How ntkMobile works.

Four steps. Zero plaintext leaves the device. No dumbing down.

Create a vault

Name it.
Set a password.

A 256-bit vault key is generated locally. It is wrapped with your password using PBKDF2 + HKDF and stored encrypted on-device. The key never leaves. Not for setup, not ever.

[ntk] vault_key = random_256bit()
[ntk] salt = random_16byte()
[ntk] wrapping_key = PBKDF2(password, salt)
[ntk] stored_key = AES_GCM_wrap(vault_key)
[ntk] server_transmission = none
status vault created · key local
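
The wrapping step above, sketched in Node.js as an added example; it is not ntkMobile's code. The page names PBKDF2, HKDF and AES-GCM only, so the iteration count, SHA-256, the HKDF info label, the PBKDF2-then-HKDF chaining and the record layout are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed parameters: the page gives no iteration count, hash or HKDF label.
const PBKDF2_ITERATIONS = 600000;
const HKDF_INFO = Buffer.from('example-vault-key-wrap'); // hypothetical label

// Password -> PBKDF2 (slow stretch) -> HKDF (purpose-bound 256-bit wrapping key).
function deriveWrappingKey(password, salt) {
  const stretched = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
  const key = Buffer.from(crypto.hkdfSync('sha256', stretched, salt, HKDF_INFO, 32));
  stretched.fill(0); // drop the intermediate secret
  return key;
}

// Generate a random 256-bit vault key; only `record` is meant to be persisted.
function createVault(password) {
  const vaultKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const wrappingKey = deriveWrappingKey(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', wrappingKey, nonce);
  cipher.setAAD(salt); // bind the salt to the wrapped blob
  const wrapped = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  const record = { salt, nonce, wrapped, tag: cipher.getAuthTag() };
  wrappingKey.fill(0);
  return { vaultKey, record };
}

// Unwrap the stored key. Returns null when the password is wrong or the
// record was modified, because the GCM tag check fails in both cases.
function unlockVault(password, record) {
  const wrappingKey = deriveWrappingKey(password, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', wrappingKey, record.nonce);
  decipher.setAAD(record.salt);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
  } catch (err) {
    return null;
  } finally {
    wrappingKey.fill(0);
  }
}
```

A wrong password and a tampered record are indistinguishable to the caller here: both surface as a failed authentication tag, so no partial key material is ever returned.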

Connect a provider

Choose your cloud backend.

S3, OneDrive, Dropbox, Azure Blob, WebDAV, Google Drive, pCloud, MinIO — configure via OAuth or credentials. Provider secrets are encrypted with the vault key before storage. The vault key never leaves the device.

[rclone] provider = s3
[rclone] endpoint = configured
[ntk] secret = encrypted(vault_key)
[ntk] plaintext_in_memory = false
[ntk] plaintext_at_rest = false
status provider ready · secrets encrypted

Upload a file

Encrypt locally.
Upload ciphertext.

Files are encrypted with AES-256-GCM on-device before any network request. The cloud provider receives only ciphertext — no plaintext, no metadata that reveals content. Authentication on every request is DPoP-bound to your device key.

[ntk] plaintext = read(local_file)
[ntk] nonce = random_12byte()
[ntk] ciphertext = AES_GCM_encrypt(plaintext)
[ntk] plaintext = zeroized()
[ntk] upload(ciphertext) → provider
cloud sees ciphertext only

Access anywhere

Download.
Decrypt on demand.

Files are downloaded and decrypted in memory when you open them. Temporary local copies are managed by the Zero Trust TTL sweep — unpinned files are automatically removed after the configured timeout. Nothing lingers on-device.

[ntk] ciphertext = download(provider)
[ntk] plaintext = AES_GCM_decrypt(ciphertext)
[ntk] open_with(app, plaintext)
[ntk] session_end → zeroize(plaintext)
[ntk] ttl_sweep → remove(local_copy)
after TTL nothing on device
