Security at Locki
Security is at the heart of Locki. We built our platform with one principle: your plaintext data should never leave your browser — ever. This page outlines our security architecture and what it means for your organization.
1. Local Encryption
All encryption and decryption happen locally in your browser. Locki never transmits, stores, or accesses your plaintext. Your encryption keys remain entirely under your control — the extension uses them only in memory, never sending them in plaintext to any server.
2. Zero Knowledge Architecture
We designed Locki with a strict zero-knowledge model. Even the org keys stored on our servers are kept AES-GCM encrypted under a key derived from your organization's master secret, so we hold encrypted blobs, not usable keys. Even if our database were compromised, your keys would remain protected.
3. Encryption Standards
Locki uses AES-256-GCM — the same algorithm used by financial institutions, governments, and cloud providers for protecting sensitive data. Every encrypted payload includes a unique 12-byte IV to prevent replay attacks. This is implemented using the browser's native Web Crypto API, not third-party libraries.
4. No Plaintext Data Collection
Locki does not collect the content of what you encrypt. Audit logs capture metadata only — actor, action, key ID, timestamp, and web app URL — never the plaintext or ciphertext of your messages. This design ensures GDPR compliance by default.
5. Open Source Cryptography
We believe privacy tools must be verifiable. Locki's core cryptographic primitives are published as open source — github.com/locki-hub/locki-crypto — and available as an npm package (@lockisecurity/crypto-core). The encryption format, IV handling, and key derivation can be independently reviewed, audited, and reused by anyone.
6. Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in Locki, please contact us immediately at contact@lockisecurity.com. We take every report seriously and respond promptly.
Last updated: April 27, 2026