ever seeing or storing your actual password.


What It Means

In traditional authentication, your password is sent to a server where it is checked against a stored hash. If the server is compromised, attackers obtain those password hashes and can attack them offline at their leisure.

With zero-knowledge authentication, your password never travels over the network. The server has no knowledge of your password: it receives only a cryptographic proof that you know it, and keeps only the data needed to check that proof.


How It Works

The process is designed to be invisible to you while providing significantly stronger security:

  1. You enter your password on your device.
  2. Your device derives a cryptographic key from your password using Argon2id, a memory-hard key derivation function designed to make brute-force guessing expensive.
  3. Only a proof derived from that key is sent to our servers. The password itself stays on your device.
  4. The server checks the proof against the verification data it holds, without ever learning your password.

This happens automatically every time you sign in. From your perspective, it feels like a normal login. One caveat worth understanding: because the proof is derived from your password, anyone who obtained the server's verification data could still try to guess your password offline. Argon2id makes each guess expensive, and a strong password makes the search infeasible, which is why password strength still matters in this model.


Encryption Keys

Your password serves a second purpose beyond authentication: it is used to derive the encryption keys that protect your personal vault.

  • All sensitive data in your vault is encrypted with XChaCha20-Poly1305, an authenticated encryption algorithm: it hides the contents and also detects any tampering with the stored ciphertext.
  • The encryption key is derived from your password on your device.
  • The server stores only encrypted data -- it cannot decrypt your vault without your password.

This means your data is protected at rest even if our storage were accessed by an unauthorized party: such a party would hold ciphertext it cannot open and cannot silently alter.


Recovery Phrase

Because we never have access to your password, we cannot reset it for you. Instead, when you create your account, the system generates a 24-word recovery phrase.

This recovery phrase is the only way to recover your account if you forget your password.

  • It is displayed once during signup.
  • It is not stored on our servers.
  • It cannot be retrieved later.

How to Store Your Recovery Phrase

  • Write it down on paper and store it in a secure physical location.
  • Alternatively, save it in a trusted password manager (one that encrypts its contents).
  • Do not store it in plain text on your device, in email, or in cloud notes.
  • Consider keeping copies in two separate secure locations, so a single fire, theft, or lost device does not cost you access.

What We Store

  What We Store                        What We Never Store
  -----------------------------------  -----------------------
  Cryptographic verification data      Your actual password
  Encrypted vault data                 Decryption keys
  Account metadata (email, settings)   Your recovery phrase

Our servers hold only the minimum data needed to verify your proof and store your encrypted information.


Why It Matters

  • Database breach protection -- even if our database were compromised, your password is not in it. An attacker would hold only Argon2id-protected verification data and ciphertext, and would have to guess your password offline to make use of either.
  • No insider access -- no employee or system at cloak.business can read your password or decrypt your vault.
  • End-to-end encryption -- your vault data is encrypted with a key derived from your password, which never leaves your device.
  • Compliance-friendly -- a zero-knowledge architecture helps meet strict data protection requirements, because the provider cannot read the data it stores.

Important Reminders

  • Save your 24-word recovery phrase immediately after signup. Without it, a forgotten password means permanent loss of access to your encrypted vault.
  • We cannot reset your password. There is no "forgot password" email flow that bypasses the recovery phrase.
  • Your password strength matters. Since the encryption key is derived from your password, a strong password directly strengthens your vault encryption.

SDK Client-Side Encryption

The same zero-knowledge principles power our official SDKs. The ClientCrypto module provides true client-side encryption where keys never leave your device:

JavaScript/TypeScript

import { ClientCrypto } from '@cloak-business/sdk';

// Generate a random encryption key (store securely!)
const key = await ClientCrypto.generateKey();

// Encrypt data locally before sending anywhere
const encrypted = await ClientCrypto.encrypt(key, 'sensitive data');

// Decrypt locally - key never transmitted
const decrypted = await ClientCrypto.decrypt(key, encrypted);

Python

from cloak_business import ClientCrypto

# Generate a random key
key = ClientCrypto.generate_key()

# Encrypt locally
encrypted = ClientCrypto.encrypt(key, "sensitive data")

# Decrypt locally
decrypted = ClientCrypto.decrypt(key, encrypted)

Security Model:

  • AES-256-GCM authenticated encryption for data encrypted through ClientCrypto. Note that this differs from the XChaCha20-Poly1305 used for your vault (see Encryption Keys above); confirm the algorithm for your SDK version in the SDK Reference.
  • Keys are generated on your device and never transmitted to any server. Storing the key securely is the caller's responsibility, as the comment in the examples above notes.
  • All operations use the Web Crypto API (browser) or the cryptography library (Python).
  • Works in offline and air-gapped environments, since no network round-trip is involved.

See the SDK Reference for complete documentation.


Frequently Asked Questions

Can cloak.business read my encrypted data? No. Your vault is encrypted with a key derived from your password, which never leaves your device. We store only the encrypted form.

What happens if I forget my password and lose my recovery phrase? Your account and encrypted data become permanently inaccessible. We cannot recover them. This is the tradeoff of zero-knowledge architecture -- maximum security means we genuinely cannot bypass it.

Is my password sent during sign-in? No. Your device performs the Argon2id key derivation locally and sends only the resulting cryptographic proof.

Can I change my password? Yes. Changing your password re-derives your encryption keys on your device and updates the server-side verification data. You will need your current password or recovery phrase to do this.


Document maintained by cloak.business