> PREMIUM_FEATURE

VAULT

ChaCha20-Poly1305 Encrypted Storage

FaceID Protected • Device-Only • Zero Cloud Sync

SECURE ENCLAVE

BIOMETRIC AUTH

256-BIT ENCRYPTION

Keys: 256-bit

Cloud: None

Storage: Device

PRO FEATURE • IN-APP PURCHASE

> ENCRYPTION_PIPELINE

How Vault Works

┌────────────────────────────────────────────────────────────┐
│                   VAULT ENCRYPTION FLOW                    │
└────────────────────────────────────────────────────────────┘

SENSITIVE PHOTO
    │
    ├─> [User: Move/Copy to Vault]
    │
    ▼
BIOMETRIC AUTH
    │
    ├─> FaceID / Touch ID / Passcode
    │
    ▼
RETRIEVE KEY
    │
    ├─> iOS Keychain (Secure Enclave)
    │   └─ Device-bound 256-bit key
    │
    ▼
CHACHA20-POLY1305
    │
    ├─> AEAD Cipher
    │   ├─ Confidentiality
    │   ├─ Authenticity
    │   └─ Integrity
    │
    ▼
ENCRYPTED FILE (.n11)
    │
    ├─> App Sandbox
    │   ├─ .completeFileProtection
    │   └─ Excluded from backups
    │
    ▼
ORIGINAL DELETED (optional)

> SOURCE_CODE

Encryption Implementation

> /Vault/VaultCrypto.swift ChaCha20-Poly1305 AEAD
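import CryptoKit
import Foundation

// CryptoError and calculateEntropy(_:) are referenced below but not shown on this page;
// they are defined elsewhere in the project.
final class VaultCrypto {

    /// Encrypts `data` with ChaCha20-Poly1305. CryptoKit picks a fresh random nonce
    /// for each call; the returned blob is nonce || ciphertext || tag.
    static func encryptData(_ data: Data, key: SymmetricKey) throws -> Data {
        let sealedBox = try ChaChaPoly.seal(data, using: key)
        return sealedBox.combined
    }

    /// Verifies the Poly1305 tag and decrypts. Throws if the blob is malformed,
    /// was modified, or the key is wrong; no plaintext is returned in that case.
    static func decryptData(_ encryptedData: Data, key: SymmetricKey) throws -> Data {
        let sealedBox = try ChaChaPoly.SealedBox(combined: encryptedData)
        let decryptedData = try ChaChaPoly.open(sealedBox, using: key)
        return decryptedData
    }

    /// Generates a random 256-bit key from the system CSPRNG.
    static func generateVaultKey() throws -> SymmetricKey {
        let key = SymmetricKey(size: .bits256)

        // Sanity check on the raw key bytes before the key is used.
        // Caveat: if calculateEntropy returns Shannon entropy in bits per byte,
        // a 32-byte sample has at most 32 distinct values, i.e. at most 5.0 bits
        // per byte, so the 7.5 threshold could never be met on that scale.
        let keyData = key.withUnsafeBytes { Data($0) }
        let entropy = calculateEntropy(keyData)

        guard entropy >= 7.5 else {
            throw CryptoError.insufficientEntropy
        }

        return key
    }
}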

AEAD Cipher

ChaCha20-Poly1305 provides authenticated encryption. It is the same standard used in WireGuard, TLS 1.3, and Signal Protocol.
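
What the authenticity and integrity guarantees mean for a stored blob, shown as an added example (not NuDefndr's code): it opens an intact blob, then a blob with one flipped bit, a blob under the wrong key, and a truncated blob. The names `openBlob` and `BlobCheck` and the sample bytes are hypothetical and constructed for illustration.

```swift
import CryptoKit
import Foundation

// Added example; BlobCheck and openBlob are hypothetical names, not part of the app.
enum BlobCheck { case ok(Data), tooShort, authenticationFailed }

// Layout of ChaChaPoly.SealedBox.combined: 12-byte nonce || ciphertext || 16-byte tag.
let nonceLength = 12
let tagLength = 16

func openBlob(_ blob: Data, key: SymmetricKey) -> BlobCheck {
    // Anything shorter than nonce + tag cannot be a sealed box at all.
    guard blob.count >= nonceLength + tagLength else { return .tooShort }
    do {
        let box = try ChaChaPoly.SealedBox(combined: blob)
        return .ok(try ChaChaPoly.open(box, using: key))
    } catch {
        // Wrong key or any modified byte: the Poly1305 tag check fails
        // and CryptoKit releases no plaintext.
        return .authenticationFailed
    }
}

let key = SymmetricKey(size: .bits256)
let photo = Data("constructed sample photo bytes".utf8)   // constructed input
let blob = try ChaChaPoly.seal(photo, using: key).combined

// Sealing the same plaintext again uses a new random nonce, so the blobs differ.
let secondBlob = try ChaChaPoly.seal(photo, using: key).combined
print("size overhead (nonce + tag):", blob.count - photo.count)
print("same plaintext, different blob:", blob != secondBlob)

// Flip a single bit in the first ciphertext byte (just past the nonce).
var tampered = blob
tampered[tampered.startIndex + nonceLength] ^= 0x01

print("intact blob:   ", openBlob(blob, key: key))
print("tampered blob: ", openBlob(tampered, key: key))
print("wrong key:     ", openBlob(blob, key: SymmetricKey(size: .bits256)))
print("truncated blob:", openBlob(blob.prefix(20), key: key))
```

Only the intact blob under the correct key yields plaintext; every other case is rejected before any decrypted bytes are returned.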

Biometric Lock

Vault requires FaceID/Touch ID every time you open it. Even when the phone is unlocked, the vault stays locked.

> SECURITY_MODEL

What Vault Protects Against

PROTECTED

  • Device seizure (encrypted at rest)
  • Unauthorized physical access
  • Cloud breaches (no cloud storage)
  • Backup extraction (keys device-bound)
  • Network interception (no uploads)

OUT OF SCOPE

  • Forced biometric unlock (physical coercion)
  • Jailbroken devices (iOS security compromised)
  • OS zero-day exploits (affects all apps)
  • Device loss (keys cannot be recovered)

CRITICAL: Device-Locked Security

Vault data cannot be recovered if you lose your device, switch phones, or reinstall NuDefndr. This is intentional—it's the only way to guarantee true security.

Encryption keys are hardware-bound to your device's Secure Enclave. Without the physical device, vault contents are permanently inaccessible—even to us.
