Create an Account
Creating a SyVault account establishes your cryptographic identity. Everything -- key derivation, vault generation, and initial encryption -- happens on your device before any data reaches our servers.
Step-by-Step
- Visit the signup page at vault.syvault.com/signup.
- Enter your email address. This is your login identifier and the destination for verification and account alerts.
- Choose a master password. Minimum 10 characters. See Master Password Best Practices for guidance.
- Confirm your master password by typing it a second time.
- Click Create Account.
What Happens Cryptographically
When you click Create Account, the following operations execute entirely in your browser:
- Argon2id Key Derivation -- Your master password is fed into Argon2id with parameters m=65536 (64 MiB), t=3 (3 iterations), p=4 (4 parallel lanes), and a random 16-byte salt. This produces your Master Key (256 bits). Argon2id is chosen for its resistance to both GPU and side-channel attacks.
- Account Key Generation -- A random 256-bit Account Key is generated using crypto.getRandomValues(). This key is encrypted (wrapped) with your Master Key using AES-256-GCM and a fresh 96-bit nonce.
- Key Pair Generation -- An ECDH P-256 key pair is generated. The private key is encrypted with your Account Key. The public key is stored in plaintext on the server and used for sharing and key exchange.
- Default Vault Creation -- A random 256-bit Vault Key is generated for your default "Personal" vault. This vault key is encrypted with your Account Key.
- Payload Transmission -- The following are sent to the server: your email, the Argon2id salt, the encrypted Account Key, the encrypted private key, the public key, and the encrypted Vault Key. Your master password and any plaintext keys never leave the browser.
Master Password
│
▼ Argon2id (64 MiB, 3 iter, 4 lanes)
Master Key
│
▼ AES-256-GCM wrap
Account Key (random)
│
├──▶ Vault Key (random) ──▶ encrypts records
└──▶ ECDH Private Key ──▶ used for sharing
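The key hierarchy above, sketched with WebCrypto as an added example (not SyVault's own code). It assumes the 32-byte Master Key was already derived with Argon2id by a separate library, that every wrap uses AES-256-GCM with the nonce prepended to the ciphertext, and that the payload field names are hypothetical.

```javascript
// Added example, not SyVault's code. Assumption: masterKey is the 32-byte
// Argon2id output (m=65536, t=3, p=4); WebCrypto itself has no Argon2id.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const aesKey = (raw) =>
  wc.subtle.importKey('raw', raw, 'AES-GCM', false, ['encrypt', 'decrypt']);

// AES-256-GCM wrap with a fresh 96-bit nonce.
// Assumed blob layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
async function wrap(kekBytes, plaintext) {
  const nonce = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv: nonce }, await aesKey(kekBytes), plaintext);
  return new Uint8Array([...nonce, ...new Uint8Array(ct)]);
}

// Rejects (OperationError) if the key is wrong or the blob was modified.
async function unwrap(kekBytes, blob) {
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12) },
    await aesKey(kekBytes), blob.slice(12));
  return new Uint8Array(pt);
}

// Builds what is sent to the server; field names are hypothetical.
async function buildSignupPayload(email, salt, masterKey) {
  const accountKey = wc.getRandomValues(new Uint8Array(32));
  const vaultKey = wc.getRandomValues(new Uint8Array(32));
  const pair = await wc.subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-256' }, true, ['deriveBits']);
  const privateKey = await wc.subtle.exportKey('pkcs8', pair.privateKey);
  const publicKey = await wc.subtle.exportKey('raw', pair.publicKey);
  return {
    email,
    salt,
    encryptedAccountKey: await wrap(masterKey, accountKey),  // under Master Key
    encryptedPrivateKey: await wrap(accountKey, privateKey), // under Account Key
    encryptedVaultKey: await wrap(accountKey, vaultKey),     // under Account Key
    publicKey: new Uint8Array(publicKey),                    // plaintext by design
  };
}
```

Because GCM is authenticated, `unwrap` fails outright on a wrong Master Key or a modified blob instead of returning garbage key bytes.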
Master Password Requirements
| Requirement | Details |
|---|---|
| Minimum length | 10 characters |
| Recommended | Passphrase of 5+ random words (e.g., correct-horse-battery-staple-bridge) |
| Forbidden | Passwords found in common breach dictionaries are rejected |
| Reuse | Must not match your email address |
SyVault enforces these requirements client-side and server-side. Weak passwords that meet the minimum length but appear in known breach databases will be rejected.
Email Verification
After signup, you will receive a verification email. Click the confirmation link within 24 hours. Until verified, your account is in a limited state: you can access your vault locally, but sync, sharing, and emergency access features are disabled.
If you do not receive the email, check your spam folder, then request a new link from Settings > Account > Resend Verification.
What the Server Stores
The server never sees your master password or any plaintext key material. It stores: your email, the Argon2id salt and parameters, wrapped (encrypted) keys, your ECDH public key, and encrypted vault data. In a server compromise, your keys and vault data are exposed only as ciphertext that is computationally infeasible to decrypt without your master password.