Disguised. Distributed. Zero-Trust. A secure, cross-device vault engineered with end-to-end encryption, recovery-safe key management, and stealth-first UX.
- Executive Summary
- Visuals & Media
- System Architecture
- Data Flow & Pipeline
- Technical Deep Dive
- Security Model (Zero Trust)
- Recovery & Key Management
- Performance & Metrics
- Model Outputs (Vault Data Structure)
- Developer Experience & Setup
Locker was engineered to solve a critical gap in consumer privacy tooling:
Secure storage exists, but usability, recovery, and cross-device trust are fundamentally broken.
-
Most vault apps:
- Rely on centralized trust models
- Have weak or non-existent recovery flows
- Expose themselves through obvious UI patterns
- Lack true cross-device cryptographic integrity
Locker introduces a zero-trust vault architecture with:
- π End-to-End Encryption (E2EE)
- π± Cross-device vault provisioning with cryptographic trust
- π Recovery-key based vault restoration (no password dependency)
- π§ Secure key lifecycle management
- πΆοΈ Stealth UX (calculator disguise)
- π Offline-first sync engine with deterministic reconciliation
- Eliminates single-point-of-failure (server or password)
- Enables secure multi-device access without weakening encryption
- Provides recoverability without compromising secrecy
- Reduces attack surface through UI obfuscation + local-first design
 |
 |
 |
 |
 |
See Locker in action β a zero-trust encrypted vault designed for secure, cross-device data storage.
Highlights
|
Highlights
|
Mobile App (React Native)
βββ Vault Engine (Encryption + Storage)
βββ Sync Engine (Offline-first)
βββ Key Manager (Device-bound keys)
βββ Stealth UI Layer (Calculator shell)
β
Backend API (Node.js + Fastify)
βββ Vault Metadata Service
βββ Key Envelope Store (Encrypted)
βββ Device Trust Registry
β
Database (PostgreSQL)
βββ Vault records
βββ Device mappings
βββ Sync state
User β Create Vault
β Generate Data Encryption Key (DEK)
β Encrypt DEK with User Key (KEK)
β Store encrypted vault locally
β Upload encrypted envelope to backend
Device A β Creates encrypted change set
β Uploads delta to backend
β Backend stores encrypted payload (opaque)
β Device B pulls updates
β Decrypts locally using keys
Recovery Key (offline)
β Derives user key
β Fetch encrypted vault envelope
β Decrypt DEK
β Restore vault locally
-
React Native
0.74+ -
State:
MobX -
Storage:
expo-secure-store(key storage)expo-sqlite(vault data)
-
Navigation:
React Navigation -
Crypto:
- Native modules for encryption (AES-GCM / secure RNG)
-
File Handling:
react-native-fs
- Node.js + Fastify
- Prisma ORM
- PostgreSQL
- Caddy (reverse proxy + TLS)
-
AES-256-GCM (data encryption)
-
Key Derivation:
- PBKDF2 / Argon2 (configurable)
-
Envelope Encryption Model:
Vault Data β encrypted with DEK DEK β encrypted with User Key (KEK) KEK β derived from recovery key / device key
Locker uses a lightweight on-device classification layer to determine item types:
- MIME type
- File signature (magic bytes)
- Extension heuristics
- Content scanning (for structured text)
if mime.startsWith("image/") β Image
elif mime == "application/pdf" β Document
elif structured_text_detected β Note
else β Binary File
-
Input normalization:
- File signature validation
- MIME correction
-
Preprocessing:
- Text extraction (if applicable)
- Encoding standardization
-
Heuristic tuning:
- Fallback classification layers
-
Continuous improvement:
- Logging misclassifications
- Updating detection rules
Locker enforces strict zero-trust principles:
- π« Backend never sees plaintext
- π Keys never leave device unencrypted
- π¦ Server stores only encrypted blobs
- π± Each device independently trusted
| Threat | Mitigation |
|---|---|
| Server breach | Data encrypted (E2EE) |
| Device compromise | Key isolation + secure storage |
| Network interception | TLS + encrypted payload |
| Account takeover | Recovery-key based model |
Recovery Key β User Key (KEK)
β decrypts DEK
β decrypts Vault Data
- β No password-based recovery
- β Recovery key = single source of truth
- β Prevents weak password attacks
- β‘ Optimized recovery flow latency
- Vault open latency: < 200ms
- Sync reconciliation: O(n delta-based)
- Encryption overhead: ~5β10% CPU
-
Unit tests:
- Encryption/decryption integrity
-
Integration tests:
- Sync consistency across devices
-
Edge case testing:
- Recovery on fresh device
- Partial sync states
- Near-instant vault access
- Minimal sync conflicts
- Reliable recovery without server trust
File: receipt.pdf
Size: 1.2MB
{
"id": "vault_item_01",
"type": "document",
"mime": "application/pdf",
"encrypted": true,
"createdAt": "2026-04-01T12:00:00Z",
"metadata": {
"size": 1200342,
"hash": "sha256:abc123..."
}
}git clone https://github.com/yourusername/locker
cd locker
pnpm installcd backend
cp .env.example .env
pnpm devcd app
pnpm startpnpm testπ² Download APK from the latest Release
- No backend trust assumptions
- Encryption enforced at architecture level
- Most systems trade usability for security
- Locker achieves both
- Calculator disguise reduces discovery risk
- Not just encryption β operational security
- Sync is a feature, not a dependency
- Deterministic sync
- Idempotent operations
- Key lifecycle management
MIT License β feel free to use and adapt.