An unlocked vault on an unattended computer is a security risk. Auto-lock closes that window of exposure — after 15 minutes without interaction, decryption keys are removed from browser memory and the vault requires your master password to re-open.
Not just a UI lock — actual cryptographic key removal from browser memory.
The inactivity timer resets on every user interaction — page navigation, item click, form field input, scroll. As long as you're actively using the vault, it stays open. After 15 consecutive minutes with no interaction, the lock triggers automatically. The timer runs in the browser independently of server-side sessions.
Decryption keys are stored in browser sessionStorage during an active vault session — they are never written to localStorage (which persists across browser restarts) or cookies. When the vault locks, sessionStorage is cleared. The keys no longer exist anywhere in the browser. Re-deriving them requires entering your master password again.
On lock, the browser notifies the server to mark the session as locked. All vault API routes check session lock status before returning data — even if someone somehow obtained a valid session cookie, they could not fetch vault data from a locked session without re-authenticating with the master password.
Re-entering your master password on the lock screen derives the encryption keys in the browser (~300ms). The server verifies your auth key and returns any updated vault data. Your vault reopens exactly where you left it — same folder, same view, same search context. Unlocking is designed to be fast despite the key derivation cost.
Lock immediately when you need to — don't wait for the timer.
A "Lock Vault" button is always accessible in the sidebar. Click it before stepping away from your desk, before handing your laptop to someone, or any time you want immediate protection. Manual lock is instantaneous — keys cleared, session marked, lock screen shown in under 100ms.
When you close the browser tab or window, sessionStorage is automatically cleared by the browser — your decryption keys are gone. Opening the Vault URL again starts a new session and requires master password entry. There is no "remember me" for vault decryption.
Auto-lock is separate from your Pivlu account login session. You can remain logged in to your Pivlu account while the vault is locked. Unlocking the vault re-derives only the vault keys — it does not re-authenticate your account session, keeping the two security layers independent.
All encryption and vault keys are removed from sessionStorage. JavaScript variables holding key material are cleared. There are no decryption keys remaining in browser memory.
The server marks the session as locked. Vault API routes return 423 (Locked) for any request against a locked session — even a valid session cookie cannot fetch vault data.
The current page is replaced with the lock screen. No vault content remains visible. Entering the master password re-derives the keys and resumes the session without a full page reload.
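The inactivity timer, the sessionStorage-held key and the server-side lock check described above, written out as an added example (this is illustrative code, not Pivlu's own implementation; the storage and clock are injected so it runs headless, and `vaultKey` is an assumed storage key name):

```javascript
// Inactivity lock modelled on the behaviour above. In a page you would pass
// window.sessionStorage and Date.now, and call activity() from click/keydown/input/scroll listeners.
const IDLE_LIMIT_MS = 15 * 60 * 1000;  // 15 minutes without interaction
const KEY_SLOT = 'vaultKey';           // sessionStorage key name (assumed)
// Minimal stand-in for window.sessionStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    clear: () => m.clear(),
  };
}
function createVaultLock({ storage, now = Date.now, idleMs = IDLE_LIMIT_MS, notifyServer }) {
  let lastActivity = now();
  let keyMaterial = null;   // in-page reference to the derived vault key
  let locked = true;        // a fresh session always starts locked
  const lock = () => {
    if (locked) return;
    storage.clear();        // key leaves sessionStorage
    keyMaterial = null;     // and the JS reference is dropped too
    locked = true;
    notifyServer('locked'); // server flags the session; vault routes now answer 423
  };
  return {
    // Called once the master password has re-derived the key in the browser.
    unlock(derivedKey) {
      keyMaterial = derivedKey;
      storage.setItem(KEY_SLOT, derivedKey);
      locked = false; lastActivity = now();
      notifyServer('unlocked');
    },
    activity() { lastActivity = now(); },  // any interaction resets the timer
    // Poll from setInterval in a page; returns true once the lock has fired.
    tick() { if (!locked && now() - lastActivity >= idleMs) lock(); return locked; },
    lock,
    hasKey: () => keyMaterial !== null && storage.getItem(KEY_SLOT) !== null,
  };
}
// Server-side counterpart: every vault route checks the lock flag before
// returning data, so a valid session cookie alone is not enough.
function vaultRouteStatus(session) {
  if (!session || !session.valid) return 401;  // no usable session at all
  if (session.locked) return 423;              // Locked: master password needed
  return 200;
}
```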
You get up to grab a coffee and leave your vault open. Someone sits down at your desk. Auto-lock means they're greeted by the lock screen, not an open vault with your credentials visible.
You log in to your vault on a coworker's computer. When you're done and close the tab, sessionStorage is cleared. There are no credentials cached anywhere on their machine.
Even if an attacker obtained your session cookie through XSS or network interception, the locked server session prevents any vault API calls from succeeding. The cookie alone is not enough.