Security architecture that is serious without becoming theatrical.
OneLocked is built around a zero-knowledge model, modern encryption choices, and a Rust-backed platform that aims to keep sensitive work protected without turning every screen into a whitepaper.
The main ideas behind how OneLocked protects data.
These are the strongest product-level signals visible across the codebase and platform structure today.
Zero-knowledge design
OneLocked is built so your master password stays on your device and your vault contents remain outside our direct reach.
AES-256-GCM protection
Vault data is protected with AES-256-GCM, an authenticated encryption mode that covers both the confidentiality and the integrity of what is stored.
Argon2id key derivation
Account authentication and key derivation are built on Argon2id, a memory-hard password hashing function that raises the cost of offline guessing against credentials.
Per-item key model
The data model supports per-item encryption keys, so each item is protected on its own rather than the whole vault being treated as one giant undifferentiated blob.
Secure sharing path
Sharing flows are designed around encrypted item-key transfer instead of simply exposing plaintext to the server.
Audit-aware operations
Admin and collaboration workflows are backed by audit logging so sensitive activity is easier to review.
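An added illustration of the per-item key model and encrypted item-key transfer described above, written for this page and not taken from OneLocked's code: each item gets its own random AES-256-GCM key, and only that key is wrapped under the vault key. Assumptions: the 32-byte vault key stands in for the output of client-side Argon2id derivation (not shown), the record layout and function names are hypothetical, and the recipient key in `shareItem` is a symmetric stand-in for whatever public-key wrapping a real sharing flow uses.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seal. Output layout (hypothetical): nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh random nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad); // authenticated but not encrypted context
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if the key, the AAD or any byte of the blob is wrong.
function open(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Encrypt one item under its own random key, then wrap that key under the vault key.
// The item id is bound as AAD so a record cannot be silently swapped for another.
function encryptItem(vaultKey, itemId, plaintext) {
  const itemKey = crypto.randomBytes(32);
  const aad = Buffer.from(itemId, 'utf8');
  return {
    itemId,
    wrappedKey: seal(vaultKey, itemKey, aad),
    body: seal(itemKey, Buffer.from(plaintext, 'utf8'), aad),
  };
}

function decryptItem(vaultKey, record) {
  const aad = Buffer.from(record.itemId, 'utf8');
  const itemKey = open(vaultKey, record.wrappedKey, aad);
  return open(itemKey, record.body, aad).toString('utf8');
}

// Sharing: only the 32-byte item key is re-wrapped for the recipient; the body is unchanged.
function shareItem(ownerKey, recipientKey, record) {
  const aad = Buffer.from(record.itemId, 'utf8');
  const itemKey = open(ownerKey, record.wrappedKey, aad);
  return { ...record, wrappedKey: seal(recipientKey, itemKey, aad) };
}

// Constructed sample input: a random key stands in for the client-derived vault key.
const sampleKey = crypto.randomBytes(32);
const sampleRecord = encryptItem(sampleKey, 'item-1', 'example-secret');
console.log(decryptItem(sampleKey, sampleRecord));
```

A server holding only `wrappedKey` and `body` can store and relay the record but cannot open either field without a key that never left a client.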
A calmer way to think about the security path.
From account setup to storage and sharing, the product is structured to keep sensitive material protected at each stage.
1. Account setup
Your login flow starts with a master password you control. Authentication and key derivation are designed to avoid handing raw secrets to the server.
2. Client-side protection
Sensitive vault data is protected before sync, and the storage model supports per-item keys for stronger compartmentalization.
3. Secure transit
Encrypted data moves through secure connections instead of being passed around as plaintext in normal application traffic.
4. Encrypted storage
Server-side systems store encrypted vault material, metadata, and operational records needed to keep the product working.
The server should not need your secrets to do its job.
That principle shapes how the product handles authentication, vault storage, admin tooling, and secure sharing.
We do not store your master password as a recoverable secret.
We do not keep plaintext vault contents sitting around on the server for convenience.
We do not treat admin tooling as permission to see another user’s secrets in the clear.
We do not rely on visual polish alone as a substitute for sound cryptographic design.