FAQ

Frequently Asked Questions

Detailed answers about how Lock My Vault works, how your data is protected, and how to use every feature.

🔒 General
What is Lock My Vault?

Lock My Vault is a free, open-source password manager that runs entirely in your browser. It stores all your passwords in a single encrypted file — your .vault file — that lives on your device, not on any server.

There is no account, no cloud sync, no tracking, and no backend. The app is a single HTML file — you can open it in any modern browser and it works completely offline.

Is it really free?

Yes, completely free. There are no premium tiers, no subscriptions, no hidden costs, and no ads. Lock My Vault will always be free.

If you find it useful, you can support development by buying a coffee — but it is never required.

What happens if I lose my master password?
⚠ Your data is completely unrecoverable. There is no reset, no recovery email, no support ticket that can help. This is by design.

The master password is never stored anywhere — not on your device, not on any server. It only exists in your memory. This is what makes Lock My Vault truly private: no one can ever hand over your passwords because no one ever has them.

Recommendation: Write your master password on paper and store it somewhere physically secure, separate from your .vault file.

Is it safe to store my .vault file in the cloud?

Yes. The .vault file is fully encrypted — without your master password it is indistinguishable from random noise. Even if someone gains access to your Dropbox, Google Drive, or iCloud, they cannot read your passwords.

✓ Recommended backup strategy: keep one copy in cloud storage and one on a USB drive. Update both after adding new entries.

Can I use it offline?

Yes. Once the page loads in your browser, no internet connection is needed. All encryption, decryption, and 2FA code generation happens locally on your device.

You can install Lock My Vault as a Progressive Web App (PWA) for a native app experience:

  • Android (Chrome): tap the menu → Add to Home Screen
  • iPhone (Safari): tap Share → Add to Home Screen
  • Desktop (Chrome/Edge): click the install icon in the address bar
✓ Once installed, Lock My Vault works fully offline with its own home screen icon — no app store required.

🔐 Security & Encryption
How is my data encrypted?

Lock My Vault uses a multi-phase key derivation process followed by AES-256-GCM encryption:

  • Phase 1: PBKDF2-SHA256 with 310,000 iterations and a 128-bit random salt
  • Phase 2: A second PBKDF2-SHA512 pass with 100,000 iterations using a derived salt
  • Phase 3: XOR mixing of both results — simulates memory hardness
  • Encryption: AES-256-GCM with a fresh 96-bit random IV on every save

AES-256-GCM is an authenticated encryption mode — it not only encrypts your data but also detects any tampering. The entire vault is encrypted as a single blob — metadata, entry names, passwords, everything.

What is the vault integrity check?

Every time you save, Lock My Vault computes a SHA-256 hash of your vault contents and stores it inside the encrypted payload. When you open the vault, it recomputes the hash and compares.

If the hashes don't match, a warning banner appears: the file may have been modified outside the app. This could indicate tampering or file corruption.

Old vaults migrated from a previous version will not have an integrity hash yet. The check is skipped for these — it will be added automatically on your next save.

Does Lock My Vault ever send data over the network?

Never. The app uses a strict Content Security Policy header:

connect-src 'none'

This blocks all outbound network requests at the browser level. Even if malicious code were somehow injected into the page, it physically cannot send your data anywhere. Not to a server, not to an analytics service, not anywhere.

How strong should my master password be?

The encryption is mathematically sound — the only realistic attack is guessing your master password. A strong password is the single most important factor in protecting your vault.

  • Use at least 12 characters — 16 or more is better
  • Mix uppercase, lowercase, numbers, and symbols
  • Avoid dictionary words, names, or dates
  • A passphrase of 4–5 random words is excellent: correct-horse-battery-staple

🎭 Decoy Vault
What is a decoy vault?

A decoy vault is a second, separate vault hidden inside the same .vault file. It opens when someone enters a different password — showing fake or harmless entries instead of your real passwords.

This protects you in situations where someone forces you to unlock your vault — you give them the decoy password, they see a realistic but harmless vault, your real data stays protected.

Both passwords produce valid, real decryptions. There is no way to tell from outside the file which password opens the real vault.

How do I set up a decoy vault?

