Security, in plain terms
KeyRote only works if you can trust it with the things you’re trying to memorize. So the design is simple: keep everything on your device, keep the pieces apart, and ask you to take nothing on faith, because you can check it yourself.
Kept apart by design
A secret and the label you gave it never live in the same place. Even with full access to your device’s files, the two halves don’t add up to anything without the app to rejoin them.
The actual password, PIN or combination is held in the iOS Keychain — Apple’s hardware-backed store for sensitive values — under its own random identifier.
9F2C-7A11-…-B4E0
The name, dates and progress — “Bank card PIN”, last reviewed, mastery — sit in a completely separate on-device database, under a different random identifier.
1D8B-04FA-…-66C3
Each record carries its own independent UUID. Nothing in the metadata points at the Keychain entry and nothing in the Keychain points back — only KeyRote, running on your unlocked device, knows how to pair them.
Your choice, per secret
Recoverable: KeyRote can read the secret back, so it can power hints, input checks and a full reveal. Best for secrets you actively want help recalling.
One-way: The secret is stored only as a one-way hash. KeyRote can check whether your answer matches, but can never show the value — nobody can, not even us.
You set this per secret. Want hints for a tricky password? Choose recoverable. Storing something you’d rather no software could ever surface? Choose one-way — then even a full reveal is impossible, by construction.
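A small Python model of the two ideas above (split storage under independent identifiers, and the per-secret recoverable or one-way choice), added here as an illustration and not KeyRote's own code. The dictionaries stand in for the Keychain and the metadata database; the `pairing` index, the function names, the sample values and the use of salted PBKDF2 as the one-way hash are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import os
import uuid

keychain = {}  # stand-in for the iOS Keychain: secret material only
metadata = {}  # stand-in for the separate on-device database: label, progress
pairing = {}   # assumption: app-held index, the only link between the stores

def _kdf(value, salt):
    # Assumed one-way function: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 200_000)

def add_secret(label, value, one_way):
    """Store one secret under two independent random identifiers."""
    key_id, meta_id = str(uuid.uuid4()), str(uuid.uuid4())
    if one_way:
        salt = os.urandom(16)
        keychain[key_id] = {"salt": salt, "digest": _kdf(value, salt)}
    else:
        keychain[key_id] = {"value": value}
    metadata[meta_id] = {"label": label, "mastery": 0}
    pairing[meta_id] = key_id
    return meta_id

def check(meta_id, answer):
    """Return True when the answer matches, in either storage mode."""
    entry = keychain[pairing[meta_id]]
    if "digest" in entry:
        return hmac.compare_digest(_kdf(answer, entry["salt"]), entry["digest"])
    return hmac.compare_digest(answer.encode(), entry["value"].encode())

def reveal(meta_id):
    """Return the stored value; a one-way secret has nothing to return."""
    entry = keychain[pairing[meta_id]]
    if "value" not in entry:
        raise PermissionError("one-way secret: no stored value to reveal")
    return entry["value"]
```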
Locked to you
Getting to your secrets goes through your phone’s own device authentication — your biometrics, or your device passcode. KeyRote doesn’t invent its own account or sign-in; it leans on the lock you already trust, the one Apple built into the hardware.
Verify it yourself
KeyRote makes no network connections. Your secrets are never sent anywhere because there is nowhere for them to go. You can confirm this directly from iOS, no trust required:
The App Privacy Report is Apple’s own log of what every app touches. It’s the same tool you’d use to audit anything else on your phone — pointed at KeyRote, it stays empty.