Oct 7, 2025

Why even Folio can't see your documents

Your documents in Folio are protected by a secret only you know. Without your Passkey or Recovery Code, no one can access your data, not even us.

Here's a question worth asking about any app that stores your documents: can the company behind it see your files? For most cloud services, the honest answer is yes. They encrypt your data on their servers, but they hold the keys. If they wanted to look at your files, they could.

Folio works differently. We use end-to-end encryption, which means your documents are encrypted on your phone before they ever reach our servers. The key that unlocks them exists only on your devices and is protected by a secret that only you know: either a Passkey stored securely on your device, or a Recovery Code that you save when setting up the app.

Save Your Recovery Code screen in Folio app showing the importance of keeping recovery code safe for account access

Your secret is the key to everything

When you set up Folio, the app generates encryption keys on your device. These keys are what actually encrypt and decrypt your documents. But here's the important part: these keys are themselves protected by a secret that only you control.

Passkey is the modern, seamless option. It's a cryptographic credential stored in your device's secure enclave and protected by Face ID, Touch ID, or your device passcode. When you authenticate with your face or fingerprint, your device unlocks the Passkey, which then unlocks your encryption keys. The Passkey never leaves your device and can sync across your Apple or Google devices through their secure cloud keychains.

Recovery Code is a 24-word phrase generated when you create your account. Think of it as a master key written on paper. If you lose access to all your devices, this code is the only way to recover your documents. Without it, your data is mathematically unrecoverable.

Either way, the secret stays with you. Folio never sees it, never stores it, and has no way to recover it if you lose it.
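The key hierarchy described above, shown as an added Node.js example; this is not Folio's code. The page does not name its algorithms, so scrypt, AES-256-GCM, the function names and the sample secret are all assumptions.

```javascript
// Added illustration, not Folio's code. scrypt and AES-256-GCM are assumed.
const crypto = require('crypto');

// AES-256-GCM encrypt; returns iv, ciphertext and auth tag as one record.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; throws if the key is wrong or the data was altered.
function unseal(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Stretch the user's secret into a key-encryption key (KEK).
function deriveKek(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

// Device side: make a random document key, encrypt the document with it,
// then wrap the document key under the KEK. Only this record is uploaded.
function encryptForUpload(secret, document) {
  const salt = crypto.randomBytes(16);
  const docKey = crypto.randomBytes(32);
  return {
    salt,
    wrappedKey: seal(deriveKek(secret, salt), docKey),
    doc: seal(docKey, Buffer.from(document)),
  };
}

// Device side: unwrap the document key with the secret, then decrypt.
function decryptDownload(secret, record) {
  const docKey = unseal(deriveKek(secret, record.salt), record.wrappedKey);
  return unseal(docKey, record.doc).toString();
}

// Constructed sample values, not a real recovery code or document.
const SECRET = 'constructed sample recovery phrase';
const record = encryptForUpload(SECRET, 'passport scan bytes');
console.log(decryptDownload(SECRET, record)); // round-trips on the device
```

The `record` object is everything a server would hold in this model: a salt and two authenticated ciphertexts, none of which opens without the secret.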

What this means in practice

Because only your secret can unlock your encryption keys, several things become true:

We can't read your documents. Our servers store encrypted files that look like random data to us. Without your Passkey or Recovery Code, we have no way to decrypt them. A Folio employee with full database access would see only meaningless encrypted blobs.

Hackers can't read your documents. If someone broke into our servers, they'd get encrypted data. Without your secret, that data is useless. They'd need to break modern encryption, which would take longer than the age of the universe with current technology.

We can't hand over your documents. If authorities demanded your data, we could only provide encrypted files. We genuinely cannot decrypt them because we don't have your secret.

We can't reset your access. Most services let you reset a forgotten password because they control the encryption. We can't do that. If you lose your Passkey and Recovery Code, your documents are gone forever. This isn't a limitation; it's a feature that proves the encryption is real.

Why this matters for your documents

Your digital wallet contains some of your most sensitive information: passport scans, ID cards, medical records, financial documents. This data could enable identity theft if exposed. It could be used against you. It's exactly the kind of information you don't want sitting on some company's server where employees or hackers could access it.

End-to-end encryption changes the trust model. Instead of trusting Folio's security practices and hoping we never get breached, you only need to trust the mathematics of encryption and keep your secret safe. Even if we made a mistake, even if our servers were compromised, your documents would remain protected.

How to spot real end-to-end encryption

Many apps claim encryption but don't offer true end-to-end protection. Here's how to tell the difference:

Can they reset your password? If a service can restore access to your data after you forget your password, they hold your encryption keys. That means they can read your data. With true end-to-end encryption, losing your secret means losing your data.

Do they mention a recovery key or phrase? Services with real E2EE typically require you to save a recovery key because they can't recover your data without it. If there's no recovery mechanism you control, be skeptical.

Can they show you previews? If a web version of the service shows document thumbnails or previews without you entering a secret, the data isn't truly end-to-end encrypted. The server needs to decrypt files to generate previews.

Your documents deserve better than security promises. They deserve mathematical guarantees. With end-to-end encryption, your secret is the only key that matters. Keep it safe, and your documents stay private, even from us.
