VESvault
Simple, Safe, Secure
Making encryption
universally practical
VES can be integrated with any App
to make e2ee safe to use
with all user data-at-rest
VES establishes a new paradigm in the combination of safety from key loss,
and the full security of undiluted end-to-end-encryption (e2ee). In the past, users
would have to choose between uncompromised e2ee with no chance of
recovering encrypted content if the key is lost, and giving a third party a
copy of the encryption key for some safety but at the price of diminished
privacy and a substantial risk to security.
With VES, users can maintain the integrity of e2ee security
while also having safety from key loss. This unique combination enables e2ee
for data-at-rest to be practical for mainstream use, and applicable
in places where it currently is not used.
Go to the Safety section below to learn more about how VES
can reduce the risk of key loss to lower than 1 in 14 trillion!
Those odds are much lower than any other key recovery method of which we know.
Not only does VES provide safety without compromising security, it can provide
a new benchmark in that level of safety too.
Go to the Security section below to learn more about the preservation of
e2ee and other security measures of VES.
The easiest and best way to create a VES account is through a VES enabled app,
such as VESmail.
Download the VESmail app, select the ADD EMAIL button, enter an
email address and a security link is emailed to you.
Open it to create a 4-8 digit PIN, and in doing so both a VESmail and a connected VES
account are created simultaneously for the same email address.
Then set up VESrecovery by entering the email addresses of a few friends,
who will be able to assist you in recovery after they set up their VES accounts.
For some VESmail Enterprise situations, your VESrecovery may be already set up
by the Enterprise administrator.
There may be additional setup steps for the
VES connected app. With VESmail, this pertains to configuring the email app
with new settings that are single-click copied from your VESmail Account
Manager page and pasted into the exactly matching fields in your email app.
There's no guess work, so it's simple to do.
You essentially repeat the above process when you want to add another
device for your VES enabled app, but with one
step swapped out for another. Instead of receiving an email with a link,
you will enter your PIN on the device that already has your VES account connected
to it to enable the same VESkey on the new device. Simple. Fast.
You can also add your VES account to another device without including VESmail
in the process, by using the drop down menu on the upper left on this page.
But, if you're going to use VESmail on the device, it's faster and easier to do it
while using the VESmail app to set up VESmail for the device.
Generally, VES works invisibly behind the scenes and you never
need to think about it. Some VES enabled apps may require you to enter
your PIN for extra security, but that is up to the app developer.
VESmail does not require entering your PIN. Moreover, VESmail also works invisibly
behind the scenes in the normal use of your email.
Hence, the VES/VESmail combo is invisible and seamless to use.
After VES is set up, including setting up your VESrecovery settings, the only
time you'll ever need to manually use VES is to enter your PIN to: 1) add another device;
2) access your encryption keys; 3) change your VES account settings; 4) assist
a friend in key recovery. None of these events should happen often, if at all.
You may want to use the same PIN for every device - one you won't forget.
1 in 14 trillion...VESrecovery can be that safe from key loss...read onward...
VESrecovery is the 3rd of 4 cascaded levels of redundancy that
protect your encrypted content from key loss. Because VESrecovery is
so innovative in setting a new benchmark level of safety, we have to talk about it first.
As mentioned, by itself VESrecovery can lower the estimated odds of failure
to recover encrypted content due to key loss to less than 1 in
14 trillion, and even drop them much lower than that! This is an incredible achievement.
Of course, the effectiveness of VESrecovery is dependent upon having a properly set up VESrecovery network
of friends with operational VES accounts.
The 1 in 14 trillion estimation is based on a network of only 7 friends,
each having more than one device with their connected VES accounts, and any
2 of the 7 being able to assist you by entering their PINs on one of their devices.
What are the odds that any single person - you or your friends - either forgets their PIN
or the local storage in all the browsers on all their devices becomes inaccessible simultaneously?
Does this happen once every 100 days, or 1%? Probably not. So we went with 1% to be conservative.
Using that 1%, and needing 2 of the 7 to be operational results in the 1 in 14 trillion.
And, if your seven friends each have seven unique friends of their own, the cascading effect
of this viral network dramatically lowers the odds even more. There's no limit to the depth of your
VES network.
Use the FUN MATH VESrecovery interactive calculator to recreate these odds,
or change the inputs to estimate risk scenarios for your personal situation.
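The arithmetic behind the 1 in 14 trillion figure, as an added example that is not VESvault's calculator code. It assumes each person fails independently and that the owner's own 1% loss is multiplied in, which is the reading that reproduces the page's number; function names and every scenario other than the first are constructed here.

```python
from math import comb

def p_too_few_helpers(n_friends: int, needed: int, p_fail: float) -> float:
    """Probability that fewer than `needed` of `n_friends` can assist.

    Each friend is independently unavailable with probability p_fail
    (forgot their PIN, or lost local storage on all of their devices).
    """
    p_ok = 1.0 - p_fail
    return sum(
        comb(n_friends, k) * p_ok**k * p_fail**(n_friends - k)
        for k in range(needed)      # k = number of friends still operational
    )

def p_data_loss(n_friends: int, needed: int, p_fail: float) -> float:
    """Owner loses their own key AND recovery cannot reach the threshold.

    Assumption (not spelled out on the page): the owner's own loss event is
    multiplied in. Without it, 7 friends / any 2 / 1% gives ~1 in 144 billion.
    """
    return p_fail * p_too_few_helpers(n_friends, needed, p_fail)

def one_in(p: float) -> float:
    """Express a probability as the N in '1 in N'."""
    return 1.0 / p

SCENARIOS = [  # constructed inputs; only the first row comes from the page
    ("page: 7 friends, any 2, 1%", 7, 2, 0.01),
    ("7 friends, any 3, 1%", 7, 3, 0.01),
    ("3 friends, any 2, 1%", 3, 2, 0.01),
    ("7 friends, any 2, 5%", 7, 2, 0.05),
]

def sensitivity(rows):
    """Return (label, N) pairs where the odds of loss are 1 in N."""
    return [(label, one_in(p_data_loss(n, k, p))) for label, n, k, p in rows]

if __name__ == "__main__":
    for label, odds in sensitivity(SCENARIOS):
        print(f"{label:28s} 1 in {odds:,.0f}")
```

The result is dominated by the assumed per-person failure rate and by independence between people, so correlated failures (for example friends who share a household or a device) would make the real odds worse than the estimate.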
It only gets better because VESrecovery is just one of four levels
of redundancy in protecting you from key loss.
Suppose you are using VESmail, the VES enabled app for e2ee email.
Being a separate app from VES, VESmail has its own dedicated app encryption key.
No other app uses this key. The VESmail app key replaces the password stored
in all your email client apps. Your PIN, and hence
your VESkey (master encryption key) is not used for the operation of VESmail.
All that matters is that the VESmail app key
safely remains in the password field in your email apps on all your devices.
So, the first level of redundancy is the integrity of the multiple email apps on all your devices.
If you alter the password field, delete or crash your email app, this app key will be lost and
you will need to go to level 2.
If you've lost your app key and need to get a copy of it, you can use your PIN, and hence VESkey,
to retrieve a copy of it from your encrypted primary vault. Your PIN, in conjunction with VESlocker,
decrypts the copy of your VESkey stored in the local storage of your browser on any
of your browser/devices that have been enabled with your VES account.
Simply go to VESvault.com, select the appropriate account
and then enter the PIN. From there you can use the drop down
menu to view your keys and copy the lost app key to repaste it back into the app. It's that
simple and takes about as much time to do as it takes to read this paragraph.
But, what if you forgot your PIN, or you lost all your devices, or somehow the local storage of
the browsers of all your devices has been erased? Then it's on to the next level, VESrecovery,
which is level 3 and was already addressed above.
In the very improbable event that you got to VESrecovery and it did not work, then you can
go to level 4.
When it comes to encryption, you should ALWAYS have paper copies of your VESkey and app keys
stored safely in one or more separate locations. Write them down on paper and
put them some place safe.
Never store an electronic version of your encryption keys
on your devices because your computer, phone
or tablet might get backed up to the cloud.
If it does, there will be a readable copy of your keys in the cloud.
That's very bad. If you really must have an electronic copy, store
your keys on a thumb drive that never gets backed up to the cloud.
VES uses open source, industry standard encryption algorithms,
which have never been known to have been hacked.
Your VESkey is the master key required to decrypt all of your encrypted content in your primary VESvault.
The only place your VESkey resides is the local storage of the browsers on each of your
devices that have been enabled with your VES account. There are no other copies of your
VESkey, anywhere. It is not shared with anyone, including VESvault Corp.
Your VESkey is stored similarly to how your passwords to various websites are stored in your browser,
but it is also encrypted with your PIN for extra security. Without your PIN, your VESkey is inaccessible.
For added security to guard against multiple PIN hacking attempts, your PIN works with a special component
that resides in our innovative VESlocker in the cloud. By itself, this component is useless in decrypting
your VESkey.
All encryption and decryption occurs on the same local device on which the VESkey is stored, achieving
full end-to-end encryption.
VESrecovery is a breakthrough innovation of a highly reliable way
to recover encrypted content if the master key is lost or inaccessible,
without creating the risk of collusion from friends who have tokens
that can be combined to construct an encryption key. It eliminates the collusion
backdoor that otherwise dilutes the security of end-to-end encryption.
The cornerstone that enables VESrecovery to mitigate collusion risk
is the use of a shadow vault and shadow key.
The shadow vault is a mirror image of the content in the primary vault, but with the
critical distinction that it is not encrypted by the VESkey but rather by
the shadow key. The VESkey cannot decrypt the shadow vault and the shadow
key cannot decrypt the primary vault. The shadow key is encrypted by the recovery key.
Using a process similar to Shamir's, the recovery key is converted into a series of tokens,
each of which is useless by itself in reconstructing the recovery key. A pre-defined
number of these tokens must be used collectively to reconstruct the recovery key.
The best way to show that the collusion risk is neutralized is to walk through
the path a collusion hack would have to take to be successful.
The first barrier is that this risk is limited to the small number of people
that you personally know and selected as friends to help you in VESrecovery.
What are the odds that two or more of the ten or so of these trusted friends
actually have nefarious intentions towards you?
The second barrier is that if you've set up VESrecovery properly, it takes tokens from
multiple friends to recreate the recovery key. How would one nefarious person, mistakenly selected by you,
identify who your other friends are? That information is not
available to them through VESvault. That person would then have to risk reaching out to sway your other friends to take part
in this plot against you, because it can't be a pre-arranged team.
The third barrier is that even if they were technically competent enough to reconstruct your recovery key,
it is useless to them. Your recovery key is different from your VESkey, so it is useless in
decrypting any of the contents of your primary vault.
It's also useless in decrypting your shadow vault because the shadow key is needed for that.
Thus, they need your encrypted shadow key along with your encrypted shadow vault and the only way to do
that is a backend hack into the VESvault system. That backend hack is the third barrier to this
collusion risk path. For security reasons, we don't disclose our internal security measures,
so let's just say that we use state-of-the-art security measures
in terms of protecting the encrypted content in VESvault.
Even if a hacker were to get access to one of your devices, they could
not gain access to your primary vault without your PIN. Assuming they don't
know it, the only way to get it would be brute-force guessing over multiple attempts.
VESlocker ensures this can't happen. VESlocker shuts down
access after multiple failed PIN entries. Since VESlocker holds a critical piece
that is necessary in use with your PIN to decrypt your VESkey, the hacker cannot
gain access to your VESkey without VESlocker approval. Thus, a front door hack of using
your PIN on your VES enabled device is mitigated.
VESlocker essentially creates hardware-level PIN access security for software. So, we
made it open source so that other SaaS providers can benefit from this technology.
Security Time Delay is a breakthrough innovation that actually
gives you the ability to stop any front door hack in progress, before the attack
can be completed. You don't have to rely on technology to stop the hack. It puts you in control!
Security Time Delay was an essential design aspect in
the creation of the shadow vault. It is complementary to VESlocker in that while VESlocker
blocks a front door hack by a bad actor attempting to gain access to your primary vault via
your PIN, Security Time Delay blocks the end around approach of a hacker who may or may not
have access to one of your devices but is bypassing the PIN process by initiating VESrecovery
on behalf of your account.
When you set up your VESrecovery settings you specify the duration of your Security Time Delay.
This safeguard delays transmitting the encrypted contents of your shadow vault until the time duration expires.
Whenever VESrecovery is initiated for your account, an email alert is sent to your email address notifying
you and giving you the option to stop the process by entering your PIN if you did not initiate it.
As long as you have access to one of your devices that is both VES enabled and receives email, you
will get the alert and be able to stop the hack.
You should set the time delay a little longer than the
worst-case time duration between occurrences of accessing your email account.
For instance, 12 hours may be sufficient since it more than covers the amount of time
you're asleep. Or, perhaps a day or two or even a week or so would be better if you're off grid
for a number of days. Since it's user adjustable, you can set the ideal duration for you.
Try changing numbers in the yellow boxes to see the estimated probability of VESrecovery.
[Interactive calculator. For each level it reports the total people in your network and the Odds Of Losing Your Data, shown as "1 in" a computed number.]
Level 0: Just You
Level 1: + Your Friends
Level 2: + Your Friends' Friends
Level 3: + Your Friends' Friends' Friends
Level 4: + Your Friends' Friends' Friends' Friends
Level 5: + Your Friends' Friends' Friends' Friends' Friends
L is defined as Level.
Disclaimer: The probabilities generated in this calculator are estimates only. The
calculator cannot and does not represent or guarantee the true probability of key
loss or VESrecovery. Factors affecting reliability include, but are not limited to: the number of friends
in the network, the number of friends chosen by each user to achieve VESrecovery, the number of connected devices,
and the probability that any individual user will not lose their VESkey. The actual
level of reliability is completely determined by each individual user's VES network and
VESvault Corp makes no representations or guarantees about the reliability of VES
recovery for any individual's VES network. VESvault Corp cannot assist in setting up a VES network
nor can it recover any lost content or VESkeys.