Zero-KnowledgeEncrypted Messaging

Privacy is not a feature. It's a right.

VAULTEX is an open-source, end-to-end encrypted messenger built on the Signal protocol with a zero-knowledge server. Your messages, your keys, your privacy — no compromises.

Download NowLearn More

Everything You Need

A comprehensive feature set built from the ground up for privacy, security, and seamless communication — without compromise.

End-to-End Encryption

X3DH key agreement and Double Ratchet protocol provide forward secrecy and post-compromise security on every message.

Sealed Sender

Cryptographic construction hides sender identity from the server, preventing social graph analysis even by a compromised relay.

Zero-Knowledge Server

The server stores only encrypted blobs. It cannot read messages, identify senders, access keys, or reconstruct contact lists.

Forward Secrecy

Per-message key ratcheting ensures that compromise of current keys cannot decrypt past messages. Every message gets a unique key.

Group Messaging

End-to-end encrypted group conversations with member management, sealed sender, and the same zero-knowledge guarantees.

Encrypted Media

Photos, files, and documents encrypted with per-file XChaCha20-Poly1305 keys. The server never sees your content.

Duress PIN

A secondary PIN that silently wipes all data while appearing to unlock normally. Protection under coercion.

Tor Transport

Route messages through the Tor network for IP-level anonymity. Support for .onion hidden service addresses.

Off-Grid Messaging

Send encrypted messages without internet via LocalNet, Bluetooth, WiFi Direct, or mesh relay. Direct device-to-device.

Encrypted Search

Full-text search powered by FTS5 on your local encrypted database. Search stays on your device — zero knowledge preserved.

Voice & Video Calls

E2E encrypted call signaling with WebRTC. SDP and ICE candidates encrypted end-to-end. The server relays without inspection.

Sovereign Identity

No phone number or email required. Identity is purely cryptographic — you generate and control all keys on your own device.

How We Compare

See how VAULTEX stacks up against the most popular secure messaging apps across encryption, privacy, security features, and platform openness.

SupportedPartialNot supported

Encryption & Privacy

End-to-end encryption (default)All messages encrypted by default, not opt-in
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Forward secrecyCompromise of current keys cannot decrypt past messages
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Post-compromise securitySession automatically heals after a key compromise
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Sealed senderServer cannot identify who sent a message
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Zero-knowledge serverServer stores only encrypted blobs, cannot read anything
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
No phone number requiredRegister without providing a phone number or email
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
No metadata collectionNo contact lists, IP addresses, or usage patterns stored
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS

Security Features

Memory-hard KDF (Argon2id)Brute-force resistant key derivation for local storage
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Key material zeroingCryptographic keys wiped from memory immediately after use
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Encrypted local databaseAll local data encrypted at rest with SQLCipher or equivalent
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Duress PIN / panic wipeSecondary PIN that silently wipes data under coercion
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Constant-time comparisonsTiming-safe operations to prevent side-channel attacks
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Safety number verificationOut-of-band key fingerprint verification between contacts
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS

Network & Transport

Tor transportRoute messages through Tor for IP-level anonymity
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Off-grid / P2P messagingSend messages without internet via Bluetooth, WiFi Direct, or mesh
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Mesh relayMulti-hop message forwarding through intermediate devices
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Censorship resistantCan operate in censored network environments
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS

Platform & Openness

Fully open sourceClient and server code are open source and auditable
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Self-hostable serverRun your own server infrastructure
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
Desktop native appNative desktop application, not just a phone mirror
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS
No corporate ownershipNot owned by a large tech company with ad/data incentives
VAULTEX
Signal
Briar
WhatsApp
Telegram
iMessage
SMS/RCS

Overall Score

VAULTEX
21/21
Signal
12.5/21
Briar
16.5/21
WhatsApp
5/21
Telegram
2.5/21
iMessage
2.5/21
SMS/RCS
0/21

Try VAULTEX

Experience the look and feel of VAULTEX right here. Chat with our demo assistant to explore E2E encryption indicators, sealed sender badges, read receipts, and more.

VAULTEX
V

Vault

Online|Sealed Sender
End-to-end encrypted | Double Ratchet + Sealed Sender

This is a simulated demo. No data is sent to any server.

