FILE 07 / EXCLUDED FROM ICLOUD BACKUP
The vault is not in iCloud Backup. By design.
AppVault deliberately keeps the vault out of every backup iOS knows about. The directory is excluded with NSURLIsExcludedFromBackupKey; the master keys live in the iOS Keychain with ThisDeviceOnly access. Survival across device loss is handled by a BIP-39 12-word recovery phrase that never leaves your hands.
UPDATED · 2026-05-20 · REVIEWED BY APPVAULT
The boring iOS attribute that does the work
iOS exposes a per-file attribute called NSURLIsExcludedFromBackupKey. When that key is set to YES on a directory, iOS quietly drops the directory from every system backup — iCloud Backup, iTunes Backup, Finder Backup. The user does not see the exclusion in their backup settings, the data just is not included.
AppVault sets this flag on the vault directory the moment the directory is created. It is one line of code (setResourceValues({ URLResourceKey.isExcludedFromBackupKey: true })) and it is one of the first things the app does. The vault never spends an instant being backup-eligible.
Why this matters, in plain terms
A backup that contains vault ciphertext is a backup that can be restored. A restored backup is a copy of your files on a different device. A different device can be:
- A device an investigator subpoenas through Apple.
- A device a thief, partner, or family member sets up with your Apple ID and password.
- A device that ends up in a refurb pipeline still attached to your iCloud, because someone forgot to sign out.
AppVault closes all three by never being in the backup in the first place. The vault is not on the second device; it is not in any subpoena; it is not in any leaked iCloud archive. The threat model is reduced from "trust the chain of custody of Apple’s backup infrastructure" to "trust the device in my hand right now".
The Keychain belt-and-suspenders
Even if the directory exclusion were somehow bypassed, the ciphertext would be unreadable on a second device. The master keys (the small handful of secrets that unwrap the per-file AES-256-GCM keys) live in the iOS Keychain, pinned to kSecAttrAccessibleWhenUnlockedThisDeviceOnly. That access flag is iOS’s strongest "do not migrate this" signal. It explicitly forbids:
- Sync to iCloud Keychain.
- Restore from any encrypted iPhone backup onto a different device.
- Inclusion in any iTunes / Finder backup.
A vault that traveled in ciphertext form would still be useless without these keys, and these keys are pinned to a single device by Apple’s own platform security model.
Surviving device loss: the recovery phrase
The cost of this design is that a brand-new iPhone, signed into the same Apple ID, does not recover your old vault. To survive that scenario, AppVault generates a BIP-39 12-word recovery phrase during onboarding, the same kind of phrase that cryptocurrency wallets use. The phrase is shown once. Write it down on paper, store it offline, and never type it into a cloud-synced note. On a new device, choose "I have a recovery phrase" during setup, draw a new pattern, and enter the phrase — the vault is reconstituted from the phrase plus the new pattern.
You can regenerate the recovery phrase later in Settings → Regenerate Recovery Phrase. The old phrase is invalidated; the new phrase is the only valid one from that point forward. If you lose both the device and the phrase, the vault is unrecoverable. That is by design.
What is not happening, contrary to common assumption
- The vault is not uploading to AppVault servers. There is no AppVault server. We operate no backend that holds user content.
- The vault is not uploading to your iCloud as ciphertext blobs. Some competitors do this and call it "encrypted iCloud backup". AppVault does not. The exclusion flag prevents it.
- The vault is not shared across your Apple devices automatically. Each iPhone or iPad you install AppVault on starts as a fresh, empty vault. The recovery phrase plus a pattern is how you opt in to cross-device parity, manually, when you choose to.
QUESTIONS WE HEAR
About backup, recovery, and device loss.
-
01 Does AppVault back up the vault to iCloud?
No. AppVault deliberately marks the vault directory with the iOS attribute NSURLIsExcludedFromBackupKey, which tells iOS to skip the vault when iCloud Backup, iTunes, or Finder take a backup of the device. Vault contents stay on the device that encrypted them. We never wrote a cloud-upload feature, and we are not planning to. -
02 Why exclude the vault from iCloud Backup?
Three reasons. First, an iCloud Backup that contained vault ciphertext could be subpoenaed or restored to a different device; either path widens the attack surface the vault is supposed to close. Second, the master keys are stored in the iOS Keychain with the access flag kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which means they are not eligible to sync to iCloud Keychain — so even if the ciphertext were backed up, no other device could decrypt it. Third, vault contents are typically the user's most sensitive material; the safest place for that material is the device the user is holding. -
03 What if I lose my iPhone?
A new iPhone with no AppVault data does not recover the old vault. That is the trade-off. To survive device loss, write down the BIP-39 12-word recovery phrase that AppVault generates during onboarding (or regenerate it later in Settings → Regenerate Recovery Phrase). On the new device, install AppVault, choose "I have a recovery phrase", and re-enter it. The recovery phrase, plus a pattern you can remember, is the only path back into the vault. -
04 Are the master keys synced to iCloud Keychain?
No. AppVault explicitly sets the Keychain access flag to ThisDeviceOnly. That flag tells iOS the keys cannot be backed up, cannot be migrated to a different Apple device, and cannot be restored from any backup. The keys live and die with the device that created them. -
05 What about iTunes / Finder backups on a Mac?
NSURLIsExcludedFromBackupKey covers iTunes and Finder backups as well as iCloud Backup. The vault directory is excluded from all three. If you back up your iPhone to a Mac, the vault is not in the backup. -
06 Will encrypted cloud backup come in a future version?
It is not on the near-term roadmap. We would only ship it as truly client-side encrypted — keys never leave the device, and the cloud sees only opaque ciphertext — and that requires a key-wrap design we are not in a hurry to get wrong. For now, the recovery phrase is the survival mechanism.
RELATED DOSSIERS
Keep reading.
6 ENTRIES
- LINK / 01 · CORE
Photo & File Vault
The container that gets excluded from backup.
- LINK / 02 · CRYPTOGRAPHY
AES-256-GCM encryption stack
How the vault is sealed before the question of backup even arises.
- LINK / 03 · TRUST
No-account architecture
Why we run no server that could hold a backup.
- LINK / 04 · KEY
Pattern Lock
The key that derives from your pattern.
- LINK / 05 · TRUST
Threat model
What backup exclusion does and does not defend against.
- LINK / 06 · LEGAL
Privacy policy
The full inventory of what AppVault stores and what leaves the device.
GET STARTED
Seal the vault.
Free to download. The free tier holds one file. Premium removes the limit — Weekly from $3.99 or Yearly from $29.99 with a 7-day free trial.