
# Encryption and security

> How Krypt protects your secrets

This page summarizes how Krypt encrypts and stores your secrets. For full details on our security practices, infrastructure, and vulnerability disclosure, see [krypthq.com/security](https://krypthq.com/security).

## Encryption at rest

All secrets are encrypted with **AES-256-CBC** before being stored. Each secret value gets a fresh 16-byte initialization vector (IV). Stored format:

```text
iv:ciphertext (hex-encoded)
```

The encryption key never leaves the server and is held in process memory only — it is not persisted to disk or environment variables on the server.
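The following is an added example, not Krypt's own code: it implements the storage format described above (AES-256-CBC, a fresh random 16-byte IV per value, `iv:ciphertext` hex-encoded) in Go's standard library, together with the parsing and padding checks a decryptor needs so that a malformed stored value is rejected rather than silently decrypted. The PKCS#7 padding and the 32-byte key are assumptions, since the page does not state the padding scheme or how the key is derived.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pkcs7Pad pads the plaintext to a whole number of 16-byte AES blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and treats malformed padding as corrupt input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptSecret encrypts with AES-256-CBC under a 32-byte key, draws a fresh
// random IV for every call, and returns the "iv:ciphertext" hex form.
func EncryptSecret(key, plaintext []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(iv) + ":" + hex.EncodeToString(ct), nil
}

// DecryptSecret parses the stored form, validates IV and ciphertext lengths,
// and reverses EncryptSecret.
func DecryptSecret(key []byte, stored string) ([]byte, error) {
	ivHex, ctHex, ok := strings.Cut(stored, ":")
	if !ok {
		return nil, errors.New("stored value is not in iv:ciphertext form")
	}
	iv, err := hex.DecodeString(ivHex)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be 16 hex-encoded bytes")
	}
	ct, err := hex.DecodeString(ctHex)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be a non-empty multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed demo key; a real deployment would source it from the server's key holder.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, err := EncryptSecret(key, []byte("DATABASE_URL=postgres://db.example/app"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	pt, err := DecryptSecret(key, stored)
	fmt.Println("decrypted:", string(pt), err)
}
```

Encrypting the same value twice yields two different stored strings because the IV is fresh each time; the IV is the first 32 hex characters before the colon. CBC on its own provides confidentiality, not integrity, so the decryptor's length and padding checks reject structurally malformed input but do not detect every modification of the ciphertext.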

## Encryption in transit

All communication between the CLI, browser, and Krypt API uses **TLS 1.3**. HSTS is enforced on all endpoints, so browsers refuse to fall back to plaintext HTTP and downgrade attacks such as SSL stripping are prevented.
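As an added illustration (not Krypt's server code) of the two settings above, here is a Go HTTP server configuration that refuses anything below TLS 1.3 and attaches a `Strict-Transport-Security` header to every response, plus a small in-process check that a defender can use to confirm the header is actually present. The header value (one year, including subdomains) and the `/secrets` path are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HSTSHeader is the policy attached to every response. One year is the common
// choice; includeSubDomains extends it to all subdomains. Assumed value, not Krypt's.
const HSTSHeader = "max-age=31536000; includeSubDomains"

// WithHSTS wraps a handler so every response carries Strict-Transport-Security,
// regardless of status code or which handler served it.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", HSTSHeader)
		next.ServeHTTP(w, r)
	})
}

// TLS13Only is the server TLS configuration: MinVersion rejects TLS 1.2 and older
// during the handshake, so no cipher-suite list for older versions is needed.
func TLS13Only() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

// DemoAPI is a placeholder API handler wrapped in the HSTS middleware.
func DemoAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/secrets", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"ok":true}`))
	})
	return WithHSTS(mux)
}

// CheckHSTS exercises a handler in-process and returns the HSTS header value and
// status code, which is enough to assert the policy is set on a given route.
func CheckHSTS(h http.Handler, path string) (string, int) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security"), rec.Code
}

func main() {
	srv := &http.Server{Addr: ":8443", Handler: DemoAPI(), TLSConfig: TLS13Only()}
	// srv.ListenAndServeTLS("cert.pem", "key.pem") would serve it; omitted so the demo runs offline.
	_ = srv
	hdr, code := CheckHSTS(DemoAPI(), "/secrets")
	fmt.Printf("status=%d hsts=%q\n", code, hdr)
}
```

Because the middleware wraps the whole mux rather than one route, a 404 for an unknown path still carries the header, which is what "enforced on all endpoints" should mean in practice.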

## API key security

API keys are **SHA-256 hashed** before being stored in the database. The plaintext key is shown only once at creation and is never persisted server-side. If you lose a key, generate a new one — there is no way to recover the original.
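The following added example (not Krypt's implementation) shows the pattern the section describes: a key is generated, its SHA-256 digest is the only thing stored, the plaintext is returned exactly once, and later requests are authenticated by hashing the presented key and looking the digest up. The `krypt_` prefix, the key length and the in-memory store are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyStore holds only hex SHA-256 digests mapped to a key id. A dump of this
// map contains nothing that can be presented as a valid API key.
type KeyStore struct {
	digests map[string]string
}

func NewKeyStore() *KeyStore {
	return &KeyStore{digests: map[string]string{}}
}

// HashKey is the one-way transform applied before storage and before lookup.
func HashKey(plaintext string) string {
	sum := sha256.Sum256([]byte(plaintext))
	return hex.EncodeToString(sum[:])
}

// Issue creates a random 256-bit key, stores only its digest, and hands the
// plaintext back once. After this returns, the server cannot reproduce it.
func (s *KeyStore) Issue(id string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	plaintext := "krypt_" + hex.EncodeToString(raw) // prefix is assumed, not Krypt's real format
	s.digests[HashKey(plaintext)] = id
	return plaintext, nil
}

// Authenticate hashes the presented key and looks the digest up. Looking up the
// digest (rather than the key) means a timing difference on the map lookup
// reveals nothing useful about the plaintext key.
func (s *KeyStore) Authenticate(presented string) (string, error) {
	id, ok := s.digests[HashKey(presented)]
	if !ok {
		return "", errors.New("unknown API key")
	}
	return id, nil
}

// Revoke removes a digest; since nothing else is stored, this is the whole operation.
func (s *KeyStore) Revoke(plaintext string) {
	delete(s.digests, HashKey(plaintext))
}

func main() {
	store := NewKeyStore()
	key, err := store.Issue("ci-bot")
	if err != nil {
		panic(err)
	}
	fmt.Println("show once to the user:", key)
	id, err := store.Authenticate(key)
	fmt.Println("authenticated as:", id, err)
	_, err = store.Authenticate("krypt_not_a_real_key")
	fmt.Println("unknown key:", err)
}
```

Losing the plaintext really does mean starting over: `Revoke` followed by `Issue` is the only path, which matches the page's "generate a new one".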

## CLI config security

The CLI stores your API key locally at `~/.krypt/config.json` with **0600 permissions** (owner read/write only). Other users on the same system cannot read your credentials.
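As an added example (not the Krypt CLI's own code), here is how a CLI can write its config with 0600 permissions and, before loading the key, refuse a config file that has become readable by other users. The explicit `Chmod` matters because the mode passed to `WriteFile` is masked by the process umask and is ignored entirely when the file already exists. The config path and JSON contents are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// WriteConfig writes the config file owner-read/write only. The directory is
// created 0700 so the listing itself is not exposed, and Chmod runs after the
// write to enforce 0600 regardless of umask or a pre-existing looser mode.
func WriteConfig(path string, contents []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	if err := os.WriteFile(path, contents, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// CheckConfigPerms rejects any group or other permission bits. A CLI can call
// this before reading the key and tell the user to run chmod 600 on the file.
func CheckConfigPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; expected 0600", path, perm)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "krypt-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".krypt", "config.json") // constructed stand-in for ~/.krypt/config.json
	if err := WriteConfig(path, []byte(`{"api_key":"krypt_constructed_example"}`)); err != nil {
		panic(err)
	}
	fmt.Println("after write:", CheckConfigPerms(path))
	os.Chmod(path, 0o644) // simulate a user loosening the mode by accident
	fmt.Println("after chmod 644:", CheckConfigPerms(path))
}
```

The check only inspects mode bits; it does not protect against the file's owner being root while the CLI runs as another user, or against a world-readable parent directory being traversed, which is why the directory is created 0700 as well.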

## Sub-processors

Krypt uses the following third-party services to operate:

| Service  | Purpose             | Region                   |
| -------- | ------------------- | ------------------------ |
| Clerk    | Authentication      | US                       |
| Supabase | Database            | eu-west-1 (Ireland)      |
| Stripe   | Payments            | TBD (not yet configured) |
| Resend   | Transactional email | eu-west-1                |
| Railway  | Backend hosting     | europe-west4 (Amsterdam) |
| Vercel   | Frontend hosting    | Global edge network      |
| Sentry   | Error tracking      | EU (Frankfurt)           |

For full sub-processor agreements and EU-US data transfer details, see [our security page](https://krypthq.com/security).

<Note>
  Clerk processes authentication data in the United States under the EU-US Data Privacy Framework adequacy decision (July 2023). All other sub-processors operate within the EU or on global edge networks.
</Note>

## More information

For our full security whitepaper, responsible disclosure policy, and SOC 2 status, visit [krypthq.com/security](https://krypthq.com/security).
