PE penclo.com privacy encloser

Your data, sealed.

A calm, deliberate enclosure for everything you choose to keep private.

end-to-end encryption zero-knowledge no telemetry
01 — promise

Privacy is patient.

penclo treats your information the way an old vault treats valuables: thick walls, quiet hinges, and one key that belongs only to you. There is no rush, no urgency, no dark pattern asking you to trade more for less.

We are an enclosure — a calm container for the parts of your digital life that deserve to stay yours.

02 — pillars

Three quiet guarantees.

Sealed at rest

Every record is sealed before it touches a disk. The seal opens only with a key that lives on your devices.

AES-256-GCM · per-record key

Sealed in transit

Your data is wrapped before it leaves your device and unwrapped only on the other side. The wires never see plaintext.

TLS 1.3 · X25519 · ChaCha20

Sealed from us

We hold opaque envelopes. We cannot read them, cannot index them, cannot hand a copy to anyone — including ourselves.

zero-knowledge · client-side
03 — how it works

From plaintext to sealed envelope.

  1. 01

    A key is born on your device

    When you first open penclo, a master key is generated locally and wrapped with your passphrase. It never leaves the device unencrypted.

  2. 02

    Each record gets its own seal

    Every entry is encrypted with a fresh per-record key, then that key is wrapped by your master key. Compromise of one record never reveals another.

  3. 03

    The envelope is mailed, not opened

    Sealed envelopes travel to penclo's storage. We receive opaque ciphertext, hold it, and hand it back only to a session that proves it has the key.

  4. 04

    Only your devices can break the seal

    Decryption happens inside your browser or app, in memory, and never on our servers. The seal opens for you and closes again after you look away.

04 — technical

For the careful reader.

Symmetric cipher AES-256-GCM
Key derivation Argon2id · m=64MiB t=3 p=1
Key exchange X25519 ECDH
Transport TLS 1.3 · HSTS · pinned
Server knowledge ciphertext + opaque metadata only
Audit independent · annual · published

Last audit cleared 2026-02-14 — report archived in our seal vault.

05 — enclose

Begin a quiet enclosure.

Reserve your handle. We will write to you when the seal is ready — once. No newsletter, no follow-up, no reminders.