“Your data is encrypted at rest” is one of the most common security claims a product makes, and one of the least specific. It answers a narrow question — what happens if someone gets a copy of the raw database or storage bucket — and says nothing about several other, more common ways vault contents actually get exposed.
What it does protect against
If Velora's database or object storage were ever accessed by someone without authorization — a misconfigured permission, a compromised backup, a subpoena to the wrong party — what they'd find is ciphertext produced by AES-256-GCM, keyed to a value derived from your master key through 600,000 rounds of PBKDF2-SHA-256. Without that master key, the ciphertext is not meaningfully recoverable with any hardware that exists today. This is the specific, real thing encryption at rest buys you: a stolen copy of the storage layer is not a stolen copy of your data.
What it doesn't protect against
- An unlocked device in someone else's hands — the vault is already decrypted in that session.
- Malware or a malicious browser extension running while the vault is unlocked, reading memory or the DOM directly.
- Phishing, keylogging, or clipboard monitoring that captures the master key as you type or paste it, before encryption ever happens.
- A weak, reused, or shared master key — encryption strength is irrelevant if the key guarding it is guessable.
- Content you deliberately copy or export after decrypting it locally.
None of this is a flaw specific to Velora Vault — it's true of every encrypted vault product, because it's a property of what encryption at rest actually is: protection for data in storage, not protection for data the moment it's in use on a compromised device. Any vendor whose marketing implies otherwise is describing a threat model that doesn't exist.
The practical takeaway is that encryption at rest and device hygiene are two separate layers, and skipping the second one because the first sounds strong is where most real-world vault compromises actually happen — not through a broken cipher.