ARCA

Security & encryption

How Arca actually keeps photos private

Most “vault” apps hide your photos behind a password while the files stay readable on disk. Arca encrypts them, with verifiable cryptography and nothing stored on any server. Here's exactly how.

Per-file encryption

Every photo and video gets its own random AES-256-GCM data key. Files are encrypted in 128 KiB chunks with counter nonces and additional authenticated data (AAD) binding each chunk to its position, so tampering is detectable.
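What that chunk scheme looks like in working code, as an added illustration (this is not Arca's code; it uses the Python `cryptography` package, and the exact nonce layout, the AAD layout with a final-chunk flag, and the 16-byte file id are assumptions, since the page states only the chunk size, counter nonces and position-binding AAD):

```python
"""Chunked AES-256-GCM with counter nonces and position-binding AAD (added example)."""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CHUNK_SIZE = 128 * 1024  # 128 KiB chunks, as described on the page


def chunk_nonce(index: int) -> bytes:
    # Counter nonce: the 96-bit big-endian chunk index. This is safe only because
    # every file has its own random data key, so a (key, nonce) pair never repeats.
    return index.to_bytes(12, "big")


def chunk_aad(file_id: bytes, index: int, is_last: bool) -> bytes:
    # AAD binds the chunk to its file and position; the final-chunk flag makes
    # silent truncation detectable. Layout is an assumption, not Arca's format.
    return file_id + struct.pack(">QB", index, int(is_last))


def encrypt_file(data_key: bytes, file_id: bytes, plaintext: bytes,
                 chunk_size: int = CHUNK_SIZE) -> list[bytes]:
    """Return the ciphertext chunks; each carries its own 16-byte GCM tag."""
    aead = AESGCM(data_key)
    pieces = [plaintext[i:i + chunk_size]
              for i in range(0, len(plaintext), chunk_size)] or [b""]
    return [aead.encrypt(chunk_nonce(i), p, chunk_aad(file_id, i, i == len(pieces) - 1))
            for i, p in enumerate(pieces)]


def decrypt_file(data_key: bytes, file_id: bytes, chunks: list[bytes]) -> bytes:
    """Decrypt chunk by chunk. A reordered, replaced, foreign or dropped chunk
    fails its tag check and raises InvalidTag before any plaintext is returned."""
    aead = AESGCM(data_key)
    out = bytearray()
    for i, c in enumerate(chunks):
        out += aead.decrypt(chunk_nonce(i), c, chunk_aad(file_id, i, i == len(chunks) - 1))
    return bytes(out)


def is_intact(data_key: bytes, file_id: bytes, chunks: list[bytes]) -> bool:
    try:
        decrypt_file(data_key, file_id, chunks)
        return True
    except InvalidTag:
        return False


def new_data_key() -> bytes:
    return os.urandom(32)  # one fresh AES-256 key per file


def demo() -> dict:
    # Constructed sample input: a 300 KiB "photo" of repeating bytes -> 3 chunks.
    key, file_id = new_data_key(), os.urandom(16)
    photo = bytes(range(256)) * 1200
    chunks = encrypt_file(key, file_id, photo)
    swapped = [chunks[1], chunks[0], chunks[2]]
    return {
        "chunk_count": len(chunks),
        "round_trip": decrypt_file(key, file_id, chunks) == photo,
        "swapped_chunks_detected": not is_intact(key, file_id, swapped),
        "truncation_detected": not is_intact(key, file_id, chunks[:2]),
        "wrong_file_detected": not is_intact(key, os.urandom(16), chunks),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the AAD is the last three checks in `demo()`: because each chunk's authenticated data includes the file id, the chunk index and whether it is the final chunk, swapping two chunks of the same file, cutting the file short, or grafting a chunk from another vault entry all fail authentication even though every individual chunk is valid ciphertext.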

Key derivation (Argon2id)

Your PIN is never stored. It's run through Argon2id (64 MiB memory cost) to derive a key-encryption key, which wraps the vault master key. Brute-forcing is deliberately slow and memory-hard.

Secure Enclave biometrics

Face ID / Touch ID unlock is backed by the Secure Enclave using a key bound to your current biometric set — change your face/fingerprint enrollment and the biometric path re-locks.

Encrypted thumbnails & metadata

Previews and the metadata manifest are encrypted too — sealed with a key derived from the vault master key. Even the grid you scroll is decrypted in memory, not read from plaintext on disk.

Streaming video decrypt

Videos play through a resource loader that decrypts on the fly. Full-resolution clips are never written to disk in the clear, not even to a temporary cache.

No server, by design

There is no account, no sync backend, and no telemetry on your media. The master key exists in plaintext only in memory, only while the vault is unlocked.

The key path

From your PIN to your photos

  1. You enter your PIN. It is never stored or sent anywhere.
  2. Argon2id (memory-hard) turns the PIN into a key-encryption key (KEK).
  3. The KEK unwraps the Vault Master Key (VMK), which lives only in memory.
  4. Each file's individual AES-256 data key is unwrapped from the VMK on demand.
  5. Photos, thumbnails, and metadata are decrypted in memory as you browse — never to disk.
  6. Lock the app and the VMK is wiped from memory. Without your PIN, the vault is just ciphertext.
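The six steps above, plus the thumbnail/metadata key derived from the VMK described earlier, as one added example (not Arca's code; Python with the `cryptography` package). The page states only the algorithms and the 64 MiB Argon2id memory cost; the Argon2id iteration and lane counts, the use of AES-GCM as the key-wrapping primitive, the HKDF derivation of the metadata key, and all labels and file ids are assumptions. The scrypt branch is a portability stand-in used only when the local build lacks Argon2id; it is not the page's KDF:

```python
"""PIN -> Argon2id -> KEK -> VMK -> per-file data keys (added example)."""
import hashlib
import os

from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

ARGON2_MEMORY_KIB = 64 * 1024  # 64 MiB memory cost, as stated on the page


def derive_kek(pin: str, salt: bytes) -> bytes:
    """Step 2: memory-hard KDF from the PIN to a 32-byte key-encryption key."""
    try:
        from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
        return Argon2id(salt=salt, length=32, iterations=3, lanes=4,  # assumed t and p
                        memory_cost=ARGON2_MEMORY_KIB).derive(pin.encode())
    except (ImportError, UnsupportedAlgorithm):
        # Stand-in only: scrypt is also memory-hard (64 MiB here) but is NOT
        # Arca's KDF. Taken when cryptography/OpenSSL has no Argon2id.
        return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 16, r=8, p=1,
                              maxmem=256 * 1024 * 1024, dklen=32)


def wrap(wrapping_key: bytes, key: bytes, label: bytes) -> bytes:
    # AES-GCM as the wrap primitive (assumed); label is AAD so a wrapped key
    # cannot be swapped into a different slot.
    nonce = os.urandom(12)
    return nonce + AESGCM(wrapping_key).encrypt(nonce, key, label)


def unwrap(wrapping_key: bytes, blob: bytes, label: bytes) -> bytes:
    return AESGCM(wrapping_key).decrypt(blob[:12], blob[12:], label)


def create_vault(pin: str) -> dict:
    """The persisted vault header: nothing in it is secret on its own."""
    salt, vmk = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_vmk": wrap(derive_kek(pin, salt), vmk, b"vmk"),
            "wrapped_data_keys": {}}  # file_id -> data key wrapped under the VMK


def unlock(vault: dict, pin: str) -> bytearray:
    """Steps 1-3. The VMK is returned in a mutable buffer so lock() can wipe it."""
    kek = derive_kek(pin, vault["salt"])
    return bytearray(unwrap(kek, vault["wrapped_vmk"], b"vmk"))  # wrong PIN -> InvalidTag


def lock(vmk: bytearray) -> None:
    """Step 6: overwrite the in-memory VMK; what remains on disk is ciphertext."""
    for i in range(len(vmk)):
        vmk[i] = 0


def add_file(vault: dict, vmk: bytearray, file_id: bytes) -> bytes:
    data_key = os.urandom(32)  # per-file AES-256 key
    vault["wrapped_data_keys"][file_id] = wrap(bytes(vmk), data_key, file_id)
    return data_key


def file_key(vault: dict, vmk: bytearray, file_id: bytes) -> bytes:
    """Step 4: unwrap one file's data key on demand."""
    return unwrap(bytes(vmk), vault["wrapped_data_keys"][file_id], file_id)


def metadata_key(vmk: bytearray) -> bytes:
    # Thumbnail/manifest key derived from the VMK (HKDF-SHA256; assumed construction).
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"arca-metadata").derive(bytes(vmk))


def change_pin(vault: dict, old_pin: str, new_pin: str) -> None:
    """Re-wrap the VMK only; wrapped data keys, and therefore the media, are untouched."""
    vmk = unlock(vault, old_pin)
    vault["salt"] = os.urandom(16)
    vault["wrapped_vmk"] = wrap(derive_kek(new_pin, vault["salt"]), bytes(vmk), b"vmk")
    lock(vmk)


def can_unlock(vault: dict, pin: str) -> bool:
    try:
        lock(unlock(vault, pin))
        return True
    except InvalidTag:
        return False
```

Two design points carry the page's invariants: `change_pin` rewrites only `wrapped_vmk` (the dictionary of wrapped data keys is byte-for-byte identical afterwards), and there is no recovery path, because a wrong PIN simply fails the GCM tag check in `unlock` and nothing else on disk can reproduce the VMK.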

Promises we don't break

Security invariants

  • No plaintext media bytes ever touch disk — including thumbnails, caches, and temp files.
  • Your PIN is never stored anywhere; only a memory-hard derived key wraps the vault.
  • Changing your PIN re-wraps the master key only — your photos are never re-encrypted or exposed.
  • Exports and backups are explicit actions you take. Nothing auto-uploads, ever.
  • A lapsed subscription never locks you out of photos you've already imported.

FAQ

Security questions

What encryption does Arca use?

AES-256-GCM for content, with a unique data key per file, counter nonces, and additional authenticated data (AAD) per chunk. Keys are derived from your PIN using Argon2id (64 MiB memory cost), and the biometric path is backed by the Secure Enclave.

Can Arca (or anyone) recover my vault if I forget my PIN?

No. Arca is zero-knowledge — your PIN is the only key and it's never stored or transmitted. We cannot reset it or read your vault. Keep an encrypted backup and remember your PIN.

Does any photo data leave my device?

No. Arca has no server and no account. Backups and exports only happen when you explicitly create them, and the backup file is encrypted before it leaves the app.

Your photos. Truly private.

Download Arca and lock your first photos away in under a minute. No account, no cloud, no one but you.

Free to download · iPhone · iOS 18+