Elmiva Vault
Sign in

Security / Architecture

Why Vault Uses UI Locking Instead of Client-Side Encryption

A lock screen is not encryption. That does not make it useless. It makes naming the boundary correctly the difference between a helpful control and a dangerous misunderstanding.

May 10, 2026 11 min read Security / Architecture Dawid Senko Dawid Senko Founder & Engineer at Elmiva Vault

The Problem Is the Open Browser

Some security problems are not grand cryptographic failures. They are ordinary human ones. A laptop is open in a meeting room. A screen share continues after the sensitive part of the call. A developer steps away with a secret reveal panel still visible. Someone copies a value and forgets the clipboard exists.

Vault's master password feature is built for that class of problem. The feature adds friction around accidental exposure inside an already authenticated browser session. It can require a local unlock before sensitive UI flows render normally, automatically lock again after inactivity, and provide a manual lock action when a user steps away.

This is useful. It reduces accidental exposure in the browser session and makes reveal and copy workflows less casually available. It is also deliberately not presented as the thing it is not.

What It Does Not Protect

The master password does not encrypt Vault data in the browser. It is not backend authorization. The server continues to trust the authenticated session and enforce its normal permission model independently of the UI lock state.

That distinction is central to the architecture rather than a small disclaimer. Backend security comes from authenticated sessions, workspace boundaries, resource permissions, envelope encryption, rate limiting, and audit logs. UI locking controls local interaction state. Mixing those concepts would make the product sound stronger while making operators less precise.

Why Not Client-Side Encryption Here?

Client-side encryption is a valid architecture for some products. It is also a product commitment, not a label you can add after the fact. If the browser owns the only decryption key, collaboration changes shape: server-side workflows lose context, automation needs new protocols, and audit semantics become harder to make honest.

Vault chooses a server-side collaboration model. The backend can enforce workspace membership, manage resource permissions, support rotation workflows, and produce structured audit events. Secrets are encrypted at rest with per-secret data keys wrapped by Google Cloud KMS. That is a different security boundary than end-to-end client encryption.

The tradeoff is real. Client-side encryption can reduce server trust for certain payloads. Server-side workflows can make collaborative operations, auditability, and managed rotation more practical. Pretending to have both without the complexity of both is the dangerous middle. Vault avoids that by calling the master password what it is: a UI gate.

Auto-Lock and Clear Behavior

Auto-lock is useful because unattended browsers are common. Vault supports lock behavior after inactivity, a manual lock action, and a reset path for users who forget the master password. Those controls belong to local session hygiene: making an open tab less casually usable and making the lock state explicit.

That matters because local exposure is practical. A lock-now action before handing a laptop to someone else is valuable. Auto-lock can prevent a forgotten tab from lingering on a shared machine. Clearing local unlock state reduces the chance that a stale browser session remains casually usable.

They do not replace secret rotation after a leak, revoking workspace membership, removing a secret permission, or changing the identity-provider session state. The correct control depends on the failure mode. If the value was copied, rotate it. If the person should no longer be in the team, remove workspace access. If the browser was left open, lock the UI.

Honest Boundaries Are Safer

The most dangerous security control is one whose name teaches the wrong response. If a user believes the master password is backend authorization, they may think locking the UI protects against API access from an already valid token. If they believe it is client-side encryption, they may think a server-side compromise cannot expose decrypted values handled by the backend. Those are different threat models.

Vault's safer position is narrower. The master password gates the local UI. Backend APIs enforce JWT and permission checks. Encrypted secret values are protected through KMS-backed envelope encryption. Secret reads are audited. Workspace boundaries decide collaboration scope. Each control has a job.

Use the Right Control During an Incident

Consider three incidents that look similar in chat but require different responses. A user left the app open on a conference room screen. Locking and auto-lock are the relevant controls. A contractor copied a restricted token before offboarding. Rotation, permission review, workspace membership cleanup, and audit review matter. A browser token was stolen. Identity session handling and backend authorization become central.

A product that calls everything "locked" blurs those responses. A product that names boundaries precisely helps operators choose the right move while the situation is still unfolding. That is why Vault's UI locking article is as much about language as implementation.

The conclusion is opinionated: a useful local control does not need to pretend to be cryptography. It should be sharp, visible, and honest. Security improves when each layer is allowed to be exactly what it is.