Math, not policy.

Three things make this work.

Tier 1 — Vault encryption

Everything is encrypted at rest.

Every record in your vault — every field, every entry, every byte — is encrypted at rest with AES-256-GCM. The encryption key is 8 bytes, derived from a 32-byte master secret that was randomly generated when your vault was created. That master secret is never stored on disk. It exists only inside a WL3 file, wrapped with the output of your hardware key.

If someone steals the vault file — a stolen backup, a compromised host, a hostile sysadmin — they get ciphertext. Entry titles, usernames, passwords, cards, notes: all encrypted. The 8-byte key is strong enough that brute-forcing it is computationally impractical, and even then, the fields inside are encrypted again at higher tiers.

This is the baseline. Every password manager encrypts at rest. What matters is what happens above this line.

Tier 2 — Credential encryption

Your agents can read credentials. Nothing else.

Above the vault layer, every credential field — API keys, passwords, TOTP seeds, OAuth tokens, SSH keys — is encrypted individually with its own derived key. The encryption key is 16 bytes of full entropy. Computationally unbreakable.

Your AI agents receive this key so they can do their work. That's by design — an agent that deploys your code needs your SSH key. But the key comes with four layers of defense that control what happens with it:

Scoped tokens. Each agent gets a token that grants access to specific entries. Your deploy agent sees your SSH key and your AWS credentials. It does not see your Stripe key, your email password, or your colleague's entries. It cannot enumerate, browse, search, or discover credentials outside its scope. It gets what it has been named to and cannot find what it hasn't.

Distance. Your vault is not on your laptop. It runs on separate infrastructure your agent cannot touch. The agent interacts through a narrow API that serves or denies — there is no filesystem to read, no process memory to inspect, no local cache to raid. If the vault lived on the same machine as the agent, a compromised skill could pry into the system and extract what it wants. Distance removes that option entirely.

Rate limiting. An agent that accesses more than three unique credentials per minute, or ten per hour, is throttled. A second violation within two hours triggers a hard lockdown — the agent is frozen and requires your hardware key to unlock. A normal agent needs two or three credentials. An agent reading ten is either misconfigured or compromised. Either way, it stops.

IP whitelisting. Every agent token is bound to a source IP at first contact. A stolen token used from a different IP is refused at the middleware layer before any handler runs. The attacker has the key but can't use it from anywhere except the machine it was issued to.

The result: a compromised agent's blast radius is bounded to its scope, from its IP, at a rate that triggers lockdown before meaningful exfiltration can occur. Your other agents, your other credentials, and your identity fields are untouched.

Tier 3 — Identity encryption

Your most sensitive data is encrypted with your device. We cannot read it.

Credit cards, CVV, passport numbers, SSN, recovery codes, private notes, signing keys — these are Identity fields. They are encrypted with a 32-byte key that was randomly generated when your vault was created. You don't know this key. We don't have it. It has never existed on any server.

The key lives inside a WL3 file, wrapped with the 32-byte output of your hardware key's PRF extension (WebAuthn PRF). To unwrap it, you need the physical device — your fingerprint reader, your face sensor, or your YubiKey. The unwrapping happens in your browser. The plaintext key exists in browser memory for the duration of one operation, then it's gone.

No agent receives this key. No API endpoint serves it. No server-side process can derive it. Identity fields are ciphertext on every server, in every backup, in every replication target, at every point in time. A breach of our infrastructure — total, complete, every byte exfiltrated — yields ciphertext for every Identity field across every vault. The decryption key is not in the exfiltrated data. It cannot be, because it was never there.

We cannot decrypt your Identity fields. We cannot be compelled to produce a key we do not have. This is not a policy promise. It is a mathematical property of the system.

Nobody but you has access

And there is no master password.

There's nothing to forget, nothing to phish, nothing to crack in a breach. Your device — fingerprint, face, or security key — is the only path in. Every connection is TLS 1.3 with modern ciphers and HSTS. Credentials are released to scoped agent tokens via narrow API endpoints, never logged. Even our AI support cannot see your credentials — the same encryption that hides your secrets from us hides them from our support tools too.

Threat model

What we defend against.

Every credential platform faces the same attack surface. Here's how Clavitor is designed against each.

Threat	How we defend	Outcome
Credential phishing	Users don't know their passwords (32-byte random, never displayed). The extension only fills on URL match. The user can't type what they don't know.	Structurally blocked
OTP / 2FA phishing	TOTP lives in the vault, scoped to the real domain. Wrong domain — no code. Same defense as the password.	Structurally blocked
Server breach	Identity fields are encrypted with hardware-derived keys we never hold. Credential fields auto-rotate — leaked plaintext expires within hours.	Damage bounded
Compromised AI agent	Each agent has a scoped token. Compromise exposes the agent's scope only — not your full vault.	Blast radius bounded
Endpoint malware	Vault is remote, not local. Session tokens are time-limited. WebAuthn challenges are origin-bound — malware can't sign for the user.	Mitigated
Insider attack	Identity fields are mathematically inaccessible to us. We could not produce plaintext under subpoena.	Out of our reach

Trust the platform, not just the cryptography.

Encryption is only one of three guarantees. The other two are about what happens when something fails — the service, or your own access to it.