Panic Wipe
Also known as: panic mode, emergency wipe, cryptographic self-destruct, kill switch, crypto-shredding
A panic wipe is an emergency function that cryptographically destroys a device's secrets so a seized or stolen device yields nothing. Rather than slowly overwriting gigabytes, it deletes the small encryption keys that unlock everything; the remaining encrypted data becomes permanent noise. RVNT's version also wipes the database, media cache, and hardware-backed keys, and is irreversible by design.
A panic wipe is the nuclear option in a security app: one action that renders all sensitive data permanently unrecoverable. The core trick is crypto-shredding — destroying the key instead of the data. Your messages live in an AES-256-GCM or SQLCipher database that is meaningless without its key, so deleting that 32-byte key instantly turns gigabytes of ciphertext into random noise. This is the same principle NIST SP 800-88 recognizes as cryptographic erase, a sanitization method fast enough to complete in seconds rather than the hours a full overwrite would take.
The reason key destruction matters more than file overwriting is modern storage. Solid-state drives use wear leveling and remap blocks, so an "overwrite" may not touch the original flash cells at all. Forensic labs can sometimes desolder NAND chips and recover fragments. But if the only copy of the decryption key is gone — especially if it lived in a hardware Secure Enclave that physically erases it — those recovered fragments are useless ciphertext with no path to plaintext.
A panic wipe is distinct from simply logging out or deleting an account. It is meant to be triggered under duress — a border stop, a device seizure, a raid — and it makes no attempt to be recoverable. That irreversibility is the point: there is nothing left for an adversary to compel you to decrypt.
How it works
RVNT's destruction sequence runs in stages, ordered so the most critical step happens first. Stage 1 invalidates the hardware-backed keys in the Apple Secure Enclave (or Android StrongBox/TEE) — SecKeyDelete on the identity, storage, and biometric keys — which is irreversible at the silicon level. Even if power is cut immediately after, the database is already unreadable.
Stage 2 opens the SQLCipher database, runs PRAGMA secure_delete, drops the message, contact, session, and prekey tables, VACUUMs, then three-pass overwrites and deletes the file. Stage 3 applies a DoD 5220.22-M style overwrite (0x00, 0xFF, random, with read-back verification) to any loose key material. Stage 4 clears every keychain/credential-store entry. Stage 5 shreds the media and thumbnail caches. Stage 6 resets the app to a first-launch screen, or — in duress mode — loads a plausible decoy vault so an observer sees a normal, empty-looking app.
How RVNT uses Panic Wipe
RVNT triggers a panic wipe via a duress PIN, a hardware button sequence, a signed remote wipe command, an optional failed-attempt threshold, or a dead-man's-switch timer. The sequence destroys Secure Enclave keys first, then the SQLCipher database, loose key files, keychain entries, and the media cache — full stages and SSD caveats are documented in Panic Mode.
Frequently asked questions
What is the difference between a panic wipe and a duress PIN?
A duress PIN is one of the triggers; the panic wipe is the action it sets off. Entering the duress PIN at the lock screen silently runs the wipe while the app appears to unlock normally, optionally showing a decoy vault. The panic wipe itself is the underlying multi-stage destruction of keys, database, and media.
Can data be recovered after a panic wipe?
No, in practical terms. RVNT destroys the encryption keys (hardware-level on the Secure Enclave), and AES-256 ciphertext without its key is indistinguishable from random noise. Even if storage fragments survive on an SSD, there is no key to decrypt them.
Does a panic wipe delete the RVNT app itself?
No. It destroys data — keys, messages, contacts, media — but leaves the application binary installed and resets it to a clean first-launch state. The username-to-public-key mapping on the identity server also survives, though the matching private key is gone, so the identity can no longer be used.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.