your bitcoin wallet is your master password.
OC Vault is an encrypted-secrets vault you unlock with the wallet you already have. No OC account. No master password to forget. Every entry is a portable .lock envelope you can take with you, decrypt locally, forever — even if vault.ochk.io disappears tomorrow.
```json
{
  "v": 2,
  "kind": "lock-envelope",
  "id": "1b6f9c3e…a042",
  "flow": "self-vault",
  "entry": {
    "kind": "totp-seed",
    "label": "github · recovery",
    "ct": "U2FsdGVkX19xKa…",
    "alg": "chacha20-poly1305"
  },
  "recipient": {
    "address": "bc1qalice…",
    "device": "alice-laptop-2026",
    "epk": "x25519:Aoq2…"
  },
  "sealed_at": "2026-05-12T14:02:00Z",
  "sig": { "alg": "bip322", "value": "…" }
}
```
four steps. one wallet. zero accounts.
OC Vault uses Flow 4 of the open OC Lock protocol — the "self-vault" pattern. You're the sender, the recipient, and the verifier. OC is only a ciphertext relay. The cryptographic contract is the product contract.
- [01] connect: Open vault.ochk.io and sign one BIP-322 message with your Bitcoin wallet. Your wallet derives a device key locally. OC never sees the wallet, the seed, or the device key.
- [02] add a secret: Password, seed phrase, TOTP seed, API key, secure note, or small file. The browser seals it client-side as a portable .lock envelope. Plaintext never leaves your tab.
- [03] sync or export: Free: store locally in IndexedDB, or point at your own Nostr relay / HTTP blob URL. Paid: one-time 210k sats for vault.ochk.io cloud sync — for one Bitcoin identity, forever.
- [04] unlock anywhere: Any browser, any device. Re-sign the BIP-322 challenge with the same wallet, and your device key unwraps the envelope. Lose the cloud? @orangecheck/lock-core from npm decrypts your exports forever.
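The seal and unlock steps above, as an added Node.js sketch (not code from OC Vault or @orangecheck/lock-core): a secret is sealed to an X25519 device key with a fresh ephemeral key and chacha20-poly1305, filling the `entry.ct` and `recipient.epk` fields of the envelope. The HKDF step, the nonce/tag layout inside `ct`, the metadata-as-associated-data binding and all function names are assumptions of this sketch; the BIP-322 signature and the wallet-derived device key are not modelled.

```javascript
// Added sketch; NOT the @orangecheck/lock-core implementation.
const { generateKeyPairSync, createPublicKey, diffieHellman, hkdfSync,
  randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const AEAD = 'chacha20-poly1305';

// Assumption: entry metadata is bound as AEAD associated data, so an edited
// kind/label/alg makes decryption fail instead of silently succeeding.
const aad = (e) => Buffer.from(JSON.stringify([e.kind, e.label, e.alg]));

// Assumption: HKDF-SHA256 over the X25519 shared secret, salted with the raw epk.
function deriveKey(privateKey, publicKey, epkB64) {
  const shared = diffieHellman({ privateKey, publicKey });
  const salt = Buffer.from(epkB64, 'base64url');
  return Buffer.from(hkdfSync('sha256', shared, salt, 'example-self-vault', 32));
}

function sealEntry(devicePublicKey, kind, label, plaintext) {
  const eph = generateKeyPairSync('x25519'); // fresh ephemeral key per entry
  const epkB64 = eph.publicKey.export({ format: 'jwk' }).x;
  const key = deriveKey(eph.privateKey, devicePublicKey, epkB64);
  const nonce = randomBytes(12);
  const entry = { kind, label, alg: AEAD };
  const c = createCipheriv(AEAD, key, nonce, { authTagLength: 16 });
  c.setAAD(aad(entry));
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  // Assumed ct layout: nonce || ciphertext || 16-byte tag, base64-encoded.
  entry.ct = Buffer.concat([nonce, body, c.getAuthTag()]).toString('base64');
  return { entry, recipient: { epk: 'x25519:' + epkB64 } };
}

function unsealEntry(devicePrivateKey, envelope) {
  const { entry, recipient } = envelope;
  if (entry.alg !== AEAD || !recipient.epk.startsWith('x25519:')) throw new Error('unsupported algorithm');
  const epkB64 = recipient.epk.slice('x25519:'.length);
  const epk = createPublicKey({ key: { kty: 'OKP', crv: 'X25519', x: epkB64 }, format: 'jwk' });
  const key = deriveKey(devicePrivateKey, epk, epkB64);
  const raw = Buffer.from(entry.ct, 'base64');
  const d = createDecipheriv(AEAD, key, raw.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(aad(entry));
  d.setAuthTag(raw.subarray(raw.length - 16));
  const body = raw.subarray(12, raw.length - 16);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8'); // throws on tamper
}

// Constructed demo: a random key stands in for the wallet-derived device key.
const device = generateKeyPairSync('x25519');
const sealed = sealEntry(device.publicKey, 'totp-seed', 'github · recovery', 'JBSWY3DPEHPK3PXP');
console.log(unsealEntry(device.privateKey, sealed));
```

Because the relay only ever holds `ct` and `epk`, a relabelled entry or a different device key fails the Poly1305 tag check in `unsealEntry` rather than yielding plaintext.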
every other vault asks you to trust their company to hold the master key.
OC Vault binds the unlock to your Bitcoin wallet via BIP-322. There is no account database to breach. There is no master-password KDF to brute-force. There is no proprietary export format to escape from. The cryptographic contract — "only the holder of the wallet can decrypt" — is the product contract.
| system | account | master password | recovery | export format | payment |
|---|---|---|---|---|---|
| 1Password | required | yes (KDF-protected) | recovery kit + secret key | proprietary 1pux | card · subscription |
| Bitwarden | required | yes (KDF-protected) | emergency contact | json (cleartext) | card · subscription |
| Apple iCloud Keychain | apple id required | device passcode | apple-mediated | none (locked-in) | bundled w/ icloud |
| self-hosted KeePassXC | none | yes (file passphrase) | you keep the file | kdbx (open) | free · self-managed |
| oc vault | none (wallet is identity) | none (BIP-322 sign-on) | your wallet | .lock envelope (open) | sats · lightning · one-time |
Your wallet derives your device key locally. OC never sees the wallet, has no recovery backdoor, cannot leak what it does not hold.
OC holds ciphertext only. No "master password KDF stops us" story — there is no master password. The math is the policy.
Every entry is a portable .lock envelope. Export anytime. If vault.ochk.io disappears, @orangecheck/lock-core from npm decrypts your backups forever.
Read the underlying protocol design at oc-lock-protocol/WHY.md — OC Vault is the consumer-facing productization of Flow 4 (self-vault) from that spec.
one open protocol. three open packages.
OC Vault is the commercial product. The protocol it implements and the SDK it depends on are MIT-licensed and reusable. Re-implement the SPEC in any language — the test vectors are the ground truth. The web client is a convenience over the SDK, never the authoritative implementation.
- oc-lock-protocol: normative spec for the .lock envelope · Flow 4 (self-vault)
- @orangecheck/lock-core: seal(), unseal(), canonical envelope, BIP-322 binding
- @orangecheck/lock-crypto: x25519 ECDH + chacha20-poly1305 AEAD primitives
- @orangecheck/lock-device: wallet-derived device key, device record management
- lock.ochk.io: reference web client for the broader OC Lock protocol (Flows 1-3)
bitcoin-bound. ciphertext-only. yours by construction.
Free forever locally. 210,000 sats one-time for vault.ochk.io cloud sync, per Bitcoin identity. Paid in sats over Lightning. No fiat, no card, no subscription, no account.