Uncompromising Security

Every layer is designed with a zero-trust mindset. From key exchange to storage, nothing is left to chance.

Message Protocol Flow

Alice

Generates ephemeral keypair

X3DH

Triple Diffie-Hellman key agreement

Double Ratchet

Per-message key derivation

Encrypt

XChaCha20-Poly1305 AEAD

Seal

Hide sender identity

Server

Blind relay (sees nothing)

blind relay
Unseal

Recover sender identity

Decrypt

Verify and decrypt

Bob

Reads plaintext message

Cryptographic Primitives

XChaCha20-Poly1305

Authenticated encryption with 192-bit random nonces. Eliminates nonce-reuse risk inherent in AES-256-GCM's 96-bit nonce space.

Argon2id KDF

Memory-hard key derivation with 64 MiB memory cost, 3 iterations, 4 parallel lanes. Resistant to GPU and ASIC brute-force attacks.

Sealed Sender

Anonymous authenticated encryption hides sender identity inside the encrypted envelope. The server sees only the recipient.

Memory Zeroing

All key material is zeroed after use via the zeroize crate with compiler-resistant memzero. Private keys never linger in memory.

Constant-Time Comparison

PIN verification and signature checks use timing-safe comparison to prevent side-channel attacks.

SQLCipher Encryption

Local database encrypted at rest with Argon2id-derived keys. All messages, contacts, sessions, and keys protected on disk.

Threat Model

Level 1Passive Network Observer

ISP, WiFi operator, or surveillance system monitoring network traffic.

  • TLS 1.3 on all connections
  • Tor transport for IP anonymity
  • Sealed sender hides communication patterns
Level 2Active Network Attacker

Man-in-the-middle with ability to modify traffic.

  • Certificate pinning
  • Ed25519 request signing
  • Safety number verification
Level 3Compromised Server

Full control of the VAULTEX server infrastructure.

  • Zero-knowledge architecture
  • E2E encryption (server never sees plaintext)
  • Sealed sender (server can't identify sender)
Level 4Endpoint Compromise

Attacker gains temporary access to the user's device.

  • PIN and duress PIN protection
  • Auto-lock with inactivity timeout
  • Forward secrecy limits exposure window
  • Post-compromise security heals automatically

Built for Security

A layered architecture where every component is designed with defense-in-depth. From storage to UI, security is not an afterthought.

Desktop App

Tauri 2.x shell with React 18 + TypeScript UI

Crypto Engine

libsodium: X3DH, Double Ratchet, XChaCha20-Poly1305, Sealed Sender

Transport

WebSocket real-time delivery, Tor onion routing, P2P mesh relay

Server

Axum REST API + WebSocket relay. Zero-knowledge blind relay.

Storage

PostgreSQL 16 (encrypted blobs only) + Redis 7 (delivery queue)

Technology Stack

R

Rust

Core engine and server

R

React 18

Component UI framework

T

TypeScript

Type-safe frontend

T

Tauri 2.x

Desktop shell and IPC

Na

libsodium

Cryptographic primitives

A

Axum

Async HTTP and WS server

P

PostgreSQL 16

Encrypted blob storage

R

Redis 7

Delivery queue and cache

T

Tailwind CSS

Utility-first styling

Z

Zustand

Lightweight state management

Get VAULTEX

Download the latest release and take back control of your communications.

v0.10.2

Linux

Debian / Ubuntu (.deb)

Windows

Installer (.exe)

Our Mission

“We believe privacy is a fundamental right, not a premium feature.

VAULTEX is built on the principle that no server should ever see your messages. The server stores only encrypted blobs and public keys — it cannot read, infer, or hand over your conversations to anyone.

Every line of code is open source and fully auditable. There are no proprietary black boxes, no hidden telemetry, and no third-party analytics. What you see is what runs.

Sovereign identity means your keys live on your device and nowhere else. There is no account recovery backdoor, no cloud key escrow, and no master decryption key. Your data is yours alone.

With hundreds of automated tests covering cryptographic correctness, protocol compliance, and integration behavior, VAULTEX is built to be verified — not just trusted.

262+
Rust Tests
79
Frontend Tests
12
Security Primitives
Zero
Knowledge