Is DigiLocker Safe? Complete 2026 Guide + Upload Steps

Educational content about a government digital service. Not legal or security advice. If you suspect your DigiLocker account has been compromised, contact DigiLocker support (support@digilocker.gov.in) immediately and follow UIDAI's mobile-number-change process.

Quick answer: Yes, DigiLocker is safe for storing and sharing personal documents. It uses 256-bit SSL encryption, Aadhaar OTP plus a user-set PIN for authentication, and is legally equivalent to physical documents under Rule 9A of the IT Rules 2016 (notified 8 February 2017). As of March 2026 it has 67.63 crore users and has issued over 950 crore documents without a major post-2020 incident. The main ongoing risk is SIM swap attacks on your registered mobile number - protect that number and you are covered for most threats.

This guide gives a balanced security assessment (including the 2020 vulnerability disclosures, all since patched), explains how to create and use your DigiLocker account, walks through the most common reasons fetches fail and how to fix them, compares DigiLocker against mAadhaar and UMANG, and covers the April 2026 RBI Authentication Mechanisms Directions, which reference DigiLocker as one platform that issuers may explore for notification and confirmation of high-risk transactions. We are not affiliated with DigiLocker, MeitY, UIDAI, RBI, or any government body.

What is DigiLocker?

DigiLocker is a cloud-based document wallet operated by the Ministry of Electronics and Information Technology (MeitY), Government of India, as part of the Digital India initiative. It launched publicly on 1 July 2015 and lets you store, fetch, and share government-issued documents digitally.

2026 scale: 67.63 crore users (~676 million) as of March 2026, with over 950 crore documents issued or uploaded. Growth has accelerated sharply, from 51.52 crore users in March 2025 to 67.63 crore in March 2026 - a 4x expansion since 2022.

Each account gets 1 GB of free storage, with individual files capped at 10 MB. You can use it through the web portal, the official DigiLocker mobile app (iOS and Android), or integrations in other government apps like mAadhaar and IRCTC.

Is DigiLocker Safe? The Security Assessment

Short answer: yes, for most users, for most use cases. Longer answer requires looking at what security mechanisms exist, what legal protections apply, and what has gone wrong historically.

Security Mechanisms

• 256-bit SSL encryption protects data in transit and at rest (as stated by DigiLocker).
• Aadhaar-linked authentication via mobile OTP ensures only the document owner can log in.
• 6-digit security PIN required after OTP login - second factor before sensitive actions.
• Consent-based document fetch - issuer systems release documents only when you grant explicit consent, token-by-token.
• Timed session logouts prevent abandoned sessions from staying active.
• Digital signatures on every issued document allow third parties (banks, employers) to verify authenticity without contacting the issuer.

Legal Equivalence to Physical Documents

Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016, notified on 8 February 2017 by MeitY, establishes that documents issued through or shared from DigiLocker carry the same legal status as their physical counterparts. In practice:

• A RTO officer checking vehicle documents must accept a driving license from DigiLocker as valid.
• An airport must accept DigiLocker-issued boarding passes and identity documents.
• A school or exam centre must accept mark sheets from DigiLocker as equivalent to original.
• Banks and financial institutions accept DigiLocker documents for KYC, subject to RBI Master Direction conditions.

Vulnerability History (Full Disclosure)

DigiLocker had a significant batch of security vulnerabilities discovered and responsibly disclosed in May-June 2020. An independent researcher documented:

• OTP bypass: an API endpoint that validated OTPs lacked authorization checks, allowing login as a different user if the attacker knew the victim's Aadhaar, mobile number, or username.
• PIN reset flaw: the API endpoint used to set a user's PIN could be exploited to reset it for a random user using their UUID.
• SSL pinning bypass: the mobile app's SSL pinning was weakly implemented and bypassable with tools like Frida.
• SIM recycling leak: recycled deactivated mobile numbers could retain DigiLocker associations from the previous owner.

