Security deep dive

How Cloak protects your data

Cloak doesn't just promise privacy. We engineer it into every layer. From the cryptographic protocols to local key storage, here is exactly how your data stays yours.

End-to-end encrypted, always

Every message, every call, every file, encrypted on your device before it ever touches the network. The server stores only ciphertext. No backdoors, no exceptions.

Signal Protocol | AES-256-GCM | Curve25519 | Forward Secrecy | Zero Knowledge

1

Signal Protocol

Trusted by millions, built into Cloak

Cloak uses the Signal Protocol, the same end-to-end encryption standard trusted by Signal, for secure key exchange between users. Curve25519 key pairs and the Double Ratchet Algorithm ensure that every session produces unique encryption keys.

2

AES-256-GCM Message Encryption

Military-grade cipher, per-message randomness

Every message is encrypted client-side with AES-256-GCM, an authenticated encryption standard used by governments and financial institutions worldwide. Each message gets a unique, cryptographically random initialization vector (IV), so identical messages produce completely different ciphertext. The authentication tag ensures messages cannot be tampered with in transit.
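
The per-message IV and authentication tag behaviour described above, as an added Node.js example that is not Cloak's code. The envelope layout (IV, then tag, then ciphertext), the function names and the sample key and message are assumptions made for illustration.

```javascript
// Added illustration, not Cloak's implementation. Envelope layout and names are assumptions.
const nodeCrypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypt one message. Returns iv || tag || ciphertext as a single Buffer.
function sealMessage(key, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh random IV for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Decrypt one envelope. Throws if the IV, tag or ciphertext was modified.
function openMessage(key, envelope) {
  if (envelope.length < IV_LEN + TAG_LEN) throw new Error('envelope too short');
  const iv = envelope.subarray(0, IV_LEN);
  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = envelope.subarray(IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() verifies the tag; plaintext is returned only if it matches.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when a one-bit change at byteIndex causes decryption to be rejected.
function rejectsTampering(key, envelope, byteIndex) {
  const forged = Buffer.from(envelope); // copy, so the original stays intact
  forged[byteIndex] ^= 0x01;
  try { openMessage(key, forged); return false; } catch { return true; }
}

// Constructed sample input: a random 256-bit key and a fixed message sent twice.
const demoKey = nodeCrypto.randomBytes(32);
const envA = sealMessage(demoKey, 'meet at noon');
const envB = sealMessage(demoKey, 'meet at noon');
console.log('identical plaintext, identical envelope?', envA.equals(envB));
console.log('round trip:', openMessage(demoKey, envA));
console.log('bit flip in ciphertext rejected?', rejectsTampering(demoKey, envA, envA.length - 1));
```

The IV is not secret and travels with the ciphertext; what matters is that it is never reused under the same key.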

3

Zero-Knowledge Architecture

We can't read your messages. By design.

All encryption and decryption happen entirely on your device. The server only ever sees encrypted blobs, never plaintext. Even Cloak's own infrastructure cannot access your messages, files, or call content. Your data is yours alone.

4

Per-Conversation Keys

Unique keys for every DM and every room

Each direct message conversation and each server room uses its own unique encryption key derived from Curve25519 key pairs. Room owners can cycle encryption keys at any time, instantly revoking access for removed members and generating fresh keys for the room.

5

Secret Key Recovery

You hold the master key, not us

At account creation, Cloak generates a 64-character cryptographically random secret key that only you possess. This key encrypts your identity keys with AES-256-GCM before they are backed up to the server. Without your secret key, your identity and message history cannot be recovered, not even by Cloak.

6

Encrypted Voice & Video

End-to-end encrypted calls, frame by frame

Voice and video calls are protected with end-to-end encryption using the WebRTC Insertable Streams API. Every audio and video frame is encrypted before it leaves your device, ensuring that call content is only accessible to participants: not the server, not intermediaries, not anyone else.

Technical specifications

The cryptographic primitives and transport protocols powering Cloak's security.

Key Exchange: Signal Protocol (Curve25519, Double Ratchet)
Message Cipher: AES-256-GCM with per-message random IV
Key Storage: OS Keychain (macOS Keychain / Windows DPAPI)
Transport: HTTP/3 WebTransport over TLS 1.3
Media Encryption: WebRTC Insertable Streams (E2EE)
Identity Backup: AES-256-GCM encrypted with user-held secret key

Open architecture, no proprietary black boxes

Cloak is built on industry-standard, peer-reviewed cryptographic protocols. We don't invent our own crypto. We use the same proven primitives trusted by security researchers, governments, and billions of users worldwide. Your data is protected by math, not promises.

Cloak Chat is in active development
