Store secrets we can never read.
Orbsen Keep encrypts your secrets inside your own browser. Only the ciphertext ever reaches us — the key stays with you and touches our servers never. Not a promise. A property of the architecture.
K = aes-256-gcm key → stays with you
// only this leaves the browser
POST /api/blob
{ iv: "7Qm…",
ciphertext: "a1F9…" }
[STORE] stored ciphertext
[STORE] key = unknown
[STORE] plaintext = unknown
Secret storage that can’t betray you
Most vaults ask you to trust that they’ll behave. Orbsen Keep is built so that even we couldn’t read your secrets if we tried.
Encrypted before it leaves
A fresh AES-256-GCM key is generated in your browser and used to encrypt the secret locally. We receive the ciphertext and nothing else.
Your key, your custody
The key K is shown to you and sent nowhere. Without it, the blobs on our disk are meaningless bytes.
Zero-knowledge at rest & in transit
Ciphertext on disk, ciphertext on the wire. When you recover a secret it’s decrypted in your browser and used directly — the store is never in that hop.
Inspectable, not trust-me
Log every byte we ever receive and you still can’t rebuild the secret. The guarantee is checkable, not a policy line.
Three steps, one place the key never goes
Encrypt in your browser
Your browser generates a one-off key K, encrypts the secret S, and posts only { iv, ciphertext } to the store.
Keep the key
We hand you K and a blob id. We store the ciphertext against that id — and never learn the key.
Recover & use
Fetch the ciphertext, decrypt it locally with K, and send the plaintext straight where it’s needed. The store isn’t in that path.
Try to read your own secret from our side
Take everything Orbsen ever has — the blobs on disk and every line of every byte that hit the store — and try to reconstruct the secret. You can’t. There’s no key, only AES-GCM ciphertext.
- The disk holds ciphertext blobs only.
- The store logs show ciphertext arriving — never the key.
- Plaintext only ever exists in your browser and its destination.
Honest about the edge. The one residual risk is whoever ships the page’s JavaScript could ship a version that leaks the key. That’s unfixable by architecture alone — only by open source and pinned versions.
So we say it out loud, and we hold ourselves to it. Zero-knowledge at rest and in transit: proven.
Put a secret where even we can’t see it
Encrypt in the browser, keep your key, recover when you need it. That’s the whole model.