All disclosed vulnerabilities were reportedly patched within weeks. No major incidents have been publicly documented post-2020. The disclosure itself is a positive signal - it showed the responsible-disclosure pipeline works. The structural lesson: any OTP-centric authentication system inherits SIM-level vulnerabilities.

Verdict

For most users, DigiLocker is safer than carrying original paper documents (which can be lost, stolen, damaged, or misused). It is not a zero-risk system - no consumer authentication system is. Treat it as you would a bank app: protect the registered mobile number, enable any available secondary factors, and watch for phishing.

The 4 Real Security Risks (and How to Defend)

1. SIM Swap Attacks on Registered Mobile

This is the single biggest residual risk. Attackers use social engineering to convince your telecom operator to transfer your mobile number to a SIM they control. Once they own the number, they receive your DigiLocker OTP, reset the PIN, and access your documents. Defences: enable SIM lock with a PIN at your telco, never share OTPs under any circumstance, monitor for unexpected signal loss (often the first sign of a SIM swap), and set up your telco's fraud alerts if available.

2. Phishing via Fake DigiLocker Sites and WhatsApp Links

Attackers send SMS or WhatsApp messages impersonating DigiLocker, asking you to verify or update your account via a link that leads to a fake login page. You enter your Aadhaar and OTP, and they capture both. Defences: only access DigiLocker via digilocker.gov.in directly typed into the browser, or the official app from Google Play / App Store. Never click login links from SMS or WhatsApp even if they look official.

3. Compromised or Shared Device

Malware on your phone or laptop can capture your DigiLocker PIN or session tokens. So can shoulder-surfing in a public place or someone using your unlocked device. Defences: use device lock (PIN / biometric), log out of DigiLocker on shared devices, avoid logging in on public Wi-Fi without a VPN, and keep your OS and apps updated.

4. Over-Sharing via Consented Fetch

Third parties can request specific documents from your DigiLocker, and you must grant consent before the document is released. Attackers can mimic this flow with a fake consent request that redirects to their system. Defences: read every consent screen carefully before approving - check the exact requester name and what document is being requested. Revoke access to apps you no longer use from the DigiLocker settings.

When DigiLocker Doesn't Work: Error, Cause, Fix

Even though DigiLocker has scaled past 67 crore users, individual fetches still fail for predictable reasons. Official help pages explain the happy-path workflow; this section focuses on the practical failure modes users actually hit in real life. Most failures land at the issuer's end (UIDAI, Income Tax Department, state RTO, or specific board) rather than at DigiLocker itself, so the fix usually lives in the issuer's portal.

If none of these match your case, raise a ticket with DigiLocker support at support@digilocker.gov.in - include the exact error message and a screenshot.

How to Create a DigiLocker Account (Step-by-Step)

You need an active mobile number linked to your Aadhaar (required for the OTP flow). The account is free and takes about 3 minutes to set up.

1. Visit digilocker.gov.in or download the official DigiLocker app from Google Play Store or Apple App Store.
2. Click "Sign Up" and enter your mobile number (or Aadhaar number). You will receive a 6-digit OTP on the Aadhaar-registered mobile.
3. Enter the OTP to verify your mobile number. Set a 6-digit PIN - you will use this for every sensitive action going forward. Do not reuse your bank PIN.
4. Complete your profile with your Aadhaar number (optional for basic account, required for fetching documents). DigiLocker will validate your Aadhaar via UIDAI.
5. Verify Aadhaar via the OTP sent to your registered mobile. Your account is now ready to use.

Username note: the system auto-generates a username based on your name. You can change it once in account settings. Keep it simple but not easily guessable.

How to Upload Documents in DigiLocker (3 Methods)

Documents in DigiLocker come in two flavours: Issued Documents (fetched digitally from the government issuer, fully verifiable) and Uploaded Documents (scanned or photographed legacy documents you upload yourself). Method matters - issued documents carry full Rule 9A legal equivalence; uploaded documents do not have the same digital signature.

