
Zero-Knowledge Architecture

localWiki follows a zero-knowledge architecture. This is not a marketing claim — it is a structural property of the system. We have no technical ability to access your secrets or encryption keys.

What Zero-Knowledge Means

Zero-knowledge means the localWiki team:

  • Cannot read your secrets — Your vault credentials are encrypted with a key derived from your master password. We never receive this password.
  • Cannot reset your password directly — There is no server-side “forgot password” flow. The master password exists only in your memory.
  • Cannot access your data if compelled — Even with a court order, we have nothing to hand over. Your encrypted data lives on your devices, not on our servers.

Recovery Phrase

localWiki supports an optional 12-word recovery phrase (BIP-39) that you can set up during vault creation or later in Settings.

How it works

  1. During vault setup, after you create your password, localWiki generates a 12-word recovery phrase and displays it on screen.
  2. You write the phrase down on paper. The app asks you to verify 3 randomly selected words to confirm you recorded it.
  3. If you forget your password, click “forgot password? recover with phrase” on the unlock screen to enter your 12-word phrase and regain access.

Key details

  • The recovery phrase is generated locally and is never sent to any server.
  • It can unlock your vault and reset your password if you get locked out.
  • You can generate or verify your recovery phrase at any time from Settings > Security.
  • If you lose both your password and your recovery phrase, your encrypted secrets are unrecoverable.

Never store your recovery phrase digitally. Never share it. Write it on paper and keep it somewhere safe. Losing both your password and this phrase means permanent loss of your encrypted secrets.

How It Works

You set a password ──► key derived locally ──► secrets encrypted locally
localWiki servers know: nothing

The relay server (if used) sees only opaque encrypted payloads. It knows a workspace ID and which device IDs are online. It cannot correlate this to any content.
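How a password and a recovery phrase can each unlock the same vault, and how a password reset can happen without any server, shown as an added example that is not localWiki's code. It assumes a random vault key wrapped separately under each secret, with scrypt and AES-256-GCM as assumed primitives (the page names neither); all function names are hypothetical.

```javascript
// Added illustration, not localWiki's code. scrypt, AES-256-GCM and the
// two-slot key-wrapping layout are assumptions; all names are hypothetical.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from a password or recovery phrase.
function deriveKek(secret, salt) {
  return scryptSync(secret.normalize('NFKD'), salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt the vault key under a KEK derived from `secret`.
function wrap(vaultKey, secret) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKek(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Return the vault key, or null if the secret is wrong (GCM tag check fails).
function unwrap(slot, secret) {
  const decipher = createDecipheriv('aes-256-gcm', deriveKek(secret, slot.salt), slot.iv);
  decipher.setAuthTag(slot.tag);
  try {
    return Buffer.concat([decipher.update(slot.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Vault creation: one random vault key, wrapped once per unlock secret.
// Only `slots` would be written to disk; the vault key stays in memory.
function createVault(password, phrase) {
  const vaultKey = randomBytes(32);
  const slots = { password: wrap(vaultKey, password), recovery: wrap(vaultKey, phrase) };
  return { vaultKey, slots };
}

// Forgot-password flow, entirely on the device: unlock with the phrase,
// then re-wrap the same vault key under the new password.
function resetPassword(slots, phrase, newPassword) {
  const vaultKey = unwrap(slots.recovery, phrase);
  if (vaultKey === null) return null;
  return { recovery: slots.recovery, password: wrap(vaultKey, newPassword) };
}

// Public BIP-39 test mnemonic, used here only as sample input.
const SAMPLE_PHRASE = 'abandon abandon abandon abandon abandon abandon ' +
  'abandon abandon abandon abandon abandon about';
```

In this layout the secrets are encrypted under the vault key, so a password reset replaces one small wrapped-key record and never re-encrypts the data. The sketch does not validate the phrase against the BIP-39 wordlist or checksum.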

Why This Matters

Many tools claim to be “secure” while holding your encryption keys on their servers. If a provider can reset your password, they can read your data. localWiki eliminates that possibility entirely by ensuring the keys never exist outside your device.

What We Do Know

For transparency, here is what the relay server can observe if you use WAN sync:

  • Your workspace ID (a random UUID)
  • Device IDs and when they connect
  • Volume of encrypted data transferred (not content)
  • Your IP address during relay connections

We do not log this data beyond what is needed for active connections.
