NFC Encrypted Backup — Your Master Key on a Physical Tag
What if you could store your encrypted master key onto a tiny physical tag — and recover your vault on a new device with a single tap? That's exactly what VaultKeepR's NFC Encrypted Backup does. No cloud recovery. No "forgot password" email. Just cryptography and physics.
The Problem With Recovery Flows
Every major password manager relies on a centralized server for recovery. That creates multiple risks:
- Email-based recovery is a weak link. If your email is compromised, your vault is compromised.
- Servers store recovery tokens. Breaches at LastPass, Norton, and OneLogin have exposed encrypted data that can be brute-forced over time.
- You depend on the company. If the service shuts down or suffers an outage, your recovery path disappears.
VaultKeepR takes a different approach: your recovery key lives in your pocket, not on someone else's server.
What's Actually Stored on the NFC Tag?
Let's be precise: the NFC tag does not store your entire vault. It stores your encrypted master password (or biometric/Passkey-derived key). This is the secret that unlocks your vault — which itself lives on your device or on IPFS.
Think of it like a physical house key: the key opens the door, but it doesn't contain the house.
NFC Tag = Encrypted Master Key
Device / IPFS = Encrypted Vault
Master Key → Decrypts → Vault
The tag contains a single NDEF record with this structure:
┌──────────┬─────────────┬─────────────────────────────┐
│ Header   │ Nonce       │ Ciphertext                  │
│ "vk3:"   │ 24 bytes    │ Encrypted master key        │
└──────────┴─────────────┴─────────────────────────────┘
- Header: A magic identifier (vk3: or vk2:) that tells VaultKeepR this is a valid backup.
- Nonce: A unique 24-byte random value generated for each backup. Even if you write the same key twice, the ciphertext is completely different.
- Ciphertext: Your master password encrypted with XChaCha20-Poly1305. Without the decryption key, this is indistinguishable from random noise.
The Three-Factor Security Model
Here's the critical design decision: the NFC tag alone is completely useless. Decrypting the master key requires three independent factors:
| Factor | What It Is | Where It Lives |
|---|---|---|
| 1. Physical NFC tag | Nonce + ciphertext | In your pocket |
| 2. Device secret | 32-byte random key | Device Keychain (biometric-protected) |
| 3. PIN code | User-chosen digits | Your memory |
The encryption key is derived using HKDF-SHA256:
key = HKDF-SHA256(deviceSecret, salt = PIN, info = "vaultkeepr-nfc-v2")
Someone who finds your NFC tag gets nothing — they'd also need your specific device's secret AND your PIN. And the device secret itself is locked behind biometric authentication (Face ID / Touch ID).
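The derivation above, written out as an added example (not VaultKeepR's own code): HKDF-SHA256 per RFC 5869 using only the Python standard library, with the page's salt and info parameters. How the PIN is encoded before it is used as salt is not stated on the page, so ASCII digits are assumed, and `derive_tag_key` is a hypothetical name.

```python
import hashlib
import hmac
import secrets

INFO = b"vaultkeepr-nfc-v2"  # info string quoted on the page
HASH_LEN = 32                # SHA-256 output size in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be 1..8160 bytes")
    # Extract: an empty salt is replaced by HASH_LEN zero bytes.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_tag_key(device_secret: bytes, pin: str) -> bytes:
    """key = HKDF-SHA256(deviceSecret, salt = PIN, info = "vaultkeepr-nfc-v2")."""
    if len(device_secret) != 32:
        raise ValueError("device secret must be 32 bytes")
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must consist of ASCII digits")
    # Assumption: the PIN enters HKDF as its ASCII digits (not stated on the page).
    # HKDF is fast, not a password-stretching KDF: the key's strength rests on the
    # 32-byte device secret, and an n-digit PIN adds at most log2(10**n) bits.
    return hkdf_sha256(device_secret, pin.encode("ascii"), INFO)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed stand-in for the Keychain secret
    key = derive_tag_key(secret, "493817")  # constructed PIN
    print("same factors, same key:", key == derive_tag_key(secret, "493817"))
    print("wrong PIN, other key:  ", key != derive_tag_key(secret, "493818"))
    print("other device, other key:", key != derive_tag_key(secrets.token_bytes(32), "493817"))
```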
How It Works — Step by Step
Writing a Backup (2 seconds)
- VaultKeepR takes your master password (or Passkey/PRF key).
- It encrypts it using XChaCha20-Poly1305 with a key derived from your device secret + PIN.
- The encrypted payload is formatted as a compact vk3: string.
- Hold your phone against the NFC tag — the payload is written via NDEF.
Restoring on a New Device
- Install VaultKeepR on the new device.
- Tap the NFC tag — VaultKeepR reads the encrypted payload.
- Enter your PIN — VaultKeepR decrypts the master password.
- The recovered master password unlocks your vault (from local storage or IPFS).
The tag gives you back your master key. The master key gives you back your vault.
Smart Payload Compression
NFC tags have very limited storage (137 to 888 bytes). VaultKeepR uses clever tricks to fit within these constraints:
Hex Compression for Biometric Keys
When you use passwordless mode with Passkeys, your master key is a long hex string (64+ characters). VaultKeepR detects this and compresses it to raw bytes before encryption — cutting the payload size in half:
Hex string: "a1b2c3d4e5f6..." (64 chars) → 32 bytes
Text password: "MyP@ssw0rd" (10 chars) → 10 bytes
A 1-byte flag (h for hex, t for text) is prepended so VaultKeepR knows how to decode on restore.
Format Auto-Selection
| Format | Structure | Used When |
|---|---|---|
| v2 | vk2:{nonce}:{ciphertext} | Short passwords (< ~53 chars) |
| v3 | vk3:{nonce+ciphertext} | Longer keys (saves separator overhead) |
VaultKeepR automatically picks the most compact format based on your key length.
Tag Capacity Guide
| Tag Type | Storage | Fits |
|---|---|---|
| NTAG213 | 137 bytes | Most passwords and hex keys |
| NTAG215 | 504 bytes | All password types with margin |
| NTAG216 | 888 bytes | Maximum headroom |
VaultKeepR detects the tag capacity before writing and warns you if the payload won't fit.
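The flag byte and the capacity check described above, as an added example (not VaultKeepR's code). The hex-detection rule, the function names and the base64 text encoding used for the size estimate are assumptions, and NDEF framing overhead is not counted. It shows why detection has to be lossless: uppercase or odd-length hex must stay text, or the restored key would differ from the original.

```python
import re

TAG_CAPACITY = {"NTAG213": 137, "NTAG215": 504, "NTAG216": 888}  # bytes, from the page
HEADER_LEN = 4     # "vk3:"
NONCE_LEN = 24     # per-backup nonce, from the page
AEAD_TAG_LEN = 16  # Poly1305 authenticator carried with the ciphertext

# Only lowercase, even-length hex survives bytes.fromhex() -> .hex() unchanged.
_LOSSLESS_HEX = re.compile(r"(?:[0-9a-f]{2})+")


def encode_secret(secret: str) -> bytes:
    """Prepend the 1-byte flag: b'h' + raw bytes for hex keys, b't' + UTF-8 text."""
    if _LOSSLESS_HEX.fullmatch(secret):
        return b"h" + bytes.fromhex(secret)
    return b"t" + secret.encode("utf-8")


def decode_secret(plaintext: bytes) -> str:
    """Inverse of encode_secret, applied to the decrypted plaintext on restore."""
    flag, body = plaintext[:1], plaintext[1:]
    if flag == b"h":
        return body.hex()
    if flag == b"t":
        return body.decode("utf-8")
    raise ValueError("unknown encoding flag")


def estimated_len(plaintext: bytes) -> int:
    """Length of 'vk3:' + base64(nonce || ciphertext); base64 is an assumption."""
    binary = NONCE_LEN + len(plaintext) + AEAD_TAG_LEN
    return HEADER_LEN + (binary + 2) // 3 * 4


def smallest_tag(plaintext: bytes):
    """Smallest listed tag whose capacity holds the estimated payload, else None."""
    size = estimated_len(plaintext)
    for name, capacity in sorted(TAG_CAPACITY.items(), key=lambda kv: kv[1]):
        if size <= capacity:
            return name
    return None


if __name__ == "__main__":
    prf_key = "a1b2c3d4" * 8  # constructed 64-character hex key
    for label, pt in (("compressed", encode_secret(prf_key)),
                      ("as text", b"t" + prf_key.encode())):
        print(label, estimated_len(pt), smallest_tag(pt))
```

Under these assumptions the compressed 64-character key is estimated at 104 bytes and fits an NTAG213, while the same key stored as text is estimated at 144 bytes and needs an NTAG215.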
Security Analysis
What if someone steals my NFC tag?
They get an encrypted blob. Without your device secret AND your PIN, the data is useless. XChaCha20-Poly1305 with a 256-bit HKDF-derived key provides 256 bits of security — brute-forcing it would take longer than the age of the universe.
What if someone clones my NFC tag?
Same answer. A clone contains the same encrypted data. No device secret + PIN means no access.
Can someone modify the data on the tag?
XChaCha20-Poly1305 is an authenticated encryption scheme. If even a single bit is modified, decryption fails with a clear error. You get a rejection, not corrupted data.
What if I lose my phone AND my NFC tag?
This is where VaultKeepR's multi-path recovery shines. If you lose both:
- Your vault is still on IPFS (if you had sync enabled) — recoverable from any device with your wallet.
- Your Shamir recovery fragments can reconstruct your master key without any device.
- Your Passkey might still be synced via iCloud/Google to another device.
The NFC tag is one recovery path among several — not a single point of failure.
Passkey / Biometric NFC Backups
In passwordless mode, VaultKeepR stores the PRF-derived key (as compressed hex) instead of a text password. The security model is identical:
PRF Key (hex) → Compress to bytes → Encrypt with device secret + PIN → Write to NFC
On restore, the hex key is decompressed and used to unlock the vault directly — no password prompt needed.
Choosing the Right NFC Tag
| Feature | NTAG215 (Recommended) | NTAG216 (Large Keys) |
|---|---|---|
| Storage | 504 bytes | 888 bytes |
| Price | ~$0.30 each | ~$0.50 each |
| Form Factor | Sticker, card, keychain | Sticker, card, keychain |
| Best For | Most users | Extra headroom |
You can buy NFC tags on Amazon, AliExpress, or any electronics supplier. Look for NTAG215 or NTAG216 specifically.
Pro tip: Buy a waterproof NFC keychain tag. Attach it to your physical keyring. Your recovery key goes everywhere your keys go.
Why This Matters
In a world of constant data breaches and account lockouts, physical key backup gives you sovereignty over your recovery:
- Offline: Works without internet
- Instant: Write and restore in under 3 seconds
- Portable: Fits on a keychain
- Three-factor: Tag alone is worthless without device + PIN
- Private: No cloud, no account, no recovery email
Your master key isn't sitting on someone else's server waiting to be exfiltrated. It's in your pocket, encrypted with keys that exist only on your device and in your memory.
This is what true self-custody looks like.
Ready to try it? Download VaultKeepR and tap your way to a secure backup.