Method 1: Manual Upload (for Legacy or Non-Issued Documents)

Use this for documents DigiLocker does not yet fetch from the issuer (old certificates, property papers, personal records). These occupy your 1 GB quota.

1. Log in to DigiLocker and go to the "Uploaded Documents" section.
2. Click "Upload". Select the file from your device. File size limit: 10 MB per file. Supported: PDF, JPG, PNG.
3. Enter the document name, type (from dropdown), and issuing authority.
4. Click "Save". The file is stored encrypted in your account.

Tip: for scanned documents, keep the PDF quality reasonable (300 DPI is enough for text, 150 DPI for general viewing). A 2 MB PDF is usually cleaner than a 9 MB one and faster to share.

Method 2: Fetch from Issuer (Recommended Where Available)

This is the preferred method. The document is pulled directly from the source (CBSE, Income Tax Department, Parivahan, etc.) with full digital signature and Rule 9A legal equivalence. It does not count towards your 1 GB quota.

1. Go to the "Issued Documents" section.
2. Click "Get Issued Documents" and search for the document type (e.g., "Driving License", "PAN Card", "Class 10 Certificate").
3. Select your state and issuing authority. Enter the required identifiers (DL number, PAN, roll number, etc.).
4. Grant consent - DigiLocker requests the document from the issuer's system, which verifies and returns it with a digital signature.
5. The document appears in your Issued Documents list, ready to view, download, or share.

Commonly fetchable documents include Aadhaar (UIDAI), PAN Card (Income Tax Department), Driving License and Vehicle RC (Ministry of Road Transport / Parivahan), Passport (from 2023 onwards), Class 10 and 12 mark sheets and certificates (CBSE, CISCE, state boards), and insurance policies (IRDAI).

Method 3: Share a Document with a Third Party

1. Open the document you want to share.
2. Click "Share". Choose between a shareable link (time-limited, password-protected) or direct email.
3. The recipient receives a link. They can verify the document's digital signature against DigiLocker's verification service.
4. You can revoke the share anytime from the document's sharing history.

What Documents Can You Store in DigiLocker?

DigiLocker integrates with hundreds of government and private issuers. These are the most commonly used:

Coverage Reality: When Fetch Works and When It Doesn't

The table above shows what DigiLocker can carry. It does not show how reliable each category actually is in 2026. Here is the honest split, organised by the most common gap shape.

Verify current coverage at DigiLocker's All Issuers / Document Search surface at digilocker.gov.in/dashboard/issuers. The list updates as new issuers integrate; rollouts are slow but ongoing.

April 2026: RBI Payment Authentication Directions and the KYC Track

Payment Authentication Directions, 2025

The Reserve Bank of India issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025 on 25 September 2025, with an effective date of 1 April 2026. The directions move banks toward risk-based authentication for high-risk payment transactions. The directions reference DigiLocker as one platform that issuers may explore for notification and confirmation of high-risk transactions - DigiLocker itself is not an authentication method, and the directions do not make it the central or mandatory surface for any track.

What changes for you as an account holder:

• Familiar devices and locations pass through low-friction authentication (usually the regular OTP or biometric).
• High-risk transactions - unusual amounts, new merchants, unfamiliar devices or locations, out-of-pattern spending - can trigger additional verification. The directions list DigiLocker among the platforms issuers may use for notification and confirmation, alongside other channels.
• Issuer liability: if a fraudulent transaction succeeds because the issuer (your bank) failed to implement adequate authentication, the bank must fully compensate you. This materially shifts the incentive for banks to take authentication seriously.

KYC Master Direction (Separate Track)

Parallel to the Authentication Directions, the RBI Master Direction on KYC (consolidated November 2025; June 2025 amendments) governs Know-Your-Customer for bank account opening and refresh. This is a different track from payment authentication. The KYC Master Direction accepts equivalent e-documents of Officially Valid Documents (OVDs), including documents issued through DigiLocker. The OVD list under RBI KYC is passport, driving licence, voter ID, NREGA job card, letter from NPR, and proof of possession of Aadhaar number. PAN / e-PAN is handled separately under the PAN or Form 60 requirement, not as an OVD.

