// Security

Don't trust us.
Verify us.

Zero-knowledge is a claim anyone can make. Here's how OpaqueVault proves it — at the protocol level, on the wire, and in your AI agent's context window. No source code required.

// Three provable guarantees

Encrypted at rest.
In transit.
In use.

Most security products prove two. The AI agent boundary is new. OpaqueVault is the only secret manager that proves all three.

01

At rest

The server stores only ciphertext. No plaintext values, no master passwords, no Key Encryption Keys. Every secret is encrypted with AES-256-GCM before it leaves your machine.

// Verify it yourself

Call the API directly. The response is always an encrypted blob — never a plaintext value. 

curl https://api.opaquevault.com/v1/secrets/MY_SECRET \
  -H "Authorization: Bearer $OV_API_KEY"

# Response:
{
  "name": "MY_SECRET",
  "ciphertext_b64": "7x9mK2...",
  "nonce_b64": "aB3cD4...",
  "dek_encrypted_b64": "xY8zQ1...",
  "dek_nonce_b64": "pL5mN6..."
}

No decrypt endpoint exists. The server cannot return a plaintext value — ever.

02

In transit

All traffic between ov mcp serve and api.opaquevault.com uses a post-quantum hybrid KEM — ML-KEM-768 + X25519. If either primitive is broken, the other protects you.

// Verify it yourself

Inspect the TLS handshake. The cipher suite includes ML-KEM-768 alongside X25519. 

openssl s_client \
  -connect api.opaquevault.com:443 \
  -groups X25519MLKEM768 2>&1 \
  | grep "Server Temp Key"

# Server Temp Key: X25519MLKEM768, 1216 bits

NIST FIPS 203 (ML-KEM-768). Implemented via cloudflare/circl. No X25519-only fallback.

03

In use with AI agents

This is the guarantee no other secret manager can make. When Claude Code calls vault_run, the raw MCP response contains exit codes and stdout — never the secret value. Here's the actual wire format.

// The actual MCP wire trace
→ Claude calls
{
  "method": "tools/call",
  "params": {
    "name": "vault_run",
    "arguments": {
      "command": "go run ./cmd/migrate",
      "secrets": ["DATABASE_URL"]
    }
  }
}
↓ ov mcp serve decrypts locally
← Claude receives
{
  "content": [{
    "type": "text",
    "text": "exit_code: 0\nstdout: migrations: 3 applied\nstderr: "
  }]
}

# DATABASE_URL never appeared. Not once.

Enable MCP debug logging in Claude Code and capture this yourself.

// Active enforcement

The guarantee is
unconditional.

Even if you accidentally paste a raw secret into Claude Code, the MCP context interceptor catches it before the model sees it. Zero-knowledge isn't just how the vault works — it's enforced at the channel level.

The interceptor runs inside ov mcp serve, scanning every message for known secret patterns — AWS keys, GitHub tokens, Stripe keys, private keys, connection strings, high-entropy blobs. A match triggers a block and an audit log entry.

Read the interceptor docs →
claude code session
You Here's the connection string for debugging: postgres://admin:[email protected]/app
[interceptor] scanning message...
Potential secret intercepted (postgres-dsn) . Message blocked.
Store this value with ov secret set DATABASE_URL
# Logged to audit trail. Claude never saw the value.
// The cryptographic stack

Every primitive.
Justified.

No black boxes. Every algorithm choice has a reason.

Primitive
Used for
Why
Argon2id time=1, mem=64MB
Master password → KEK derivation
Memory-hard. Resistant to GPU and ASIC brute-force. PHC winner. The id variant combines side-channel resistance with GPU resistance.
AES-256-GCM random nonce per op
DEK encryption (KEK wraps DEK) + secret encryption (DEK wraps plaintext)
NIST standard. Authenticated encryption — integrity guaranteed. 256-bit keys. Nonces from crypto/rand, never reused.
ML-KEM-768 NIST FIPS 203
Transport key encapsulation (post-quantum half of hybrid)
Lattice-based KEM. Resistant to quantum attacks. NIST security level III (~AES-192). Part of the mandatory hybrid — no fallback.
X25519 Curve25519
Transport key exchange (classical half of hybrid)
Fast, side-channel resistant, widely audited elliptic curve DH. Paired with ML-KEM-768 — if quantum computers break ML-KEM, X25519 still holds classically.
HMAC-SHA256
Audit log secret references
Secret IDs in logs are hashed with a server-side key. The log proves access without revealing which secret was accessed to someone without the HMAC key.
BLAKE3
API key hashing
Fast, secure hash for storing API key fingerprints. Plaintext key shown once at creation, never stored — only the BLAKE3 hash lives in the database.
// Multi-app namespacing — zero-knowledge unchanged

Apps and environments
are metadata only.

OpaqueVault scopes secrets by app / environment / name — so my-saas/production/DATABASE_URL and side-project/dev/DATABASE_URL can coexist without collision.

App and environment names are metadata stored alongside the encrypted blob. They are not key material and play no role in encryption or key derivation. The zero-knowledge guarantee is identical whether you have one app or twenty: the server stores (ciphertext, nonce, encrypted_DEK, DEK_nonce) — useless without the user's master password.

Layer
Stored as
Visible to server?
app name
Plaintext metadata
Yes — contains no secret material
environment name
Plaintext metadata
Yes — contains no secret material
secret name
Plaintext metadata
Yes — name only, value encrypted
secret value
AES-256-GCM ciphertext
Never
// Building trust over time

The audit roadmap.

Architectural proofs get you started. Third-party validation is how you scale trust.

Live at launch

API schema published

The full API response schema is public. Anyone can call the API and inspect the encrypted blob format. The absence of a decrypt endpoint is verifiable.

Live at launch

MCP wire traces published

Real Claude Code session traces showing the exact MCP JSON — tool call in, exit code out, no secret value anywhere in the wire format.

Live at launch

TLS cipher suite published

The exact cipher suite used on api.opaquevault.com is documented and verifiable with standard TLS inspection tools.

Q3 2026

Third-party security audit

Independent review of the cryptographic implementation, key derivation, and zero-knowledge architecture by a named security firm. Full report published.

Q4 2026

Bug bounty program

Invite the security research community to find vulnerabilities. Rewards for valid findings. Responsible disclosure policy published.

2027

SOC 2 Type II

Process-level assurance for enterprise buyers. Controls covering security, availability, and confidentiality. Report available to enterprise customers under NDA.

// Responsible disclosure

Found a vulnerability?

Email [email protected]. We'll respond within 48 hours. Please give us reasonable time to fix before public disclosure. We don't pursue legal action against good-faith researchers.

PGP key for encrypted reports
Fingerprint: coming soon — published before launch

Zero-knowledge.
Provably.

Start free. No credit card required.
Verify every guarantee yourself before you commit.

Create free account Read the security docs