What is Zero-Knowledge?
When you log in to most websites, your password travels over the internet to the server. Even though it's encrypted during travel, the server still sees your password.
With Zero-Knowledge, your password stays on YOUR device. Instead, we use smart math to prove you know the password without ever sending it.
Regular Login
You show your ID card to get into a building
Zero-Knowledge Login
You prove you know a secret handshake, but never reveal what it is
Why Use Zero-Knowledge?
Password Never Sent
Even if an attacker were watching your internet connection, they could not steal your password, because it never travels over the network.
We Cannot See It
Not even cloak.business staff can see your password. Your credentials remain completely private.
Better Protection
If our servers were ever compromised, your password would still be safe. We only store mathematical proofs, not passwords.
24-Word Recovery
You get special recovery words to regain access if you forget your password. No calling support - you control your account.
How It Works
Zero-Knowledge authentication in 4 simple steps
Create Password
You create a password on your device
Generate Secret Key
Your device creates a secret key from your password using special math
Send Proof
Only a mathematical proof is sent to us - never your password
Verify
We verify the proof - we can confirm it's you without seeing your password
It's like having a lock where you keep the only key, and we just check if your key works.
Your 24-Word Recovery Phrase
When you enable Zero-Knowledge, you receive 24 special words. These words are your master key to your account.
DO
- Write them down on paper
- Store the paper somewhere safe (like a locked drawer)
- Consider making a backup copy in a different safe place
DO NOT
- Take a photo of them
- Save them on your computer
- Send them by email or text
- Share them with anyone
Important
Without your recovery phrase, we CANNOT help you get back into your account. This is by design - Zero-Knowledge means we don't have access to your password or keys.
Technical Details
For the security-conscious
Argon2id + 6-Key Derivation
Your password and email produce a deterministic 16-byte Blake2b salt. Argon2id (64 MB, 3 iterations) derives a 64-byte master key. HKDF-Blake2b then derives 6 independent 32-byte keys: auth, data-encryption, key-encryption (KEK), recovery, verification, and session — each with a domain-specific context string.
Two Encryption Layers
Local vault (history, tokens, keys): AES-256-GCM with a key derived from your 24-word BIP39 recovery phrase via Argon2id. Server-synced data (presets, entities): XChaCha20-Poly1305 with a random 24-byte nonce, encrypted with your data key. The server holds ciphertext only.
No Password Storage
We never store your password in any form. We store only authKeyHash (SHA256 of a key derived from your password) — which cannot be reversed to recover the password.
Constant-Time Verification
Server-side hash comparisons use timing-safe equality to prevent timing attacks that could leak information about stored hashes.
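The following is an added example, not cloak.business's own code, that walks through the four "How It Works" steps using the primitives named in Technical Details: a deterministic Blake2b salt from email and password, an Argon2id master key, six domain-separated HKDF-Blake2b subkeys, and a server that stores only authKeyHash and verifies it with timing-safe equality. Everything not stated on the page is an assumption: the HKDF construction (RFC 5869 with HMAC-BLAKE2b as the PRF), the `cloak/` context strings and `zk-salt-v1` personalisation, Argon2 parallelism of 1, and the scrypt stand-in used only when the `argon2-cffi` package is not installed.

```python
"""Added illustration of the page's key-derivation and verification flow.
Not cloak.business code; context strings, HKDF construction and wire format
are assumptions."""
import hashlib
import hmac

# Page: six independent 32-byte keys, each with a domain-specific context.
KEY_CONTEXTS = ("auth", "data-encryption", "key-encryption",
                "recovery", "verification", "session")
SALT_LEN = 16        # page: 16-byte Blake2b salt
MASTER_KEY_LEN = 64  # page: 64-byte Argon2id master key
SUBKEY_LEN = 32      # page: 32-byte subkeys


def derive_salt(email: str, password: str) -> bytes:
    """Deterministic salt from email + password (page). Same inputs must be
    normalised identically at signup and login or the salt will differ."""
    h = hashlib.blake2b(digest_size=SALT_LEN, person=b"zk-salt-v1")  # assumed
    h.update(email.encode("utf-8"))
    h.update(b"\x00")  # separator so ("a","bc") and ("ab","c") differ
    h.update(password.encode("utf-8"))
    return h.digest()


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Argon2id, 64 MiB, 3 iterations -> 64 bytes (page parameters)."""
    try:
        from argon2.low_level import Type, hash_secret_raw
        return hash_secret_raw(password.encode("utf-8"), salt, time_cost=3,
                               memory_cost=64 * 1024, parallelism=1,  # parallelism assumed
                               hash_len=MASTER_KEY_LEN, type=Type.ID)
    except ImportError:
        # Stand-in only: stdlib scrypt when argon2-cffi is absent. Same shape
        # (memory-hard KDF -> 64 bytes) but NOT Argon2id as the page specifies.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=MASTER_KEY_LEN)


def hkdf_blake2b(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with HMAC-BLAKE2b as the PRF (construction is assumed)."""
    hash_len = hashlib.blake2b().digest_size
    prk = hmac.new(salt or bytes(hash_len), ikm, hashlib.blake2b).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                               # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.blake2b).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: bytes) -> dict:
    """Six independent keys; the context string keeps them unlinkable."""
    return {ctx: hkdf_blake2b(master_key, b"cloak/" + ctx.encode(), SUBKEY_LEN)
            for ctx in KEY_CONTEXTS}


def client_login_material(email: str, password: str) -> dict:
    """Steps 1-2 on the client: password -> salt -> master key -> subkeys.
    Only keys['auth'] ever leaves the device (step 3)."""
    salt = derive_salt(email, password)
    return derive_subkeys(derive_master_key(password, salt))


class Server:
    """Step 4. Holds authKeyHash = SHA256(authKey) only; never the password."""

    def __init__(self) -> None:
        self._auth_key_hash = {}

    def register(self, email: str, auth_key: bytes) -> None:
        self._auth_key_hash[email] = hashlib.sha256(auth_key).digest()

    def verify(self, email: str, auth_key: bytes) -> bool:
        presented = hashlib.sha256(auth_key).digest()
        stored = self._auth_key_hash.get(email)
        if stored is None:
            # Unknown user: still do one comparison so timing matches a real user.
            hmac.compare_digest(presented, bytes(len(presented)))
            return False
        # compare_digest is constant-time for equal-length inputs; SHA-256
        # digests are always 32 bytes, so a '==' early exit cannot leak here.
        return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    server = Server()
    keys = client_login_material("alice@example.com", "correct horse battery staple")
    server.register("alice@example.com", keys["auth"])  # only the auth key crosses the wire
    again = client_login_material("alice@example.com", "correct horse battery staple")
    print("login ok:", server.verify("alice@example.com", again["auth"]))
    wrong = client_login_material("alice@example.com", "wrong password")
    print("wrong password ok:", server.verify("alice@example.com", wrong["auth"]))
```

The point to take from running it: a breach of `Server._auth_key_hash` yields only SHA-256 digests of Argon2id-derived keys, and none of the other five subkeys (data, KEK, recovery, verification, session) is recoverable from the one that was sent, because HKDF's context strings make each derivation independent.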
Is This Right for You?
Best For
- Organizations where administrators must be legally prevented from accessing user encryption keys (GDPR Art. 82, HIPAA)
- Healthcare and financial institutions subject to key management compliance requirements (PCI-DSS, SOC 2)
- Zero-trust architectures where no single party should hold both the data and its decryption key
- Legal industry workflows where client privilege requires absolute technical confidentiality guarantees
Not Ideal For
- Use cases requiring account recovery or key escrow (lost keys = permanently inaccessible data)
- Small teams that need central administrator access to all encrypted data for support purposes
- Organizations without a key management policy — ZK encryption adds operational responsibility
Frequently Asked Questions
Can cloak.business staff see my password?
No. That's the whole point of Zero-Knowledge! Your password is processed on your device. We only receive a mathematical proof, never the actual password.
What if cloak.business gets hacked?
Your password is still safe! Hackers would only find mathematical proofs, not passwords. Without your actual password, they cannot access your account.
Is Zero-Knowledge harder to use?
No! You won't notice any difference when logging in. The only extra step is saving your 24-word recovery phrase when you first set up your account.
Can I turn off Zero-Knowledge?
Zero-Knowledge is enabled by default for your protection. We recommend keeping it on for the best security.
What happens if I change my password?
When you change your password, your device creates new secret keys and you receive a new 24-word recovery phrase. Your old recovery phrase stops working, so save your new phrase immediately!