KYC compliance deadlines for customers: low-risk customers have until 30 June 2026 or one year from their KYC due date (whichever is later) to update. Banks were required to complete IT systems and training by 1 January 2026. Combined effect for the DigiLocker user: setting up your DigiLocker account with Aadhaar, driving licence, and passport ready as Issued Documents is worth the 3 minutes - both tracks benefit from a clean, fetchable document set being available when you need it.

DigiLocker vs Physical Documents (Comparison)

Which App Should You Use? DigiLocker vs mAadhaar vs UMANG

India has three major government apps that overlap on document and identity management, plus your physical wallet. Each was built by a different agency for a different purpose. Here is how they actually compare so you can pick the right one for the task at hand.

In practice you usually need at least two of these. DigiLocker for daily document carry. mAadhaar for Aadhaar-specific self-service - VID generation, eKYC at counter, address update where eligible, locating a Seva Kendra (note: mobile-number update specifically requires a centre or postman visit per UIDAI, not self-service). UMANG when you need to find a govt service you have not used before. Physical documents stay in your wallet as the always-works fallback when the internet, the issuer feed, or the platform itself is down.

What to Do If Your DigiLocker Is Compromised

If you suspect your DigiLocker account has been accessed without your permission - unexpected OTP SMS messages, missing sessions, or sharing activity you did not initiate - act fast:

1. Change your DigiLocker PIN immediately from account settings if you still have access.
2. Contact your telecom operator to confirm no SIM swap has occurred. If it has, restore your number and report the fraud.
3. Contact DigiLocker support at support@digilocker.gov.in or call their helpline. Request a security review of recent activity on your account.
4. Update your Aadhaar-linked mobile number via UIDAI if the old number is compromised. This requires a physical visit to an Aadhaar enrolment centre.
5. File a police complaint if financial fraud has occurred. Use the National Cyber Crime Reporting Portal at cybercrime.gov.in.

Disclaimer

This guide is for educational purposes only and does not constitute legal or cybersecurity advice. DigiLocker features, security mechanisms, and integrations change as MeitY and issuer systems evolve - verify the current state on digilocker.gov.in before relying on any specific claim here. DesiUtils is not affiliated with DigiLocker, MeitY, UIDAI, RBI, or any government body. The security assessment here reflects publicly available information as of April 2026 and should not be interpreted as an endorsement, certification, or guarantee. If your account is compromised or you suspect financial fraud, contact DigiLocker support and the National Cyber Crime Reporting Portal directly.

Sources

• DigiLocker - Official Portal (MeitY)
• DigiLocker Browse Issuers / Issuer Search - canonical surface for verifying current state-level coverage
• DigiLocker Official Blog - User statistics
• DigiLocker Developer Portal - Rules and Amendments (Rule 9A, 2016 Rules)
• Information Technology Act 2000 (updated) - IndiaCode.nic.in
• UIDAI myAadhaar Portal - address updates (where eligible), Aadhaar status check, Seva Kendra locator and appointment booking. Mobile-number update is NOT self-service - it requires Aadhaar Enrolment Centre / Seva Kendra biometric verification or the Indian Post postman service.
• UIDAI mAadhaar app overview and FAQs
• Income Tax e-Filing Portal - Link Aadhaar Status, PAN operativity check
• Ministry of Road Transport - Parivahan Portal - DL and Vehicle RC issuer coverage
• Election Commission of India - downloadable e-EPIC (where state EPIC integration with DigiLocker is pending)
• BusinessToday: RBI Authentication Mechanisms Directions 2025 (25 Sep 2025) - explainer for the payment-authentication track
• RBI: Master Direction on KYC - accepted e-documents of OVDs; PAN handled separately under PAN or Form 60 requirement
• National Cyber Crime Reporting Portal - for reporting fraud or compromise