  • Open your vault and unlock it with your master password
  • In the sidebar footer, click ⚠ Decoy Vault
  • Set a decoy password — it must be different from your master password
  • Click Create Decoy Vault
  • Save your vault file — the decoy is only embedded when you save
  • Open the decoy vault (use the decoy password) and add a few realistic fake entries for credibility

Can I replace or remove my decoy vault?

Yes. Open the Decoy Vault panel from the sidebar. If a decoy already exists, you will see options to either remove it or replace it with a new one.

⚠ Replacing a decoy invalidates the old decoy password permanently. Anyone who knew the old decoy password will get a decryption error after you save.

🔑 2FA / TOTP Codes
How does 2FA storage work?

When you enable 2FA on a website, it shows you a QR code and usually also a text-based secret key (a Base32 string like JBSWY3DPEHPK3PXP). This secret, combined with the current time, generates the 6-digit codes.

Lock My Vault stores this secret key encrypted in your vault. When you click the 🔑 button on an entry, it generates the live code locally using pure JavaScript — no network request is ever made.

✓ Compatible with Google Authenticator, Authy, Microsoft Authenticator, and any RFC 6238 compliant app.

Where do I find my 2FA secret key?

When setting up 2FA on a website, look for one of these options:

  • "Can't scan the QR code?" — this reveals the secret key as text
  • "Enter key manually" or "Manual entry"
  • "Setup key" or "Secret key"

The key will be a string of letters and numbers, usually 16–32 characters long. It may have spaces for readability — Lock My Vault will strip them automatically.

⚠ Save this secret key during setup — most websites only show it once. If you lose it, you will need to disable and re-enable 2FA on that account.

What if my 2FA code is rejected?

TOTP codes are time-based — they depend on your device clock being accurate. If your code is rejected:

  • Check the countdown timer — if it shows 1-2 seconds remaining, wait for the next code
  • Make sure your device clock is set to automatic / synced with time servers
  • Verify the secret key is correct — even one wrong character produces wrong codes

📝 Secure Notes
What can I store in secure notes?

Secure notes are for sensitive text that doesn't fit a password entry — anything you want encrypted but isn't a username/password pair:

  • Windows / BitLocker recovery keys
  • SSH private keys
  • Software serial numbers and license keys
  • API tokens and secrets
  • Seed phrases and crypto wallet backups
  • Security question answers
  • Any sensitive multi-line text

Are secure notes encrypted?

Yes. Secure notes are stored inside the same .vault file as your passwords, encrypted with the same master password and AES-256-GCM algorithm. There is no difference in security between a password entry and a secure note.

📁 Files & Versioning
How does file versioning work?

Every time you click Save, a new file is downloaded with an incremented version number:

vault_v1.vault → vault_v2.vault → vault_v3.vault

The version number is stored inside the encrypted vault — so it survives file renames. Even if you rename vault_v3.vault to mypasswords.vault, the app still knows it is version 3 and will save the next version as mypasswords_v4.vault.

Which .vault file should I keep?

Always keep the highest version number — that is your most recent vault. Older versions can be deleted once you confirm the latest one opens correctly.

✓ Tip: rename the file to something memorable like personal_vault_v12.vault and keep older versions as backups for at least a few days.

Can I export my passwords?

Yes. Open your vault, go to the sidebar and click ⬇ Export Passwords. You can choose between two formats:

  • CSV — compatible with Google Passwords, Bitwarden, and 1Password import. Includes name, URL, username, password, 2FA secret, notes, and category.
  • Plain Text — human readable, numbered entries with labels. Good for printing and physical storage.

⚠ Exported files are unencrypted — they contain your passwords in plain text. Store them securely, delete them when done, and never share them.

Where should I store my .vault file to keep it safe?

Your .vault file is AES-256-GCM encrypted — without your master password it is indistinguishable from random data. You can store it anywhere safely.

Recommended backup strategy (3-2-1 rule):

  • Primary — your computer
  • Local backup — USB drive or external hard drive
  • Offsite — cloud storage like Proton Drive, Google Drive, or iCloud
✓ Cloud storage is completely safe for your .vault file — the encryption protects it everywhere.

Still have questions?

The app is open source — you can read every line of code and see exactly how it works. No secrets, no black boxes.

🔒 Open App — It's Free