Encrypted photos and document scans
Capture into app-private storage and encrypt the result before it enters the protected library.
SP-VAULT · SELF-HOSTED
SecurePhone Vault is a separate first-party app for encrypted photos, video, audio, document scans, and imported files. Content and its library index stay encrypted on the device under an Android Keystore key.
co.securephone.vaultRequired managed application
assignedphoto-videoPrivate capture workflow
allowedaudioEncrypted voice recordings
alloweddocumentsScans and file imports
allowedVault minimizes the time plaintext exists, avoids shared media storage, and gives administrators explicit control over which capture paths are available. It complements device policy rather than replacing endpoint security.
Capture into app-private storage and encrypt the result before it enters the protected library.
Store video as authenticated ciphertext instead of leaving an ordinary gallery item behind.
Record voice notes locally, encrypt them immediately, and preview them only inside the Vault.
Copy a selected document directly into the encrypted library without granting a cloud service access.
Screenshots and recents are blocked. Temporary previews stay in no-backup app storage and are wiped when the preview closes or the app backgrounds.
Enable or disable Vault, photo, video, audio, scanning, and import paths through Android managed configuration.
Vault has its own package identity and release artifact. The appliance catalog, policy, launcher layout, signing identity, and managed-device wipe plan are prepared together.
Assign co.securephone.vault as a required app for the intended users or devices.
Permit only the photo, video, audio, scan, and import workflows the deployment needs.
Make Vault the intentional protected-media entry point on the managed home screen.
Confirm application-data and whole-device wipe behavior before phones enter the field.
The SecurePhone sandbox build is available for appliance and device testing. Production distribution remains blocked until the APK is release-signed with the SecurePhone identity and independently reviewed.
Review security architectureVault uses co.securephone.vault; it is not the crypto wallet and is not hidden inside Global Chat.
Private release keys never enter the source repository or customer appliance.
The app has no Internet permission and no SecurePhone, OMEMO, Google, or third-party storage dependency.
An unlocked or compromised device can expose an active preview; screen lock, MDM, and incident response remain essential.
Validate capture, import, managed policy, launcher placement, previews, deletion, and wipe before the production signing gate is opened.
Configure yours