Cloak Documentation
The password manager that can't betray you.
Protected by math, not promises.
Cloak is a password manager that encrypts your data on your device before it goes anywhere. Unlike traditional password managers that store your vault on a company's servers and promise not to look, Cloak uses a network of independent computers to create your encryption key on demand. No single computer — and no single person — ever holds the complete key. It exists only for the moment you need it, then it's gone.
Your logins, credit cards, secure notes, and images are protected by the same grade of encryption used to secure classified information. The difference is that with Cloak, the math is verifiable. The code is open source. There is nothing to trust because there is nothing hidden.
How It Works
Here's what happens when you use Cloak, in plain language:
- Your passwords are encrypted on your device before they leave it.
- The encryption key is created on demand by a network of independent computers.
- No single computer ever holds your complete key.
- The key exists only for the moment you need it, then it's gone.
- Even the developers cannot access your vault.
Your data is ciphertext the moment it leaves your browser. The backend is a storage locker that holds boxes it cannot open.
Technical Details — vetKeys Architecture
Cloak uses vetKeys (verifiable encrypted threshold key derivation) for on-chain key management. No master password. No stored keys.
The 7-step flow
- You authenticate with a passkey (fingerprint, face, or device PIN) via Internet Identity.
- The frontend generates an ephemeral transport key pair.
- The backend requests a derived key from the network's threshold infrastructure via
vetkd_derive_key. - The subnet nodes collaboratively derive the key. No single node ever holds the complete key.
- The key is delivered encrypted under your transport public key. Only your browser can decrypt it.
- Your browser derives an AES-256-GCM symmetric key from the vetKey material.
- All encryption and decryption happens locally. The backend only ever stores ciphertext.
The same (canister_id, context, caller_principal) always produces the same derived key. Your key is deterministic but never stored. It is reconstructed on demand each session.
Technical Details — Internet Identity Auth Flow
- User clicks "Authenticate with Passkey".
- Frontend opens Internet Identity popup at
identity.ic0.app. - User authenticates with their passkey (biometric or PIN).
- Internet Identity returns a signed delegation to the frontend.
- Frontend creates an
HttpAgentwith the delegation identity. - The agent signs all canister calls with the user's session principal.
- Session expires after 24 hours (
maxTimeToLive). - 15-minute idle timeout clears the AES key from memory and forces re-authentication.
Each user gets a unique principal per application (principal-per-app isolation). The backend rejects the anonymous principal on all authenticated endpoints.
Architecture Diagram
Features
P to mask all sensitive data on screen. Instant toggle.Security
Cloak's security is a set of technical constraints, not policies. Here is what is enforced:
| Measure | Detail |
|---|---|
| ✓ AES-256-GCM encryption | All data encrypted client-side before transmission |
| ✓ vetKeys threshold key derivation | Production key_1 — no single node holds the complete key |
| ✓ Rate limiting | 30 writes/minute per principal |
| ✓ Entry limits | 500 entries and 50 shares per user |
| ✓ 24-hour session TTL | Sessions expire after 24 hours regardless of activity |
| ✓ 15-minute idle timeout | Clears AES key from memory, forces re-authentication |
| ✓ No external dependencies | Zero runtime CDN loads — all scripts, fonts, and dependencies bundled locally |
| ✓ Strict CSP | script-src 'self' — no external scripts permitted |
| ✓ 90-day freezing threshold | Both canisters freeze after 90 days without top-up (tamper protection) |
| ✓ Idempotency protection | Dedup keys on writes prevent duplicate entries from retries |
| ✓ Audit: 0 critical, 0 high | All 11 ICP security best-practices skills passed |
Changelog
Added
- Export all vault entries as a CSV file from Settings
- Exported file includes all entry types (logins, cards, notes)
- File is decrypted and generated entirely in your browser
- Warning displayed about plaintext passwords in the export
Added
- Documentation site accessible at /docs/ within the app
- Book icon in footer linking to documentation
- Official Cloak logo (hooded lock) on login screen, app header, and privacy lock screen
- Social links in footer: X, GitHub, Medium
- Password generator available as a standalone view in the sidebar
- Password generator appears inline below the password field when adding or editing entries
- 5-level password strength indicator: Weak, Fair, Good, Strong, CLOAK
- Password auto-generates when opening the generator (no extra click needed)
- Changing length, characters, or mode instantly regenerates the password
- GitHub source link and "What's New" link in Settings
- Version number displayed in Settings
Changed
- Sign in now uses id.ai (new Internet Identity URL)
- Settings and Generator views use the full screen width
- Privacy lock screen shows the Cloak logo instead of a generic lock icon
- Modal popups scroll content while keeping corner frames and buttons fixed at the edges
Fixed
- Settings page showing a vault entry instead of settings content
- "New Item" button causing an error after recent updates
- Password generator not producing a result until a second click
Added
- PWA support: install Cloak as an app on desktop and mobile
- Download icon in footer with install prompt
- Maintenance mode for safe updates
- Duplicate entry prevention on network retries
Changed
- All code libraries bundled locally (no external CDN loading)
- Fonts self-hosted (no requests to Google)
- Rotating taglines shortened to fit all screen sizes
- Improved layout on small desktop and tablet screens
- Hex data panel fills the full header area
Fixed
- Layout breaking between 769px and 1023px screen widths
- Text overflowing in the rotating tagline area
Security
- 90-day freezing threshold on both canisters
- Tightened content security policy
- Completed security audit (0 critical, 0 high findings)
Added
- Initial release
- Sign in with passkey (fingerprint, face, or PIN)
- Encrypted storage for logins, credit cards, secure notes, and images
- TOTP authenticator with QR code scanning
- Secure sharing with time-limited links and optional self-destruct
- Import from 1Password, Bitwarden, Chrome, or any CSV
- Chrome extension
- Privacy mode (press P to hide all data)
- Available in English, German, French, and Italian
- 15-minute auto-lock after inactivity
- Custom domain: cloakencrypt.com
Brand Guidelines
Mark
Colors
Typography
Taglines
- Primary: "The password manager that can't betray you."
- Secondary: "Protected by math, not promises."
Links
Frequently Asked Questions
Who is behind Cloak?
We believe privacy tools should be judged by their code, not their founders' LinkedIn profiles. Cloak is open source. The code speaks for itself.
What happens if I lose my passkey?
Your vault is gone. This is by design. There is no master password, no email recovery, no backdoor. If we could recover your data, so could someone else.
Can you see my passwords?
No. This is a technical fact, not a policy. Your data is encrypted on your device with a key that only exists in your browser session. The backend stores ciphertext only.
Is Cloak free?
Yes. Cloak is free and open source under the MIT license.
What is the Internet Computer?
A tamper-proof network of independent computers that runs Cloak's backend. Think of it as infrastructure that nobody owns and everybody can verify.
How is this different from 1Password or Bitwarden?
With those services, your encrypted vault sits on a company's servers. The company promises not to access it. With Cloak, your encryption key is assembled on your device from fragments held by independent computers. No single entity ever holds a complete key. This isn't a promise. It's math.