Skip to main content
Eternum is designed so the server cannot read vault contents.

What stays local

  • The plaintext master key
  • Plaintext vault item content
  • Plaintext trusted-contact shares during activation and release
  • Beneficiary-side reconstructed master key

What the server stores

  • Encrypted vault blobs and client-side encrypted item names (item types remain plaintext)
  • Encrypted data encryption keys
  • Encrypted or sealed recovery shares
  • Trusted contact and beneficiary records
  • Death verification pipeline state
  • Audit logs and billing records

Server compromise assumptions

If the server is compromised, an attacker may see encrypted blobs, metadata, user emails, pipeline state, and audit records. They should not be able to decrypt vault contents without enough recovery shares and the required client-side keys.
Zero-knowledge vault encryption does not hide all metadata. Item types, contact emails, beneficiary emails, timestamps, and billing records may be visible to the service. Item names are encrypted client-side and are not visible to the service.