When you store sensitive access details in a digital vault - recovery phrases, account credentials, security answers - the security of that data is paramount. Encryption at rest means your data is encrypted the moment it is saved, and it remains encrypted until an authorized party explicitly requests access.
How Carryr encrypts your vault
Carryr uses AES-256-GCM encryption, the same standard used by governments and financial institutions for classified data. But encryption is only as strong as its key management.
- Each vault item gets its own encryption key derived from a master key using HKDF
- The derivation uses your unique user ID and item ID as context, so no two items share the same key
- AES-GCM provides both confidentiality (no one can read the data) and integrity (no one can tamper with it)
- Encryption and decryption happen server-side using WebCrypto, never in the browser
What this means in practice
Even if someone gained access to the database directly, they would see only encrypted blobs. Without the master encryption key (which is stored separately as a secret, not in the database) the data is computationally impossible to decrypt.
Carryr staff cannot see your encrypted vault details during normal operations. Access requires an explicit break-glass procedure with documented justification and a permanent audit trail.
The audit trail
Every time encrypted data is accessed - by you, by your executor, or by Carryr staff under the break-glass procedure - the action is logged to an immutable audit trail. This includes who accessed it, when, from what context, and the stated reason. This creates accountability and transparency throughout the entire lifecycle of your digital estate.
Security is not a feature. It is the foundation that everything else is built on.