How Legyra protects vault content with client-side encryption, device-held keys, and privacy-first release controls.
Vault content is encrypted before it reaches Legyra.
Your vault content is encrypted on your device using locally protected key material. Legyra stores encrypted vault payloads and service records needed to operate accounts, contacts, subscriptions, and release workflows. Some account or operational metadata may be processed to run the service, but sensitive vault content is not stored as readable plaintext on our servers.
Vault content is encrypted and decrypted locally.
Encrypted vault payloads and service records.
Your device and PIN work together.
Key material is protected on your device where supported
A private code used locally to unlock your vault
The vault key is derived and protected on the device using your vault PIN and local key material. This raises the bar for remote attackers, but no security model is absolute; you should still protect your device, PIN, and backups.
Designed for high-pressure scenarios.
Legyra includes duress-aware controls in the backend and app architecture. Availability of the mobile duress flow depends on current app configuration; when enabled, it is intended to reduce exposure of real vault content and help trusted contacts understand a potential emergency.
Comprehensive security at every level.