Skip to content
AppVault

FILE 07 / EXCLUDED FROM ICLOUD BACKUP

The vault is not in iCloud Backup. By design.

AppVault deliberately keeps the vault out of every backup iOS knows about. The directory is excluded with NSURLIsExcludedFromBackupKey; the master keys live in the iOS Keychain with ThisDeviceOnly access. Survival across device loss is handled by a BIP-39 12-word recovery phrase that never leaves your hands.

UPDATED · 2026-05-20 · REVIEWED BY APPVAULT

The boring iOS attribute that does the work

iOS exposes a per-file attribute called NSURLIsExcludedFromBackupKey. When that key is set to YES on a directory, iOS quietly drops the directory from every system backup — iCloud Backup, iTunes Backup, Finder Backup. The user does not see the exclusion in their backup settings, the data just is not included.

AppVault sets this flag on the vault directory the moment the directory is created. It is one line of code (setResourceValues({ URLResourceKey.isExcludedFromBackupKey: true })) and it is one of the first things the app does. The vault never spends an instant being backup-eligible.

Why this matters, in plain terms

A backup that contains vault ciphertext is a backup that can be restored. A restored backup is a copy of your files on a different device. A different device can be:

AppVault closes all three by never being in the backup in the first place. The vault is not on the second device; it is not in any subpoena; it is not in any leaked iCloud archive. The threat model is reduced from "trust the chain of custody of Apple’s backup infrastructure" to "trust the device in my hand right now".

The Keychain belt-and-suspenders

Even if the directory exclusion were somehow bypassed, the ciphertext would be unreadable on a second device. The master keys (the small handful of secrets that unwrap the per-file AES-256-GCM keys) live in the iOS Keychain, pinned to kSecAttrAccessibleWhenUnlockedThisDeviceOnly. That access flag is iOS’s strongest "do not migrate this" signal. It explicitly forbids:

A vault that traveled in ciphertext form would still be useless without these keys, and these keys are pinned to a single device by Apple’s own platform security model.

Surviving device loss: the recovery phrase

The cost of this design is that a brand-new iPhone, signed into the same Apple ID, does not recover your old vault. To survive that scenario, AppVault generates a BIP-39 12-word recovery phrase during onboarding, the same kind of phrase that cryptocurrency wallets use. The phrase is shown once. Write it down on paper, store it offline, and never type it into a cloud-synced note. On a new device, choose "I have a recovery phrase" during setup, draw a new pattern, and enter the phrase — the vault is reconstituted from the phrase plus the new pattern.

You can regenerate the recovery phrase later in Settings → Regenerate Recovery Phrase. The old phrase is invalidated; the new phrase is the only valid one from that point forward. If you lose both the device and the phrase, the vault is unrecoverable. That is by design.

What is not happening, contrary to common assumption

QUESTIONS WE HEAR

About backup, recovery, and device loss.

  1. 01 Does AppVault back up the vault to iCloud?
    No. AppVault deliberately marks the vault directory with the iOS attribute NSURLIsExcludedFromBackupKey, which tells iOS to skip the vault when iCloud Backup, iTunes, or Finder take a backup of the device. Vault contents stay on the device that encrypted them. We never wrote a cloud-upload feature, and we are not planning to.
  2. 02 Why exclude the vault from iCloud Backup?
    Three reasons. First, an iCloud Backup that contained vault ciphertext could be subpoenaed or restored to a different device; either path widens the attack surface the vault is supposed to close. Second, the master keys are stored in the iOS Keychain with the access flag kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which means they are not eligible to sync to iCloud Keychain — so even if the ciphertext were backed up, no other device could decrypt it. Third, vault contents are typically the user's most sensitive material; the safest place for that material is the device the user is holding.
  3. 03 What if I lose my iPhone?
    A new iPhone with no AppVault data does not recover the old vault. That is the trade-off. To survive device loss, write down the BIP-39 12-word recovery phrase that AppVault generates during onboarding (or regenerate it later in Settings → Regenerate Recovery Phrase). On the new device, install AppVault, choose "I have a recovery phrase", and re-enter it. The recovery phrase, plus a pattern you can remember, is the only path back into the vault.
  4. 04 Are the master keys synced to iCloud Keychain?
    No. AppVault explicitly sets the Keychain access flag to ThisDeviceOnly. That flag tells iOS the keys cannot be backed up, cannot be migrated to a different Apple device, and cannot be restored from any backup. The keys live and die with the device that created them.
  5. 05 What about iTunes / Finder backups on a Mac?
    NSURLIsExcludedFromBackupKey covers iTunes and Finder backups as well as iCloud Backup. The vault directory is excluded from all three. If you back up your iPhone to a Mac, the vault is not in the backup.
  6. 06 Will encrypted cloud backup come in a future version?
    It is not on the near-term roadmap. We would only ship it as truly client-side encrypted — keys never leave the device, and the cloud sees only opaque ciphertext — and that requires a key-wrap design we are not in a hurry to get wrong. For now, the recovery phrase is the survival mechanism.

GET STARTED

Seal the vault.

Free to download. The free tier holds one file. Premium removes the limit — Weekly from $3.99 or Yearly from $29.99 with a 7-day free trial.