Key Man Out

Zero-Knowledge Encryption

Your secrets stay secret—even from us. Learn how Key Man Out's client-side encryption and zero-knowledge architecture provides military-grade security with complete privacy.

Zero-Knowledge Encryption

Your Secrets Stay Secret—Even From Us

In an era of data breaches and privacy violations, the most secure system is one where the service provider can't access your data even if they wanted to. That's zero-knowledge encryption—and it's how Key Man Out protects your most sensitive assets.

How It Works

Client-Side Encryption for Secrets

Your sensitive data (secrets and file attachments) is encrypted on your device—before it ever leaves your computer—using your team's unique vault key phrase. The server never sees your unencrypted secrets, and we never will.

The Key Man Out Promise: We couldn't read your secrets even if compelled by a court order. They simply don't exist in readable form on our servers.

What's Encrypted: Asset secrets (passwords, API keys, confidential text) and file attachments are encrypted with your vault key phrase.

What's Not Encrypted: Asset metadata (titles, instructions, website URLs, guardian assignments) is stored unencrypted to enable browsing and organization without unsealing the vault.

Your Vault Key Phrase, Your Control

When you create a team, you establish a shared vault key phrase known only to your team members. This key phrase:

  • Never transmitted to our servers - Only a cryptographic hash is stored for verification
  • Never stored anywhere - Exists only in your team members' knowledge and browser sessions
  • Required for every access - Unseals your vault for 30 minutes of secure access
  • Your responsibility - If lost, your data cannot be recovered (by you or us)

This is the foundation of zero-knowledge: we can verify you have the right key without ever knowing what that key is.

Military-Grade Encryption Standard

Key Man Out uses AES-256-GCM encryption for secrets—the same standard used by governments and militaries worldwide to protect classified information.

  • AES-256: Advanced Encryption Standard with 256-bit keys
  • GCM Mode: Galois/Counter Mode provides both encryption and authentication
  • Industry Standard: NIST-approved, FIPS 140-2 compliant
  • Proven Security: Would take billions of years to crack with current technology
  • Applied to: Asset secrets (sensitive text) and file attachments only

The Sealed/Unsealed Vault Model

Left: Sealed vault with encrypted assets. Right: Unsealed vault after entering key phrase

Your team's vault operates in two states:

Sealed (Default State)

  • Asset secrets are encrypted and inaccessible
  • No one can view secrets or download encrypted file attachments
  • Asset metadata (titles, instructions, website URLs) remains visible for organization and browsing
  • Maximum security for sensitive content at rest

Unsealed (Temporary Access)

  • Enter your vault key phrase to decrypt secrets for 30 minutes
  • Access all secrets, download encrypted files, view credentials
  • Automatic re-sealing after timeout for security
  • Activity logged for audit trail

This model ensures secrets are exposed only when actively needed—minimizing the window of vulnerability while allowing convenient organization of assets.

Why Zero-Knowledge Matters

Protection Against Data Breaches

Traditional Systems: Hackers who breach the server gain access to all user data.

Key Man Out: Hackers who breach our server gain access to encrypted secrets that are mathematically useless without your vault key phrase. They would see asset metadata (titles, instructions) but your actual secrets remain protected.

Privacy from Service Providers

Traditional Systems: Companies can read your data, whether for "quality assurance," advertising, or responding to government requests.

Key Man Out: We can't read your secrets. We can't share what we can't see. Your secret content is protected by mathematics, not just policy. While we can see asset metadata for service functionality, your sensitive information remains encrypted and private.

Regulatory Compliance Simplified

Zero-knowledge encryption means:

  • GDPR Friendly: We can't process what we can't read
  • HIPAA Compatible: PHI remains encrypted end-to-end
  • SOC 2 Ready: Data breach impact minimized by design
  • Attorney-Client Privilege: Confidentiality maintained at the technical level

Competitive Advantages

vs. Traditional Password Managers

LastPass, 1Password, Dashlane: These encrypt locally but decrypt server-side for sync/sharing. The provider can technically access your vault.

Key Man Out: True zero-knowledge for secrets—we never have the ability to decrypt your sensitive content. Period.

vs. File Storage Services

Dropbox, Google Drive, OneDrive: Files are encrypted in transit and at rest, but the provider holds the keys. They can (and do) scan your files.

