OC Vault
Encrypted secrets storage, sealed by a key OrangeCheck never sees. vault.ochk.io is a commercial sub-product of OrangeCheck, parallel to me.ochk.io. It is the consumer-facing productization of OC Lock Flow 4 — the self-vault ("password manager") pattern: one OC identity, many encrypted entries, all sealed under a key only your browser, your extension, or your CLI holds.
The pitch is one sentence: a password manager that physically cannot read your data. OC holds ciphertext and nothing else. Even with full database access there is no entry name, no type, no payload to read.
Three structural differences from a conventional password manager
| Difference | What it means |
|---|---|
| No OC account | Your OrangeCheck identity (Bitcoin wallet via BIP-322, or a federation-custodied identity via email-OTP) is the account. There is no master password to reset, because there is no account to attach a reset to. OC never sees a wallet key and holds no decryption backdoor. |
| Cryptographic contract = product contract | The promise "only the passphrase decrypts" is not a policy — it is the architecture. The server stores opaque AES-256-GCM ciphertext keyed by a random envelope id. |
| Zero lock-in by construction | Every entry exports as a portable JSON snapshot. @orangecheck/vault-core from npm decrypts that file from any backup, forever — even if vault.ochk.io disappears. |
What you can store
Ten entry types, each a self-contained AES-256-GCM blob:
- password — username, password, URL, an optional one-time-password (TOTP) field, notes
- totp — a standalone authenticator entry; the 6-digit RFC 6238 code rotates live in the list
- api-key — service, key, URL, notes — for OPENAI_API_KEY-shaped secrets
- env — a bundle of KEY=value environment variables, addressable by key from the CLI as ocv://personal/<bundle>/<KEY>. The natural shape for .env files and CI config
- card — cardholder, number, expiry, CVV, PIN, billing ZIP; the list shows only the last four digits
- identity — name, email, phone, company, address — the form-filler block
- note — free-form encrypted text
- kv — a single key/value pair, for recovery-code walls and miscellany
- file — up to ~1 MB of binary payload
- seed-phrase — provided for BIP-39 passphrases and non-Bitcoin recovery phrases only. Not for Bitcoin seeds — those belong on metal, offline. The editor shows a warning when this type is selected.
Every type also carries free-form tags, a favorite flag, folders, and arbitrary custom fields.
Built-in security tooling
- Vault health audit — flags reused, weak, and insecure-URL passwords entirely offline. An opt-in breach scan checks each password against Have I Been Pwned using k-anonymity: only the first five hex characters of a SHA-1 hash leave the device. See Security.
- Generator — cryptographically random passwords and diceware-style passphrases, with a live entropy readout.
- Auto-lock — configurable idle timeout that clears all decrypted state.
- Clipboard auto-clear — a copied secret is wiped from the clipboard after a configurable delay.
- Trash — deletes are soft; entries can be restored, and the tombstone propagates through cloud sync.
- Password history — superseded password values are retained per entry.
- One-time share links — send any entry via a URL whose fragment carries the decryption key; the server stores only ciphertext and the row self-destructs on first retrieval.
Team vaults · share with people you trust
The Family Circle tier opens a parallel vault you share with up to 10 identities. Each team is sealed under its own 32-byte team key; you hand that key to a new member through an invite URL whose fragment carries the key (fragments never leave the browser, so OC never sees the key). Roles — owner, admin, member, viewer — gate writes and management. See Teams.
The collaborative signal is different from personal sync. Personal asks "are my local edits backed up yet?" — team asks "how fresh is what I'm looking at relative to my teammates' writes?". The team vault polls every 8 seconds while the tab is visible and surfaces a liveness tile in the dashboard (last-refresh time, "refreshing…" mid-tick) plus a manual refresh button. Advisory edit-locks keep two members from clobbering one another mid-edit.
Reach it from anywhere — extension, CLI, SDK
The same encrypted vault, three surfaces:
- Browser extension — Manifest V3, Chromium and Firefox. Autofill, capture, your full vault one toolbar click away. The vault key never leaves the extension.
- oc-vault CLI — oc-vault read ocv://…, run, inject, export, item list/get. Zero-knowledge: the passphrase unwraps the key in memory and is never stored.
- @orangecheck/vault-core SDK — the crypto, the entry model, the ocv:// resolver, and a transport-agnostic API client. Build your own integration on top.
- GitHub Action — resolve ocv:// references into a CI job's environment, masked in logs.
Headless access uses an access token that authorizes transport only — it carries no key material, so a leaked token yields only ciphertext. The passphrase still does the decrypting, in-process.
Pricing
vault.ochk.io is paid in sats over Lightning — no fiat, no cards, no auto-renew, no lifetime SKU. Cloud sync is a running service (storage, bandwidth, a Lightning node), so you pay for the time you use it and stop paying when you stop. The free tier is forever.
| SKU | Price | For |
|---|---|---|
| Free | 0 sats | Local + portable export. Full feature parity minus the OC-hosted blob store. |
| Monthly | 7,000 sats / 30 days | "Try it" buyers |
| Annual | 70,000 sats / 365 days | Steady-state cloud sync (two months cheaper than monthly) |
| Family Circle | 200,000 sats / 365 days | Personal cloud sync + one shared team vault, up to 10 seats included |
| Extra team seat | 40,000 sats / 365 days · seat | Family Circle teams beyond the included 10 seats |
| Witnessed Recovery | 70,000 sats / 365 days · slot | Recovery without cloud sync — a quorum of trusted witnesses can rewrap your key |
The free tier is genuine: local storage and a portable export work with no payment. Paid tiers add the OC-hosted, ciphertext-only cloud blob store so encrypted entries sync across every device that signs in with the same Bitcoin identity. Family Circle also unlocks team vaults — see Teams.
Sub-pages in this section
- Quickstart — open a vault, add your first entry, turn on sync
- Teams — Family Circle team vaults, invite-fragment key sharing, roles, the 8-second collaborative liveness model
- Browser extension — autofill in Chromium / Firefox, your full vault one toolbar click away
- Developer platform — the oc-vault CLI, ocv:// secret references, access tokens, the GitHub Action
- Protocol — Flow 4, the entry envelope, double-encrypted sync, the export format
- Security — threat model, what is sealed, what is exposed, the recovery tradeoff
Where things live
- Product — vault.ochk.io
- Browser extension — see /vault/extension
- Protocol — OC Lock · the .lock envelope and BIP-322 binding
- SDK — @orangecheck/vault-core (the vault crypto + model + resolver), @orangecheck/vault-cli (the oc-vault command), and lower-level @orangecheck/lock-crypto primitives
- Auth — the family auth host at ochk.io