Introducing Vault: end-to-end encrypted storage, built into your pod

Pro users can now enable Vault, a zero-knowledge encrypted layer inside their Solid pod. Your files are encrypted in the browser before they ever leave your device. We cannot read them. No one can, except you.

Most cloud storage services claim to protect your data with encryption. What they usually mean is that your data is encrypted at rest on their servers, and they hold the keys. That is not end-to-end encryption. It means they can read your files whenever they choose, and so can anyone who gets access to their infrastructure.

Vault is different. Encryption and decryption happen entirely in your browser, using the Web Crypto API. Your passphrase never leaves your device. The server never sees your keys. We host the encrypted blobs, but we have no way to read what is inside them.

How it works

When you set up Vault on your Account page, a random 256-bit vault key is generated in your browser. A wrapping key is derived from your passphrase via PBKDF2 at 600,000 iterations, and the vault key is wrapped with it using AES-KW. The wrapped keystore is saved to your pod at /vault/.keystore. You own it. It lives in your pod, not in a separate database we control.

Each file is encrypted with AES-256-GCM with a unique 12-byte random nonce. Per-app encryption keys are derived from your vault key using HKDF, so every app that integrates with Vault gets its own isolated key. You use one passphrase for all your apps, but no two apps can decrypt each other’s data, even if one were compromised.
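
The key hierarchy described above, sketched with the Web Crypto API as an added example; it is not code from the Vault SDK. The function names, the 16-byte PBKDF2 salt, SHA-256 as the PBKDF2/HKDF hash, the empty HKDF salt with the app id as info, and the nonce-prefixed blob layout are all assumptions.

```javascript
// Added example, not Vault SDK code. Names, salts, hash choice and blob layout are assumptions.
const enc = new TextEncoder();
const webcrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// PBKDF2 (600,000 iterations, as stated in the post) -> AES-KW wrapping key.
async function deriveWrappingKey(passphrase, salt) {
  const { subtle } = await webcrypto();
  const base = await subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Setup: random 256-bit vault key, wrapped with AES-KW. Only { salt, wrapped } is stored.
// The key is generated as an extractable AES key solely so wrapKey can export its 32 bytes.
async function createKeystore(passphrase) {
  const wc = await webcrypto();
  const salt = wc.getRandomValues(new Uint8Array(16));
  const vaultKey = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const kek = await deriveWrappingKey(passphrase, salt);
  const wrapped = new Uint8Array(await wc.subtle.wrapKey('raw', vaultKey, kek, 'AES-KW'));
  return { salt, wrapped };
}

// Unlock: unwrap into a non-extractable HKDF key. A wrong passphrase fails the AES-KW integrity check.
async function unlockVault(passphrase, { salt, wrapped }) {
  const kek = await deriveWrappingKey(passphrase, salt);
  return (await webcrypto()).subtle.unwrapKey('raw', wrapped, kek, 'AES-KW', 'HKDF', false, ['deriveKey']);
}

// Per-app AES-256-GCM key: HKDF over the vault key with the app id as the info parameter.
async function deriveAppKey(vaultKey, appId) {
  const { subtle } = await webcrypto();
  return subtle.deriveKey({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: enc.encode(appId) },
    vaultKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Blob layout (assumed): 12-byte random nonce || ciphertext || 16-byte GCM tag.
async function encryptFile(appKey, plaintext) {
  const wc = await webcrypto();
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, appKey, plaintext));
  const blob = new Uint8Array(12 + ct.length);
  blob.set(iv); blob.set(ct, 12);
  return blob;
}

async function decryptFile(appKey, blob) {
  const { subtle } = await webcrypto();
  return new Uint8Array(await subtle.decrypt({ name: 'AES-GCM', iv: blob.subarray(0, 12) }, appKey, blob.subarray(12)));
}
```

Decrypting a blob with a different app's derived key, or unlocking with the wrong passphrase, rejects with an error rather than returning garbage, because both AES-GCM and AES-KW authenticate their output.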

A one-time recovery code is generated at setup and displayed once. If you forget your passphrase, you can use the recovery code on your Account page to re-wrap the vault key with a new passphrase. Your files are never at risk from a forgotten passphrase as long as you have the recovery code.

What gets encrypted

Any app that uses the Vault SDK stores its files in your vault automatically. File contents are encrypted. Filenames are stored only in an encrypted manifest inside the vault. From the outside, vault storage looks like a directory of opaque blobs with UUID names.

Apps that do not use the Vault SDK continue to work exactly as before, storing data as regular Solid pod resources. Vault is additive, not a replacement for the underlying pod.

Free plan users

Vault setup requires a Pro plan, because the provisioning and passphrase setup UI lives in your account dashboard. However, apps built with the Vault SDK work in plaintext mode for Free plan users. The API is identical either way. Developers write one code path; the SDK switches between encrypted and plaintext automatically based on whether a vault keystore exists in the pod.

For developers

The @privatedatapod/vault-sdk npm package is open source and available today. It works with any Solid pod server. Documentation is at the Developer Center, including a full API reference, a React integration pattern, and an AI agent prompt you can paste into Copilot or Cursor to get started immediately.

Getting started

If you are on a Pro plan, open your Account page and look for the Vault section. Setup takes about 30 seconds. After that, any Vault-enabled app will prompt for your passphrase the first time you use it in each session and store your data encrypted from that point on.

If you are on the Free plan, upgrading to Pro adds Vault alongside the larger storage quota and daily backups.