Your Data Belongs on Your Hard Drive: Understanding AES-256-GCM
Every SaaS product tells you your data is "encrypted." But there's a massive difference between server-side encryption (where the cloud provider holds the keys) and local-first encryption (where only you control access to your data).
LockMargin was built from the ground up on the principle that your financial data should never leave your machine. Here's exactly how that works at the cryptographic level.
The Encryption Stack
LockMargin uses a three-layer security architecture:
Layer 1: Key Derivation
PBKDF2-HMAC-SHA256 with 100,000 iterations. PBKDF2 stretches your master password (together with a salt, which must be random and stored alongside the vault) into a 256-bit encryption key. Each iteration is one HMAC-SHA256 computation, so the count multiplies the cost of every password guess by 100,000. That slows an attacker down; it does not make a short or reused password strong, and PBKDF2 in particular parallelizes well on GPUs, so the real margin comes from the length and randomness of the master password. For reference, the current OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
Layer 2: Data Encryption
AES-256-GCM: the Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode, the same standard used by governments and financial institutions worldwide. GCM combines AES in counter mode with a GHASH authentication tag, so it provides confidentiality and integrity in one pass: if the ciphertext, nonce or tag has been altered, decryption fails outright instead of returning silently corrupted data. The one operational rule is that a nonce must never be reused under the same key; a repeat exposes the XOR of the two plaintexts and lets an attacker forge tags.
Layer 3: Key Storage
Encryption keys are stored in your system keyring (Windows Credential Manager, macOS Keychain, or Linux Secret Service). They are never written to the application database or sent over the network. The keyring keeps key material out of plaintext files and away from other user accounts, but it is only as strong as your OS login: on most platforms, code running under your own account on an unlocked session can ask the keyring for the same item, so a locked screen and full-disk encryption still matter.
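The three layers in working code, as an added example that is not LockMargin's own source: the product's implementation language, vault file layout and salt handling are not described on this page, and the layout below (salt || nonce || ciphertext || tag, 16-byte salt) is an assumption for illustration. PBKDF2-HMAC-SHA256 is written out so the stretching loop is visible, the key is checked against a published test vector, and AES-256-GCM sealing is followed by the two failure paths the text promises: a wrong password and a flipped ciphertext byte. The keyring layer is not shown, since what is stored there is not specified; the example re-derives the key on every open instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Parameters named on the page: PBKDF2-HMAC-SHA256, 100,000 iterations, 256-bit key.
// saltLen and the vault layout are assumptions for this example, not LockMargin's format.
const (
	iterations = 100_000
	keyLen     = 32
	saltLen    = 16
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF. Each output
// block is the XOR of `iter` chained HMAC outputs, so every password guess costs `iter` HMACs.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j] // T ^= Uj
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// pbkdf2Hex is a small wrapper used to compare against a published test vector.
func pbkdf2Hex(password, salt string, iter, dkLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iter, dkLen))
}

// sealVault derives a key from the password and a fresh random salt, then encrypts with
// AES-256-GCM under a fresh random 96-bit nonce. The salt is bound into the tag as AAD.
func sealVault(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// New random nonce per seal: reusing a nonce under the same key breaks GCM entirely.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// openVault re-derives the key from the stored salt and authenticates before decrypting:
// a wrong password or any modified byte makes gcm.Open return an error, never bad plaintext.
func openVault(password string, vault []byte) ([]byte, error) {
	if len(vault) < saltLen+12+16 { // salt + nonce + tag
		return nil, errors.New("vault too short")
	}
	salt, rest := vault[:saltLen], vault[saltLen:]
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample record for the demo; not real client data.
	record := []byte(`{"client":"Example Co","rate":95,"currency":"EUR","iban":"XX00 0000 0000"}`)
	vault, err := sealVault("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault: %d bytes = %d salt + 12 nonce + %d ciphertext + 16 tag\n", len(vault), saltLen, len(record))
	pt, err := openVault("correct horse battery staple", vault)
	fmt.Printf("correct password: %q err=%v\n", pt, err)
	_, err = openVault("wrong password", vault)
	fmt.Println("wrong password:", err)
	tampered := append([]byte(nil), vault...)
	tampered[len(tampered)-20] ^= 0x01 // flip one bit inside the ciphertext
	_, err = openVault("correct horse battery staple", tampered)
	fmt.Println("tampered ciphertext:", err)
}
```

Run it with `go run`: the correct password returns the record, while the wrong password and the flipped bit both fail with GCM's generic "message authentication failed" error, which is the integrity property the page describes. Because the salt is passed as associated data, an attacker cannot swap salts between vaults without also invalidating the tag.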
Why This Matters: Cloud vs. Local Encryption
Most cloud invoicing tools advertise "AES-256 encryption." But here's what they don't tell you:
| Feature | Cloud SaaS | LockMargin |
|---|---|---|
| Who holds the encryption keys? | The cloud provider | Your OS keychain |
| Can the provider read your data? | Yes (server-side decryption) | No (the data never reaches a server) |
| Data stored on | Third-party servers | Your local drive |
| Data mining / ad targeting | Common (anonymized or not) | Not possible (there is no copy to mine) |
| Works without internet | ❌ No | ✓ Yes |
"We Can't Even See Your Data"
This isn't a marketing slogan; it follows from the architecture. LockMargin stores your data locally and encrypts it with keys held in your keychain, so nothing readable ever reaches us and there is nothing on our side to subpoena, leak or mine. The guarantee is scoped, though: it keeps the vendor and the network out. It does not protect against someone who has your master password or who runs code under your account on an unlocked machine, so a strong master password, a locked screen and full-disk encryption are still your responsibility.
Compare this to cloud-based invoicing tools:
- Server-side encryption: The cloud provider encrypts your data on their server, but they hold the decryption keys. They can — and sometimes do — mine data for product analytics, market research, or advertising.
- End-to-end encryption (E2EE): Rare in invoicing tools. Most SaaS products don't offer it because it prevents them from running server-side features like automated reminders.
- Local-first encryption: LockMargin's approach. Your data is encrypted before it ever touches a database — and that database is on your machine.
What This Means for Your Freelance Business
Your invoices contain sensitive information: client names, rates, payment terms, bank details, and project descriptions. In the wrong hands, this data could be used for:
- Competitive analysis against your rates
- Targeted phishing attacks on your clients
- Aggregated industry profiling
With LockMargin's local-first architecture there is no central copy of this data to breach, subpoena or sell. It stays encrypted on your hard drive, protected by your OS keychain, accessible only to you.
The Bottom Line
Encryption isn't just about technology; it's about trust. Cloud providers ask you to trust that they'll protect your data, their employees, and their other tenants. LockMargin shrinks what you have to trust to the software running on your own machine, by ensuring your data never leaves your possession.
AES-256-GCM. PBKDF2 with 100,000 iterations. System keychain storage. No cloud. No data mining. No subscription.
That's not just privacy. That's ownership.
Your data belongs on your hard drive.
Download LockMargin free. AES-256-GCM encryption, zero cloud dependency.