
Can Rumus See My Data?

Rumus · February 5, 2026 at 12:39 PM
Question

No. Not now, not ever.

This document explains how Rumus protects your sensitive data—SSH credentials, server configurations, and everything else in your vault—using end-to-end encryption. Even when your data syncs to the cloud, Rumus cannot read it.


The Short Answer

Your data is encrypted on your device before it ever leaves. Rumus servers only store ciphertext—scrambled data that's meaningless without your Secret Key. We don't have your key. We can't decrypt your data. It's mathematically impossible.


Our Security Principles

You Hold the Keys

Your Secret Key never leaves your device. It's not uploaded, not escrowed, not recoverable by us. This is a deliberate design choice: if we can't access your keys, we can't be compelled to hand them over, and a server breach exposes nothing useful to attackers.

Encryption is Not Optional

Every piece of sensitive data is encrypted before storage. There's no "unencrypted mode," no exceptions, no shortcuts. This applies to local storage and cloud sync alike.

The Server is Blind

Our server is designed as "blind storage." It receives ciphertext, stores ciphertext, and returns ciphertext. It never sees plaintext, never holds keys, and never participates in decryption. Even our own engineers cannot read your data.

Transparency Through Standards

We use well-established, peer-reviewed cryptographic algorithms—not proprietary or experimental schemes. Every component is open-source and auditable.


How It Works

Your Secret Key

When you set up Rumus, a 256-bit Secret Key is generated using a cryptographically secure random number generator. This key is the root of all encryption in your vault.

The key is formatted for readability and backup:

XX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX

Keep this key safe. If you lose it and your PIN, your data cannot be recovered—by you or by us.

Your PIN

For daily use, you unlock your vault with a short PIN. Behind the scenes:

  1. Your Secret Key is stored in a Stronghold secure container

  2. The PIN unlocks Stronghold, which releases the Secret Key

  3. The Secret Key decrypts your vault

This gives you the convenience of a PIN with the security of a 256-bit key.

The Encryption

All vault data is encrypted using XChaCha20-Poly1305, an authenticated encryption algorithm that provides both confidentiality and integrity protection.

Why XChaCha20-Poly1305?

| Property | Benefit |
|---|---|
| 256-bit key | Computationally infeasible to brute-force |
| 192-bit nonce | Safe to generate randomly without collision risk |
| Authenticated encryption | Detects any tampering with ciphertext |
| Constant-time execution | Resistant to timing side-channel attacks |
| No hardware dependency | Performs well on all devices |


What Happens When You Sync

sequenceDiagram
    autonumber
    participant D1 as 💻 Original Device
    participant Cloud as ☁️ Rumus Server (Blind Storage)
    participant D2 as 📱 New Device

    Note over D1: 1. Locally Encrypt data<br/>with your Secret Key
    D1->>Cloud: 2. Upload ciphertext
    
    Note right of Cloud: Encrypted data stored.<br/>Rumus cannot see your content.
    
    Note over D2: 3. Authentication & Request
    Cloud->>D2: 4. Download ciphertext
    
    Note over D2: 5. Decrypt locally<br/>using the same Secret Key

The server never sees your Secret Key. It cannot decrypt the data it stores. All encryption and decryption happens exclusively on your device.


What If...

...Rumus servers are breached?

Attackers would obtain only ciphertext. Without your Secret Key, this data is computationally indistinguishable from random noise.

...a Rumus employee goes rogue?

They have the same access as an external attacker: ciphertext only. The architecture doesn't include any backdoors, master keys, or recovery mechanisms that could be abused.

...someone steals my device?

Your Secret Key is protected by Stronghold, which encrypts it using your PIN. Stronghold provides:

  • Memory encryption while running

  • Automatic memory zeroing

  • Encrypted snapshots on disk

  • Brute-force protection with attempt limiting

...I forget my PIN?

You can reset your PIN using your Secret Key. This is why backing up your Secret Key is essential.

...I lose my Secret Key?

If you also lose access to a device with your vault unlocked, your data cannot be recovered. We cannot help you—we don't have your key.


Technical Deep Dive

Key Storage: Stronghold

Stronghold is a secure storage library developed by the IOTA Foundation. It's specifically designed to protect cryptographic keys with:

  • In-memory encryption of sensitive data

  • Automatic zeroing when data is released

  • Process isolation for key operations

  • Cross-platform consistency


The Bottom Line

Rumus is built on a simple premise: your secrets should be yours alone.

We use proven cryptographic algorithms (XChaCha20-Poly1305), secure key storage (Stronghold), and a zero-knowledge server architecture to ensure that your data remains private—even from us.

When you sync your vault to the cloud, you're not trusting Rumus with your data. You're trusting mathematics. And mathematics doesn't have employees who can be bribed, servers that can be subpoenaed, or policies that can change.

Your keys. Your data. Always.

2 replies 201 views
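
The Secret Key generation and backup format described under "Your Secret Key", as an added example that is not part of the original post and is not Rumus's code. It assumes the 52 characters of the template are unpadded RFC 4648 base32 of the 32 key bytes (the post shows only the grouping), and the function names are hypothetical.

```python
import base64
import binascii
import secrets

# Grouping copied from the post's template.
# ASSUMPTION: the alphabet is RFC 4648 base32; the post does not say.
TEMPLATE = "XX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX"
GROUPS = [len(g) for g in TEMPLATE.split("-")]
KEY_BYTES = 32  # 256-bit Secret Key


def generate_key() -> bytes:
    """Draw the key from the OS CSPRNG (never from the random module)."""
    return secrets.token_bytes(KEY_BYTES)


def format_key(raw: bytes) -> str:
    """Encode 32 bytes as base32 and group the characters like TEMPLATE."""
    if len(raw) != KEY_BYTES:
        raise ValueError("Secret Key must be exactly 32 bytes")
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    out, pos = [], 0
    for size in GROUPS:
        out.append(text[pos:pos + size])
        pos += size
    return "-".join(out)


def parse_key(backup: str) -> bytes:
    """Strictly parse a typed-in backup key; reject anything non-canonical."""
    parts = backup.strip().upper().split("-")
    if [len(p) for p in parts] != GROUPS:
        raise ValueError("wrong grouping or length")
    text = "".join(parts)
    try:
        raw = base64.b32decode(text + "=" * (-len(text) % 8))
    except binascii.Error as exc:
        raise ValueError("invalid character in key") from exc
    # The characters carry a few more bits than the key needs. Those spare
    # bits must be zero, otherwise two different backup strings would be
    # accepted for the same key, so re-encode and compare.
    if format_key(raw).replace("-", "") != text:
        raise ValueError("non-canonical encoding")
    return raw
```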

2 Replies

MMM 2/9/2026

This is so cool.

Robot 2/12/2026

OK I Know