Pattern Encryption: How Drawing a Shape Protects Your Files

You draw a pattern with your finger. That pattern becomes a cryptographic key that locks your files behind AES-256 encryption. No passwords to forget, no PINs to guess. Just your pattern, and the math behind it.

What Is Pattern Encryption?

Most vault apps hide behind a PIN or a password. You type in four digits, and your photos appear. Sounds secure enough, right?

Here is the problem: a four-digit PIN has exactly 10,000 possible combinations. A computer can try every single one in under a second. Six digits? A million combinations. Still trivially fast for modern hardware. Even an eight-character password, if it uses only lowercase letters, gives you about 200 billion possibilities. That sounds like a lot until you learn that a single consumer GPU can test billions of fast hashes such as MD5 or SHA-1 per second, which is why the slow key derivation described below matters as much as the size of the space.

Pattern encryption takes a fundamentally different approach. Instead of typing characters into a box, you draw a geometric shape across a grid of dots. The specific path you trace — which dots you touch, in what order, with what geometry — becomes the raw material for generating an encryption key. Not an access code. Not a convenience unlock. An actual cryptographic key that mathematically scrambles your data.

The distinction matters. When you enter a PIN into most apps, the app checks whether you typed the right number. If you did, it opens. The data itself is often sitting on disk in a readable format, just hidden behind an access gate. Pattern encryption in Vaultaire works differently: the pattern you draw is fed into a key derivation function that produces a unique 256-bit encryption key. That key is what encrypts and decrypts your files. If someone draws a different pattern, they get a different key, and decryption fails outright: AES-GCM attaches an authentication tag to every file, and a wrong key never verifies it. There is no readable copy of the data waiting behind a gate, only ciphertext that refuses to open.

Key Difference

A PIN-based vault is like a locked door: pick the lock, and you walk right in. Pattern encryption is like a safe where the combination is the metal the safe is made of. Wrong combination, and there is no safe — just random scrap.

How It Works, Step by Step

Here is what happens from the moment your finger touches the screen to the moment your files become unreadable to everyone else.

Step 1: You Draw Your Pattern

Vaultaire presents a 5×5 grid of dots. You draw a continuous path connecting at least 4 of these dots. The app records exactly which dots you visited and in what order. This sequence is your pattern.

5×5 Pattern Grid

Unlike the 3×3 grids you see on Android lock screens, Vaultaire uses a 5×5 grid. This is not a cosmetic choice. A 3×3 grid gives you 9 dots and 389,112 valid patterns of 4 to 9 dots under Android's drawing rules. A 5×5 grid with 25 dots allows billions. More dots, more connections, exponentially more patterns; whether that turns into entropy depends on whether people actually spread their choices across them.

Step 2: The Pattern Becomes a Key

Your drawn pattern is converted into a numerical sequence (which dots, in which order). This sequence is then fed into a key derivation function, specifically PBKDF2 (Password-Based Key Derivation Function 2), together with a unique, randomly generated salt. The salt is a string of random data, stored alongside the vault, that ensures two identical patterns on different vaults still produce completely different keys and that no precomputed table of pattern-to-key mappings can be reused across vaults.

Encryption Flow: your pattern (5×5 grid path) → PBKDF2 + salt (key derivation) → 256-bit key (unique per vault) → AES-256-GCM (file encryption)

The key derivation process is deliberately slow. PBKDF2 runs thousands of iterations, making each guess computationally expensive. This is by design: you only draw your pattern once, so a fraction of a second is imperceptible to you, but an attacker trying millions of patterns pays that fraction of a second for every single one of them, and the total runs into hours, days or years. The iteration count is the dial that sets this cost: thousands of iterations is at the low end of current guidance (OWASP recommends 600,000 for PBKDF2-HMAC-SHA256), and the count should be raised as phones get faster.

Step 3: Your Files Get Encrypted

The derived 256-bit key is used with AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) to encrypt every file in your vault. Each file receives its own unique initialization vector (IV), so even identical files produce completely different encrypted outputs. This is a requirement rather than a nicety: GCM is only safe when a nonce is never reused under the same key, so a fresh random 96-bit IV per file is what keeps the mode sound.

GCM mode adds an important layer: authentication. It does not just scramble your data. It also generates a tag that detects any tampering. If a single bit of the encrypted file is modified, the tag check fails and decryption is refused. Nobody can tamper with your files without you knowing. The same check is what rejects a wrong pattern.

Step 4: The Key Disappears

Once you close Vaultaire, the encryption key is wiped from device memory, as far as the platform's memory management allows. It is not stored on disk, not cached, not saved anywhere. The next time you open the app, you must redraw your pattern to regenerate the key. If you draw the right pattern, the key derivation produces the same key, and your files decrypt perfectly. If you draw any other pattern, the math produces a different key, and the authentication check fails before any file is decrypted.
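The four steps above, written out as an added example in Python. This is not Vaultaire's code: the byte encoding of the pattern, the 600,000-iteration count, the file layout and the use of the file name as GCM associated data are assumptions. It uses the standard library for PBKDF2 and the `cryptography` package for AES-256-GCM, and it shows that a wrong pattern is rejected by the tag check rather than producing garbage:

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

GRID = 5
KEY_LEN = 32          # 256-bit AES key
SALT_LEN = 16
NONCE_LEN = 12        # 96-bit GCM nonce, fresh per file
ITERATIONS = 600_000  # assumption: OWASP's current floor for PBKDF2-HMAC-SHA256


def encode_pattern(dots):
    """Step 1: the drawn path as bytes. Dots are 0..24 in drawing order, one
    byte each, so the encoding is unambiguous (string concatenation would
    make '1'+'12' collide with '11'+'2')."""
    if len(dots) < 4 or len(set(dots)) != len(dots):
        raise ValueError("a pattern is at least 4 distinct dots")
    if any(not 0 <= d < GRID * GRID for d in dots):
        raise ValueError("dot index off the grid")
    return bytes(dots)


def derive_key(dots, salt, iterations=ITERATIONS):
    """Step 2: PBKDF2-HMAC-SHA256 over the encoded pattern and the vault salt."""
    return hashlib.pbkdf2_hmac("sha256", encode_pattern(dots), salt, iterations, dklen=KEY_LEN)


def encrypt_file(key, name, data):
    """Step 3: AES-256-GCM with a random per-file nonce; the file name is bound
    as associated data so blobs cannot be swapped between names undetected."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, data, name.encode())


def decrypt_file(key, name, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, name.encode())  # InvalidTag on wrong key or edit


def create_vault(dots, files, iterations=ITERATIONS):
    """Returns (salt, {name: blob}). The salt is stored with the vault in the
    clear; the key is not stored at all."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(dots, salt, iterations)
    blobs = {name: encrypt_file(key, name, data) for name, data in files.items()}
    del key  # Step 4: drop our reference; Python gives no guarantee the bytes are zeroed
    return salt, blobs


def open_vault(dots, salt, blobs, iterations=ITERATIONS):
    """Re-derives the key from the redrawn pattern and decrypts every file.
    Raises InvalidTag if the pattern is wrong or any blob was modified."""
    key = derive_key(dots, salt, iterations)
    return {name: decrypt_file(key, name, blob) for name, blob in blobs.items()}


def unlocks(dots, salt, blobs, iterations=ITERATIONS):
    """True if the pattern opens the vault. A wrong pattern is rejected by the
    GCM tag check; it does not produce readable-looking garbage."""
    try:
        open_vault(dots, salt, blobs, iterations)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    pattern = [1, 17, 9, 20, 3, 14, 22, 10]  # constructed 8-dot path
    files = {"photo.jpg": b"\xff\xd8 not really a jpeg", "notes.txt": b"meeting at 10"}
    salt, blobs = create_vault(pattern, files)
    print(open_vault(pattern, salt, blobs))
    print(unlocks([0, 6, 12, 18, 24], salt, blobs))  # False: wrong pattern, tag fails
```

Binding the file name as associated data is a small addition the page does not mention, but without it an attacker who cannot read files can still rename them inside the vault without detection.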

The Math Behind It (In Plain English)

You do not need a computer science degree to understand why this works. The security comes down to three numbers: how many patterns are possible, how long each guess takes, and how many guesses an attacker can make.

Key numbers: AES key space 2^256; grid size 5×5; possible patterns: billions.

Entropy: The Measure of Unpredictability

Entropy is a fancy word for “how hard is this to guess.” A coin flip has 1 bit of entropy (two outcomes). A four-digit PIN has about 13 bits of entropy (10,000 outcomes). The space of patterns on a 5×5 grid that connect 8 or more dots exceeds 30 bits, more than a billion possibilities. That figure is the ceiling, reached only if patterns were chosen uniformly at random. People do not draw at random: studies of real Android 3×3 patterns found that the ones users actually pick are about as guessable as a three-digit PIN. The entropy you get is the entropy of the shape you choose, which is why the advice further down matters.
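To put numbers on the pattern counts claimed here and in the 5×5 grid section above, here is an added example (not Vaultaire's code) that enumerates valid patterns on an n×n grid. The page does not spell out Vaultaire's drawing rules, so Android's are assumed: each dot at most once, and a segment may pass over a dot only if that dot was already visited. On 3×3 it reproduces the 389,112 figure, on 5×5 it counts the short patterns exactly, and it turns a count into bits and worst-case guessing time:

```python
from math import gcd, log2


def between(a, b, n):
    """Grid dots strictly between dots a and b on the straight line from a to b
    (dots are numbered 0..n*n-1 row by row)."""
    r1, c1 = divmod(a, n)
    r2, c2 = divmod(b, n)
    dr, dc = r2 - r1, c2 - c1
    g = gcd(abs(dr), abs(dc))
    sr, sc = dr // g, dc // g  # smallest lattice step along the segment
    return [(r1 + k * sr) * n + (c1 + k * sc) for k in range(1, g)]


def count_patterns(n, min_len, max_len):
    """Return {length: number of valid patterns} on an n x n grid.
    Rules (assumed, Android-style): each dot at most once; a segment may pass
    over a dot only if that dot was visited earlier in the pattern."""
    dots = n * n
    crossed = {(a, b): between(a, b, n)
               for a in range(dots) for b in range(dots) if a != b}
    counts = {k: 0 for k in range(min_len, max_len + 1)}

    def extend(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(dots):
            if visited & (1 << nxt):
                continue
            if any(not visited & (1 << mid) for mid in crossed[(last, nxt)]):
                continue  # would jump over an unvisited dot
            extend(nxt, visited | (1 << nxt), length + 1)

    for start in range(dots):
        extend(start, 1 << start, 1)
    return counts


def bits(count):
    """Entropy in bits if a pattern were chosen uniformly from `count` options."""
    return log2(count)


def days_to_exhaust(count, seconds_per_guess, parallel_guessers=1):
    """Worst-case wall-clock days for an attacker to try every one of `count` patterns."""
    return count * seconds_per_guess / parallel_guessers / 86400


if __name__ == "__main__":
    three = count_patterns(3, 4, 9)
    total3 = sum(three.values())
    print(f"3x3, 4..9 dots: {total3:,} patterns = {bits(total3):.1f} bits")
    five4 = count_patterns(5, 4, 4)[4]
    print(f"5x5, exactly 4 dots: {five4:,} patterns = {bits(five4):.1f} bits")
    print(f"2**30 patterns at 1 ms each on one core: {days_to_exhaust(2**30, 1e-3):.1f} days")
    print(f"...and on 1000 cores: {days_to_exhaust(2**30, 1e-3, 1000) * 24:.1f} hours")
```

Exhausting the full 5×5 space with this enumerator is not feasible in Python, which is the point of the larger grid; the useful reading is that a 3×3 grid tops out at about 18.6 bits even before human habits shrink it.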

But the real security does not come from the pattern alone. It comes from what happens after you draw it.

Key Derivation: Making Guesses Expensive

PBKDF2 takes your pattern and runs it through thousands of rounds of cryptographic hashing. A single round is one HMAC-SHA-256 computation and takes well under a microsecond; thousands of them add up to on the order of a millisecond on a phone, and that is the unit the attacker pays per guess. If an attacker wants to test a billion patterns, and each test takes a thousandth of a second, that is a million seconds. About 11.5 days on one core, for a single vault. Attackers parallelize, though: a thousand cores in a GPU rig or a rented cloud fleet cut 11.5 days to about 17 minutes, which is why the iteration count has to keep rising and why the pattern itself still has to be hard to guess.

The salt is not a secret and should not be counted as one. It is stored beside the vault, and its job is to make precomputed tables useless across vaults, not to hide anything. What rules out remote attacks is that the vault, the salt and the pattern all stay on the device: an attacker who has not obtained the encrypted files has nothing to attack.

AES-256: The Standard That Governments Trust

AES-256 is approved by the U.S. government for protecting classified information. The “256” refers to the key length in bits. A 256-bit key has 2^256 possible values, about 10^77, a number so large that if every atom in the observable universe were a computer, and each computer could test a trillion keys per second, they still would not crack it before the heat death of the universe.

This is not marketing language. This is mathematics. The security of AES-256 does not depend on secrecy or obscurity. The algorithm is public. The code is public. The security depends entirely on the key — and your pattern generates that key.

Why Nobody Can Break Through

Let us consider the ways someone might try to access your encrypted files, and why each one fails.

Brute Force: Trying Every Pattern

Even with a fast computer, the key derivation function makes each attempt expensive. A billion possible patterns multiplied by a millisecond per attempt is about 11.5 days on one core, and attackers will spread that across many cores. Enumerating the full 5×5 space is not realistic, but an attacker does not enumerate the full space; they start with the few thousand shapes people actually draw. Brute force is defeated by the combination of a costly derivation and a pattern that is not on that short list.

Smudge Attacks: Reading Your Screen

On a 3×3 grid, smudge marks on a screen can narrow down the possible patterns significantly; published smudge-attack research recovered partial or full patterns from photographs of the screen under the right lighting. On a 5×5 grid, the smudge still reveals which dots were touched and often, from the taper of the stroke, roughly which direction it ran; what it hides is the order. With 8 touched dots that leaves at most 8! = 40,320 orderings, far fewer once only reachable sequences are considered, and an attacker with the vault can test those offline. The realistic defense is to wipe the screen after drawing and to choose a pattern whose order is not obvious from its shape.

Shoulder Surfing: Watching You Draw

Patterns drawn quickly on a small phone screen are hard to memorize in one observation, and a 5×5 grid makes that harder still. But the published comparisons are not in patterns' favor: studies that staged shoulder-surfing found patterns with the connecting line visible were easier to copy than PINs, and hiding the feedback line closed much of that gap. Hiding the trace and shielding the screen are the practical defenses; a pattern an observer has recorded on video is no stronger than a PIN they have watched being typed.

Device Seizure: Taking Your Phone

If someone takes your phone, they have an encrypted blob. Without your pattern, the data is indistinguishable from random noise. Vaultaire does not store the key or a hash of the pattern. What the device does hold is the salt and the ciphertexts themselves, and those are enough to test a guess offline: derive a key from a candidate pattern, attempt to decrypt one file, and see whether the GCM tag verifies. The attacker therefore does have an oracle, the vault itself, and what protects you is that every query to it costs a full PBKDF2 derivation and that your pattern is not among the first few thousand they try.

Is There a Verification Oracle?

Most password systems store a hash of your password. An attacker with database access can check guesses against that hash, and vaults like this one are often described as giving the attacker “no oracle” because no such hash exists. That is only half true for any vault that uses authenticated encryption. Every pattern produces a valid-looking key, but only the right key produces a ciphertext whose authentication tag verifies, and the attacker needs just one small file, not the whole vault, to run that check. Authenticated encryption is still the right choice, because unauthenticated decryption would let an attacker alter files undetected. The honest statement is that there is no shortcut oracle, only the expensive one that PBKDF2 makes slow.
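The offline check described above, as an added example (not Vaultaire's code). A toy dictionary of the obvious shapes is constructed, one encrypted file is the only thing the attacker holds, and the GCM tag decides each guess. The iteration counts and the candidate list are assumptions; it needs the `cryptography` package.

```python
import hashlib
import os
import time

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12


def derive_key(dots, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", bytes(dots), salt, iterations, dklen=32)


def seal(dots, salt, iterations, data):
    """Constructed stand-in for one vault file: nonce || AES-GCM ciphertext+tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(derive_key(dots, salt, iterations)).encrypt(nonce, data, b"")


def guess_is_right(dots, salt, iterations, blob):
    """The oracle. Nothing stored beside the vault says what the pattern is, but
    the GCM tag inside any ciphertext does: a wrong key fails authentication."""
    try:
        AESGCM(derive_key(dots, salt, iterations)).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], b"")
        return True
    except InvalidTag:
        return False


def obvious_patterns():
    """Constructed mini-dictionary of the shapes the page warns against,
    on a 5x5 grid numbered 0..24 row by row."""
    rows = [list(range(r * 5, r * 5 + 5)) for r in range(5)]
    cols = [[r * 5 + c for r in range(5)] for c in range(5)]
    diag = [0, 6, 12, 18, 24]
    anti = [4, 8, 12, 16, 20]
    shapes = rows + cols + [diag, anti]
    shapes += [s[::-1] for s in shapes]                       # same lines drawn backwards
    shapes.append(cols[0] + rows[4][1:])                      # L
    shapes.append(rows[0] + anti[1:] + rows[4][1:])           # Z
    shapes.append(rows[0] + cols[4][1:] + rows[4][-2::-1] + cols[0][-2:0:-1])  # square
    return shapes


def dictionary_attack(salt, iterations, blob, candidates):
    """Try candidates in order; return (pattern or None, guesses made, seconds)."""
    start = time.perf_counter()
    for n, dots in enumerate(candidates, 1):
        if guess_is_right(dots, salt, iterations, blob):
            return dots, n, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def seconds_per_guess(iterations, samples=3):
    """Measure one PBKDF2 derivation on this machine at the given cost."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key([0, 1, 2, 3], salt, iterations)
    return (time.perf_counter() - start) / samples


def time_to_exhaust(space, iterations, parallel_guessers=1):
    """Worst-case seconds to try `space` patterns, e.g. the page's billion."""
    return space * seconds_per_guess(iterations) / parallel_guessers


if __name__ == "__main__":
    secret = obvious_patterns()[-2]  # the owner drew a Z
    salt = os.urandom(16)
    for iters in (5_000, 600_000):
        blob = seal(secret, salt, iters, b"first file in the vault")
        found, n, secs = dictionary_attack(salt, iters, blob, obvious_patterns())
        print(f"{iters:>7} iterations: recovered after {n} guesses in {secs:.2f}s")
        print(f"          a billion patterns on one core: {time_to_exhaust(1e9, iters) / 86400:.0f} days")
```

Run it and compare the two iteration counts: the dictionary succeeds either way because the Z is on the list, and the only thing the higher count buys is time. That is the division of labour the page should state plainly: PBKDF2 slows the attacker down, the pattern decides whether slowing them down is enough.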

Choosing a Strong Pattern

The encryption is only as strong as the pattern you choose. Here is how to maximize your security with minimal effort.

What Makes a Pattern Strong

  • Use more dots. Connect at least 8 of the 25 available dots. Every additional dot multiplies the number of possible patterns.
  • Cross your own path. Patterns that loop back, skip dots, or change direction unexpectedly are much harder to reproduce from memory or observation.
  • Avoid obvious shapes. Letters (L, Z, S), simple geometric shapes (squares, triangles), and straight lines are the first things an attacker would try.
  • Use the full grid. Patterns that stay in one corner or along one edge waste the available entropy. Spread out.

What to Avoid

  • Short patterns. Connecting only 4 dots gives you far fewer possible combinations, a space closer to a PIN than to a password.
  • Simple geometric shapes. An L-shape, a zigzag, or a straight diagonal line are the pattern equivalents of “password123.”
  • Starting from the same corner every time. Research on Android lock patterns shows that a large share of people start from the top-left dot. Attackers know this.

The Sweet Spot

A pattern connecting 8–12 dots with at least two direction changes provides excellent security while remaining easy for you to remember through muscle memory. You do not need to memorize it like a password — your hand remembers the motion, the same way it remembers how to write your signature.
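An added example (not Vaultaire's strength meter) that turns the advice in this section into checks a practitioner could run on a drawn pattern: dot count, direction changes, grid coverage, the top-left start, and whether the path crosses itself. The thresholds are assumptions taken from the text; dots are numbered 0..24 row by row.

```python
from math import gcd

GRID = 5  # assumption: Vaultaire's 5x5 grid, dots numbered 0..24 row by row


def coords(dots):
    return [divmod(d, GRID) for d in dots]


def direction_changes(dots):
    """Number of times the stroke changes heading. Each segment's heading is
    reduced by gcd so a 2-dot and a 4-dot straight run count as one direction."""
    pts = coords(dots)
    headings = []
    for (r1, c1), (r2, c2) in zip(pts, pts[1:]):
        dr, dc = r2 - r1, c2 - c1
        g = gcd(abs(dr), abs(dc))
        headings.append((dr // g, dc // g))
    return sum(1 for a, b in zip(headings, headings[1:]) if a != b)


def _orient(p, q, r):
    """Sign of the turn p->q->r: >0 one way, <0 the other, 0 collinear."""
    return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])


def _cross(a, b, c, d):
    """Proper crossing of segment a-b with segment c-d (touching does not count)."""
    return (_orient(a, b, c) * _orient(a, b, d) < 0
            and _orient(c, d, a) * _orient(c, d, b) < 0)


def self_crossings(dots):
    """Pairs of non-adjacent segments that cross each other."""
    pts = coords(dots)
    segs = list(zip(pts, pts[1:]))
    return sum(1 for i in range(len(segs)) for j in range(i + 2, len(segs))
               if _cross(*segs[i], *segs[j]))


def grid_coverage(dots):
    """(distinct rows, distinct columns) the pattern touches."""
    pts = coords(dots)
    return len({r for r, _ in pts}), len({c for _, c in pts})


def assess(dots):
    """Return (problems, tips) following the page's rules; thresholds are assumptions."""
    if len(dots) < 4 or len(set(dots)) != len(dots):
        raise ValueError("pattern must be at least 4 distinct dots")
    problems, tips = [], []
    if len(dots) < 8:
        problems.append("short: connect at least 8 dots")
    if direction_changes(dots) < 2:
        problems.append("too straight: fewer than 2 direction changes")
    rows, cols = grid_coverage(dots)
    if rows < 4 or cols < 4:
        problems.append("cramped: stays in a corner or along an edge")
    if dots[0] == 0:
        problems.append("starts at the top-left dot, the most common starting point")
    if self_crossings(dots) == 0:
        tips.append("never crosses its own path; a crossing makes it harder to copy")
    return problems, tips


if __name__ == "__main__":
    for name, p in {"diagonal": [0, 6, 12, 18, 24],
                    "L": [0, 5, 10, 15, 20, 21, 22, 23, 24],
                    "tangled": [1, 17, 9, 20, 3, 14, 22, 10]}.items():
        print(name, assess(p))
```

The checks are deliberately heuristic: they catch the shapes the section lists, not every weak pattern, and a meter like this is only useful if it runs before the pattern is accepted rather than as advice after the fact.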

Why You Should Feel Safe

Pattern encryption in Vaultaire is not a gimmick. It is not a prettier version of a PIN pad. It is a genuine cryptographic mechanism that turns a human-friendly gesture into a key for AES-256-GCM, a standard, publicly analysed cipher.

Your pattern never leaves your device. The key derived from it never touches a server. The encrypted files cannot be decrypted without the exact key, and the key cannot be derived without the exact pattern (or the recovery phrase you were given when the vault was created). Every link in this chain can be checked against published algorithms, and none of it depends on trusting a company, a server, or a cloud provider.

You draw a shape. That shape protects your files. The math does the rest.

Frequently Asked Questions

What happens if I forget my pattern?

When you create a vault, Vaultaire generates a recovery phrase, a series of words that can regenerate your encryption key. If you forget your pattern, you can enter this phrase to regain access. Treat the phrase as a second key: write it down and keep it offline, away from the phone, because anyone who finds it opens the vault without your pattern. If you lose both the pattern and the recovery phrase, the data cannot be recovered. This is by design: it means nobody else can recover it either.

Is a pattern really more secure than a password?

A well-chosen pattern on a 5×5 grid can match or exceed the entropy of a typical password. The advantage is usability: people choose weak passwords because strong ones are hard to remember. Patterns leverage muscle memory, making it natural to use a complex one without conscious memorization.

Can someone screenshot or record my pattern?

Vaultaire blocks screenshots while the pattern grid is visible, and where the operating system offers a secure-screen flag (Android's FLAG_SECURE) it also blocks screen recording. An attacker would need direct visual access to your screen while you draw, or a camera pointed at it.

What encryption algorithm does Vaultaire use?

AES-256-GCM for file encryption, with PBKDF2 for key derivation. Each vault has a unique salt, and each file has a unique initialization vector. Metadata is protected with ChaCha20. Key material is managed through the device's Secure Enclave; the pattern-derived file key itself is never written to storage (see Step 4).

Is the pattern stored on my device?

No. Vaultaire does not store your pattern, a hash of your pattern, or any representation of your pattern. The pattern is used to derive a key in real time, and both the pattern data and the key are wiped from memory when the app closes.

Can Vaultaire access my encrypted files?

No. Vaultaire has zero-knowledge architecture. The company never sees your pattern, never generates your key, and never has access to your unencrypted data. Even if compelled by a court order, there is nothing to hand over.

Try Pattern Encryption

Draw your first pattern and see how it feels to have your files truly protected.
