Security & Privacy

Your data, encrypted before it leaves your device

DNFolder is built on a zero-knowledge architecture. Even we can't read your portfolio - and that's exactly the point.

AES-256 Military Grade
End-to-End Encrypted
Zero-Knowledge Architecture
Client-Side Encryption

Privacy by design, not by promise

Four pillars that keep your portfolio yours alone.

Zero-Knowledge Architecture

Your domains are encrypted in your browser before they ever reach our servers. No DNFolder employee - or anyone else - can read your portfolio. Firestore stores only opaque encrypted blobs.

Envelope Encryption

A random Data Encryption Key (DEK) is generated once at signup and never changes. Your password is only used to wrap that DEK - so changing your password never touches your vault data.

Recovery Key System

During signup, a one-time Recovery Key is shown to you. The same DEK is independently wrapped with a key derived from it - so you can restore vault access even after a password reset, without any help from us.

Encrypted Share Links

When you share a portfolio preview, the decryption key lives only in the URL after the # - the fragment. Browsers never send the fragment to the server, so our database only ever holds an encrypted blob. Only someone with your exact full link can read the data.

Engineered for trust

The technical guarantees that make zero-knowledge possible.

Client-Side Crypto

Encryption and decryption happen entirely in your browser via the Web Crypto API. Plaintext never crosses the network.

Two-Layer Key Design

A password-derived Key Encryption Key (KEK) wraps the DEK. Only the wrapped DEK is stored - the DEK itself never leaves your browser session.

PBKDF2 · AES-256-GCM

310,000 PBKDF2 iterations (OWASP 2023 recommendation) with your unique account ID as salt, producing AES-256-GCM keys for both encryption and key wrapping.

Encrypted at Rest

Firestore stores only { iv, payload } blobs. Without the DEK - which only you hold - the data is indistinguishable from random bytes.
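
The two-layer key design described above, sketched with the Web Crypto API as an added example; it is not DNFolder's code. The iteration count, account-ID salt and { iv, payload } shape come from this page, while the PBKDF2 hash (SHA-256), deriving the Recovery Key's wrapping key the same way as the password's, and all sample values are assumptions.

```javascript
// Added example: envelope encryption with the Web Crypto API (not DNFolder's code).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const subtle = webcrypto.subtle;
const enc = new TextEncoder();

// Derive a 256-bit AES-GCM key-wrapping key. SHA-256 as the PBKDF2 hash is an assumption.
async function deriveKek(secret, accountId) {
  const base = await subtle.importKey("raw", enc.encode(secret), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt: enc.encode(accountId), iterations: 310000 },
    base, { name: "AES-GCM", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// Wrap the DEK under a KEK; a fresh 96-bit IV is drawn for every wrap.
async function wrapDek(kek, dek) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const payload = await subtle.wrapKey("raw", dek, kek, { name: "AES-GCM", iv });
  return { iv, payload };
}

// Unwrap; rejects if the KEK is wrong because the GCM tag fails to verify.
function unwrapDek(kek, { iv, payload }) {
  return subtle.unwrapKey("raw", payload, kek, { name: "AES-GCM", iv },
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
}

async function demo() {
  const accountId = "uid-constructed-123"; // constructed sample values throughout
  const dek = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const payload = await subtle.encrypt({ name: "AES-GCM", iv }, dek, enc.encode("example.com"));
  const vault = { iv, payload }; // the only form the server would store

  let byPassword = await wrapDek(await deriveKek("old password", accountId), dek);
  const byRecovery = await wrapDek(await deriveKek("RECOVERY-KEY-SAMPLE", accountId), dek);
  // Password change: only the wrapped DEK is replaced; `vault` is not re-encrypted.
  byPassword = await wrapDek(await deriveKek("new password", accountId), dek);

  const open = async (secret, wrapped) => {
    const k = await unwrapDek(await deriveKek(secret, accountId), wrapped);
    return new TextDecoder().decode(await subtle.decrypt({ name: "AES-GCM", iv: vault.iv }, k, vault.payload));
  };
  return {
    viaNewPassword: await open("new password", byPassword),
    viaRecoveryKey: await open("RECOVERY-KEY-SAMPLE", byRecovery),
    oldPasswordRejected: await open("old password", byPassword).then(() => false, () => true),
  };
}
```

The DEK is generated as extractable only so that it can be wrapped; the KEKs themselves are non-extractable and limited to wrap and unwrap operations.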

Keep your Recovery Key safe

Your Recovery Key is shown once at signup and never stored by DNFolder - only a SHA-256 hash of it is kept, alongside a copy of your DEK wrapped with a key derived from it. If you lose both your password and your Recovery Key, your vault cannot be recovered by anyone. Store it in a password manager or another trusted location.

Manage your portfolio with peace of mind

Join the investors who choose DNFolder for the privacy guarantees other tools can't match.
