Architecture White Paper
A privacy-first, local-first password vault designed to give users full ownership of their data.
1. Our Core Belief: You Own Your Data
Most password managers immediately push your data to their servers. Even when encrypted, this creates a centralized target. SentinelVault takes a different path. Your data lives on your device first - always. The cloud is optional, not mandatory.
This gives you control from day one. You decide if, when, and how your data leaves your device.
Guiding Principles
- Privacy by default: No cloud storage unless you enable it.
- Blind servers: Our systems help with syncing but never see your secrets.
- Identity separation: Who you are is never mixed with what you store.
2. The Identity Registry
SentinelVault recognizes users without touching their vaults using a lightweight Identity Registry. When you register, the backend combines your email with a secret server-side salt to generate a Vault ID.
This Vault ID represents your vault, not you. We store only your email address, the generated Vault ID, and a Master Key Proof (a one-way Argon2id hash used for authentication without storing your password).
3. The Private Vault: Where Secrets Live
Your passwords and sensitive data live inside a private vault built directly into your app.
Local-First Storage
An encrypted local database (PouchDB) is created on your device at signup. All data is encrypted using your master password before it touches the disk.
The Sync Choice
You control whether cloud backup is enabled:
- Sync OFF: Fully offline, no network dependency.
- Sync ON: Encrypted cloud vault mirrors local data via CouchDB replication.
4. Security by Design
SentinelVault is built so that even a full server breach would not expose user data. We rely on industry-standard mathematical proofs.
| Component | Technology | Responsibility |
|---|---|---|
| Key Derivation | Argon2id | Converts your password into a high-entropy 256-bit key. |
| Encryption | AES-256-GCM | Scrambles your secrets locally before storage. |
| Auth | Zero-Knowledge | Verifies identity without server ever seeing raw password. |
5. Architecture Diagram
6. Conclusion
SentinelVault is built on a simple idea: your data belongs to you, not the service storing it. By separating identity from secrets and encrypting everything locally, SentinelVault sets a new standard for privacy-first password management.