Security & Privacy

We literally can’t read your cookies.

CookieVault uses zero-knowledge, end-to-end encryption. Your encryption key is derived from your password on your device, and never sent to our servers.

How sync stays private

Everything sensitive happens on your device. We only ever store ciphertext.

1 ON YOUR DEVICE

Derive the key

Your password runs through PBKDF2 to produce an encryption key. The key is created locally and never transmitted.

password → PBKDF2 → key

2 ON YOUR DEVICE

Encrypt the cookies

Your cookie vault is encrypted with AES-256-GCM using that key — before anything leaves the browser.

cookies → AES-256-GCM → blob

3 ON OUR SERVERS

Store only ciphertext

We receive and store an opaque encrypted blob. We have no key, so we can never decrypt it.

⬡ blob stored · 🔒 unreadable
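
The three steps above, sketched with the Web Crypto API as an added example; this is not CookieVault's own code. The iteration count, the per-upload random salt, the `salt || iv || ciphertext` blob layout and all function names are assumptions made for illustration, since this page does not state them.

```javascript
// Added example. Parameters are assumptions, not CookieVault's published values.
const ITERATIONS = 600000;         // assumed PBKDF2-HMAC-SHA256 work factor
const SALT_LEN = 16, IV_LEN = 12;  // assumed layout: salt || iv || ciphertext+tag
// Constructed sample data, not real cookies.
const SAMPLE_COOKIES = [{ name: 'sid', value: 'constructed-value', domain: 'example.test' }];

// Web Crypto in a browser/extension context, with a fallback for older Node.
const getCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Step 1: password -> PBKDF2 -> non-extractable AES-256-GCM key (stays on device).
async function deriveKey(password, salt) {
  const { subtle } = await getCrypto();
  const material = await subtle.importKey('raw', new TextEncoder().encode(password),
    'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Step 2: cookies -> AES-256-GCM -> blob, with a fresh random salt and IV each time.
async function sealVault(password, cookies) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = c.getRandomValues(new Uint8Array(IV_LEN));
  const key = await deriveKey(password, salt);
  const plaintext = new TextEncoder().encode(JSON.stringify(cookies));
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  blob.set(salt, 0); blob.set(iv, SALT_LEN); blob.set(ct, SALT_LEN + IV_LEN);
  return blob; // Step 3: the only thing uploaded; salt and IV are not secret
}

// Another device re-derives the key from the password. Returns null when the
// password is wrong or the blob was modified (GCM tag verification fails).
async function openVault(password, blob) {
  const c = await getCrypto();
  if (blob.length < SALT_LEN + IV_LEN + 16) return null; // cannot hold a GCM tag
  const salt = blob.slice(0, SALT_LEN);
  const iv = blob.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(password, salt);
  try {
    const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv }, key, blob.slice(SALT_LEN + IV_LEN));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch { return null; }
}
```

Because the key comes only from the password, the stored blob resists offline guessing only as well as the password strength and the PBKDF2 work factor allow.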

What we guarantee

End-to-end encryption

AES-256-GCM, applied on your device before anything is uploaded.

Zero-knowledge

Keys are derived from your password and never leave your device.

No analytics, no trackers

No telemetry on by default, no third-party scripts, no ad SDKs.

Open source & auditable

MIT-licensed. Read every line — or build it yourself. View source →

Minimal permissions

Manifest V3 with tightly scoped permissions — detailed in full below.

We never sell your data

A public, binding promise. Read the No-Sale Promise →

Every permission, explained

We ask for the minimum we need to do the job — and nothing more. Here’s exactly what each one is for, and what it never does.

| Permission | Why we need it | What it never does |
|---|---|---|
| cookies (Both) | Read and write cookies so you can inspect, edit, and clean them. | Sends them anywhere — all processing is local. |
| host permissions (Both) | Apply cookie operations to the sites you choose to act on. | Reads or modifies page content. No DOM access at all. |
| storage (Both) | Save your profiles, rules, and preferences on your device. | Leaves your device unless you enable encrypted sync. |
| tabs (Guardian) | Detect when the last tab for a site closes, to trigger cleanup. | Reads tab content, URLs of other tabs, or browsing history. |
| alarms (Guardian) | Run the 30-second safety sweep on a reliable schedule. | Makes network requests or tracks any activity. |

For the engineers

Read the full security model — threat model, key derivation parameters (PBKDF2 iterations, salt strategy), and the sync protocol. Then audit the source yourself.

Last updated: 2026-06-18 · Author: CookieVault Team