Migra-PC
Zero-knowledge architecture

No one can read
your data. Not even us.

Encryption happens on your PC with a key only you own. Our servers only store unreadable data. Everything is verifiable.

The principle

Three uncompromising principles.

01

Local

All encryption happens on your PC. The key is derived from your password with Argon2id, never transmitted.

02

Encrypted

Each file is individually encrypted with AES-256-GCM before any transfer. Even we see only noise.

03

No one

No one, not even MFT Andorra LLC, holds a copy of your key. You’re the only one who can decrypt.

Technical

How it really works.

No marketing dodge. Here’s exactly how your data travels.

1

You enter your password

On your PC, in the Migra-PC app. It never leaves your machine.

Password entered in the app

2

Argon2id derives a master key

Argon2id is the Password Hashing Competition (PHC) winner. It transforms your password into a 256-bit key using significant RAM and CPU, making brute-force attacks economically unrealistic.

Argon2id(password, salt) -> master_key

3

A random File Encryption Key (FEK) is generated

A random 256-bit key is generated to encrypt your files. This key is itself encrypted with your master key, then stored on the server. Without your password, it is impossible to decrypt.

FEK = random(256), wrapped_FEK = AES(FEK, master_key)

4

Your files are encrypted with AES-256-GCM

AES-256-GCM is the military standard for encryption. GCM adds tamper protection: if a single byte of the file is altered, decryption fails. Encryption happens entirely on your PC.

encrypted_file = AES-256-GCM(file, FEK, nonce)

5

Only noise leaves for our servers

Encrypted files are stored on Cloudflare R2. Without your key, they look like random bytes. No password, no plaintext key, no original file ever crosses the network.

POST /upload (encrypted_file) -> Cloudflare R2

6

A 12-word phrase is given to you

This is your safety net. If you forget your password, this BIP39 phrase lets you decrypt the FEK. It’s generated randomly on your PC and we never see it.

BIP39_phrase = 128 bits entropy + checksum

Total transparency

What we see. What we don’t.

What we see

  • Your email address
  • The existence of your account
  • Technical metadata (encrypted file size, date)
  • Your subscription status
  • Billing history

What we DON’T see

  • Your password (never transmitted)
  • Your BIP39 recovery phrase
  • The content of your files
  • Your file names (encrypted too)
  • Your browser passwords

Real-world scenarios

What happens if...

What if I forget my password?
You can reset it using your 12-word recovery phrase. The app will decrypt your File Encryption Key (FEK) with the phrase, then re-encrypt it with your new password. No intervention from us is possible or necessary.
What if I lose both my BIP39 phrase AND my password?
Your data is permanently lost. That’s the flip side of zero-knowledge: even we can’t help you. That’s why we strongly emphasize keeping the phrase in a safe place (paper in a vault, external password manager).
What if MFT Andorra LLC shuts down tomorrow?
Your data stays encrypted with your key. No third party can read it without you. We’ll give you 90 days’ notice and an export tool to either retrieve your encrypted data or decrypt it locally.
What if our servers are hacked?
Attackers would only recover encrypted files and metadata. Without your key (which is never on our servers), these files are mathematically unreadable. That doesn’t mean an intrusion wouldn’t be serious (service disruption), but the content of your backups stays private.
What if a government requests your data?
We’d provide what we have: an email account, technical metadata, encrypted files. All unusable without your key. This protection against surveillance isn’t a side effect, it’s an architectural decision.
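
The key hierarchy from steps 2 to 6 and the password reset described in the first scenario above, as an added example that is not Migra-PC's own code. It uses only Node's built-in crypto module, so scrypt stands in for Argon2id; deriving the recovery key with HKDF from the 128 bits of entropy behind the phrase, the blob layout and all function names are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Assumption: scrypt stands in for Argon2id so the example needs no third-party package.
const deriveMasterKey = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

// Assumption: recovery key = HKDF-SHA256 over the 128-bit entropy behind the 12 words.
const deriveRecoveryKey = (entropy) =>
  Buffer.from(nodeCrypto.hkdfSync("sha256", entropy, Buffer.alloc(0), "fek-recovery", 32));

// AES-256-GCM with a fresh 96-bit nonce per call. Constructed layout: nonce | tag | ciphertext.
function sealGcm(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]);
}

// Throws if the key is wrong or any byte of the blob was altered.
function openGcm(key, blob) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Runs on the client. Only `record` (salt plus two wrapped FEK copies) would be uploaded.
function enroll(password) {
  const fek = nodeCrypto.randomBytes(32); // random 256-bit File Encryption Key
  const salt = nodeCrypto.randomBytes(16);
  const recoveryEntropy = nodeCrypto.randomBytes(16); // shown as 12 words, never uploaded
  const record = {
    salt,
    wrappedByPassword: sealGcm(deriveMasterKey(password, salt), fek),
    wrappedByRecovery: sealGcm(deriveRecoveryKey(recoveryEntropy), fek),
  };
  return { fek, recoveryEntropy, record };
}

// Normal login: re-derive the master key locally and unwrap the FEK.
const unlock = (record, password) =>
  openGcm(deriveMasterKey(password, record.salt), record.wrappedByPassword);

// Forgotten password: unwrap the FEK with the recovery key, re-wrap it under the new password.
// The FEK itself is unchanged, so files already uploaded do not need re-encrypting.
function resetPassword(record, recoveryEntropy, newPassword) {
  const fek = openGcm(deriveRecoveryKey(recoveryEntropy), record.wrappedByRecovery);
  const salt = nodeCrypto.randomBytes(16);
  return { ...record, salt, wrappedByPassword: sealGcm(deriveMasterKey(newPassword, salt), fek) };
}
```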

Standards used

Standard. Nothing exotic.

We use the algorithms recommended by the cryptographic community, already proven in thousands of products.

  • AES-256-GCM, NIST FIPS 197 + GCM: File encryption
  • Argon2id, RFC 9106, PHC winner 2015: Key derivation from password
  • BIP39, Bitcoin standard for mnemonics: 12-word recovery phrase
  • PBKDF2 (fallback), RFC 8018: Migration from old versions
  • HKDF, RFC 5869: Secondary key derivation
  • TLS 1.3, RFC 8446: Transport between app and servers

The best security is the kind you don’t have to prove.

Mathematically, we cannot read your data. Even if we wanted to. That’s what matters.