Key Man Out: You hold the only keys to your secrets and file attachments. We see only encrypted blobs for sensitive content.

vs. Enterprise Secrets Managers

HashiCorp Vault, AWS Secrets Manager: Powerful but complex. Require dedicated infrastructure and expertise. Still require trust in the provider.

Key Man Out: Enterprise-grade security with SaaS simplicity. Zero-knowledge means zero trust required.

The Trade-Off: Your Responsibility

Zero-knowledge encryption provides unparalleled security—but with an important caveat:

If you lose your key phrase, your data is gone forever.

We can't reset it. We can't recover it. We can't decrypt your data. This is by design—it's what makes the system secure.

Best Practices:

  • Store your key phrase in a secure location (safe deposit box, trusted password manager)
  • Ensure multiple team members know the key phrase
  • Consider having a backup key phrase in escrow (physically, not digitally)
  • Test unsealing regularly to ensure the key phrase works

Key Rotation

Why Rotate Keys?

Even with strong encryption, periodic key rotation is a security best practice:

  • Limit Exposure Window: If a key is ever compromised, rotation limits the damage
  • Compliance Requirements: Many security frameworks mandate regular key rotation
  • Personnel Changes: When team members leave, rotating the key ensures they lose access
  • Security Hygiene: Regular rotation is part of a defense-in-depth strategy

How Key Rotation Works

Key Man Out implements a secure, multi-party key rotation process:

  1. Initiation: Any team owner or admin can initiate a key rotation
  2. Approval: All team owners/admins must independently approve using the new key phrase
  3. Execution: Once approved, assets are re-encrypted with the new key
  4. Atomic Commit: All assets are updated atomically—either all succeed or none do

Multi-Party Verification

To prevent unauthorized key changes, Key Man Out requires independent verification:

  • Each approver must enter the new key phrase separately
  • The system verifies all approvers have entered the same key phrase (via hash comparison)
  • No single person can change the key unilaterally (for multi-admin teams)
  • Single-owner teams can rotate immediately without approval delays

Safety Features

  • 24-hour cooldown between rotations prevents abuse
  • 48-hour expiration for pending rotations ensures they don't linger indefinitely
  • 1-hour execution timeout auto-fails stale in-progress rotations
  • Retry capability allows recovery from transient failures
  • Cancellation available at any time before execution completes

During Key Rotation

While a key rotation is in progress:

  • Team members can still access assets (until the new key is applied)
  • A warning banner appears indicating a rotation is pending
  • New asset creation uses the current (old) key until rotation completes

Learn more about Key Rotation →

Technical Details

Encryption Workflow

  1. Secret Upload:
    • User enters secret content in browser
    • JavaScript client derives encryption key from vault key phrase using PBKDF2
    • Secret encrypted with AES-256-GCM in browser
    • Only encrypted ciphertext sent to server
    • Server stores encrypted blob without ever seeing plaintext
    • Asset metadata (title, instructions, website) is sent and stored unencrypted
  2. Secret Access:
    • User enters vault key phrase to unseal vault
    • Client derives same encryption key
    • Encrypted secrets downloaded from server
    • Decryption happens entirely in browser
    • Plaintext secrets never transmitted or stored server-side
  3. Key Phrase Verification:
    • Client hashes vault key phrase with bcrypt before transmission
    • Server compares hash to stored hash
    • Match = access granted, mismatch = denied
    • Server never sees or stores actual vault key phrase

Browser Security

  • Encryption keys stored only in sessionStorage (cleared on tab close)
  • 30-minute auto-seal timeout to limit exposure window
  • No persistent storage of keys or decrypted data
  • Memory cleared on seal/unseal operations

Real-World Scenario

Scenario: A disgruntled employee at Key Man Out wants to steal customer data or government agency issues a subpoena.

Traditional System Result:

  • Employee/agency gains access to decrypted user data
  • Customer secrets exposed
  • Business destroyed, trust violated

Key Man Out Result:

  • Employee/agency gains access to encrypted blobs
  • Without customer key phrases, data is useless
  • Customer secrets remain protected
  • Zero-knowledge architecture proves itself

Bottom Line: Your secrets are protected by mathematics, not just promises. Even we can't read them—and that's exactly the point.

Learn about our Guardian System →

Features Overview

Discover Key Man Out's comprehensive features for secure business continuity: zero-knowledge encryption, guardian system, intelligent access control, and complete audit trails.

Guardian System

Complete control over who can access what with custodians, gatekeepers, and successors. Learn how Key Man Out's three-tier role hierarchy provides security with business continuity.