← All guides

Encrypted Backup (.avbk format)

3-minute read · v1.2 · Free, Pro, & Collector+

AssetVault is offline-first — your inventory lives on your device. But devices break, get stolen, or get replaced. Encrypted Backup wraps your full vault in a password-protected file you can safely upload to iCloud, Google Drive, Dropbox, or attach to email. The password never leaves your device. AssetVault cannot decrypt it. Neither can anyone else.

How it's encrypted

Each .avbk file is an envelope built from three primitives:

• AES-256-CBC — AES with a 256-bit key in cipher-block-chaining mode. Industry-standard symmetric encryption.
• PBKDF2-SHA256, 100,000 iterations — turns your password into the encryption key. The 100K iterations slow down brute-force attacks by 5+ orders of magnitude.
• HMAC-SHA256 — authenticates the ciphertext so a tampered backup file fails to decrypt instead of producing garbage.

The encrypt-then-MAC envelope means even one byte changed in the file causes restore to fail cleanly. No partial decryption, no silent corruption.

Why we chose this design

The brand pillar is "we can't leak what we don't have." Encrypted Backup extends that to your cloud storage too:

• You set the password. AssetVault never sees it. We don't store it anywhere — not even hashed.
• No master key. There's no AssetVault-side recovery flow. If iCloud / Dropbox / your phone all fail at once, we can't help. Save the password the way you save your most important records.
• The password is held in component state during the modal flow only, then discarded when the modal unmounts. It's not persisted to SecureStore, not written to logs.

Make a backup

1. Open Settings → Encrypted Backup (recommended for cloud).
2. Type a password. Make it long (15+ chars), unique to this backup, and write it down somewhere offline.
3. Confirm the password. AssetVault generates the .avbk file and hands it to your share sheet.
4. Pick where to save: Files (local), iCloud Drive, Google Drive, Dropbox, email to yourself, AirDrop to a Mac, etc.
5. The success toast confirms the backup ("Vault backed up — 247 items, 18.4 MB"). Item count + file size lets you verify the export captured everything.

Restore from a backup

1. Install AssetVault on the new device.
2. Settings → Restore. Pick the .avbk file from your share sheet.
3. AssetVault detects the encrypted format and prompts for the password.
4. Type the password. Wrong password? AssetVault refuses to decrypt and re-prompts — the file picker stays cached so you don't pick it again.
5. Right password? Your full vault restores. Item count appears in the success toast.

Encrypted vs cleartext backup

Settings has two backup options:

• Backup (JSON) — cleartext export for same-device round-trip. Smaller file, faster, but DON'T upload it anywhere because anyone who finds the file can read your inventory.
• Encrypted Backup (.avbk) — password-protected. Recommended for any cloud storage, email, or sharing across devices.

If you're moving to a new phone or want the safety net of a cloud-stored backup, use the .avbk path.

What's in a backup

A .avbk file contains your full vault metadata: every item, every value, every condition, every score, every reminder, every loan, every maintenance log, every condition-timeline entry, every flag-check history record, every wishlist entry. It does not contain image binaries — only file references. For full migration including photos, use Settings → Full Export (ZIP), which bundles everything but isn't encrypted (yet).

Threat model

Encrypted Backup defends against:

• Cloud storage breach (iCloud / Dropbox / Drive). The attacker gets ciphertext + a 100K-iteration PBKDF2 derivation in the way of every guess.
• Lost phone with the .avbk file in iCloud. New phone restores from the backup with your password.
• Accidental email forward. The recipient can't open the file without the password.

It does not defend against:

• A password you wrote in plaintext next to the backup file.
• An attacker with months of compute and a weak password (8 chars all lowercase). 15+ char passwords with mixed case, numbers, symbols are practically uncrackable.
• Loss of the password. There's no backdoor.

Get AssetVault More guides