Security and privacy basics

Lastkey is designed to be zero-knowledge: your vault content is encrypted on your device before it is uploaded.

What Lastkey can't see

• Your vault master key (VMK)
• Your item contents (notes or files)
• The secret fragment key inside beneficiary invite links

What Lastkey stores

• Encrypted vault items (ciphertext)
• Encrypted Share B used for release
• Minimal metadata needed to keep the app usable

How keys are protected

Your vault master key is split into three shares (2-of-3 required):

• Share A stays on your device
• Share B is stored on the server (encrypted)
• Share C is delivered via the beneficiary invite flow

No single system can decrypt your vault by itself.

Invite links use URL fragments

Invite links include a fragment key after the # symbol. Browsers do not send fragments to the server, so the key stays in the user's browser and never hits backend logs.

Learn more

For deeper detail, visit the full Security overview.