Is DigiLocker Safe? Complete 2026 Guide + Upload Steps

DesiUtils Team·21 April 2026·11 min read
This article is for informational purposes only and does not constitute professional advice. Consult a qualified expert for your specific situation.

Educational content about a government digital service. Not legal or security advice. If you suspect your DigiLocker account has been compromised, contact DigiLocker support (support@digilocker.gov.in) immediately and follow UIDAI's mobile-number-change process.

Quick answer: Yes, DigiLocker is safe for storing and sharing personal documents. It uses 256-bit SSL encryption, Aadhaar OTP plus a user-set PIN for authentication, and is legally equivalent to physical documents under Rule 9A of the IT Rules 2016 (notified 8 February 2017). As of March 2026 it has 67.63 crore users and has issued over 950 crore documents without a major post-2020 incident. The main ongoing risk is SIM swap attacks on your registered mobile number - protect that number and you are covered for most threats.

This guide gives a balanced security assessment (including the 2020 vulnerability disclosures, all since patched), explains how to create and use your DigiLocker account, and covers the April 2026 RBI update that is making DigiLocker central to bank KYC. We are not affiliated with DigiLocker, MeitY, or any government body.

What is DigiLocker?

DigiLocker is a cloud-based document wallet operated by the Ministry of Electronics and Information Technology (MeitY), Government of India, as part of the Digital India initiative. It launched publicly on 1 July 2015 and lets you store, fetch, and share government-issued documents digitally.

2026 scale: 67.63 crore users (~676 million) as of March 2026, with over 950 crore documents issued or uploaded. Growth has accelerated sharply, from 51.52 crore users in March 2025 to 67.63 crore in March 2026 - a 4x expansion since 2022.

Each account gets 1 GB of free storage, with individual files capped at 10 MB. You can use it through the web portal, the official DigiLocker mobile app (iOS and Android), or integrations in other government apps like mAadhaar and IRCTC.

Is DigiLocker Safe? The Security Assessment

Short answer: yes, for most users, for most use cases. The longer answer requires looking at what security mechanisms exist, what legal protections apply, and what has gone wrong historically.

Security Mechanisms

  • 256-bit SSL encryption protects data in transit and at rest (as stated by DigiLocker).
  • Aadhaar-linked authentication via mobile OTP ensures only the document owner can log in.
  • 6-digit security PIN required after OTP login - second factor before sensitive actions.
  • Consent-based document fetch - issuer systems release documents only when you grant explicit consent, token-by-token.
  • Timed session logouts prevent abandoned sessions from staying active.
  • Digital signatures on every issued document allow third parties (banks, employers) to verify authenticity without contacting the issuer.

Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016, notified on 8 February 2017 by MeitY, establishes that documents issued through or shared from DigiLocker carry the same legal status as their physical counterparts. In practice:

  • An RTO officer checking vehicle documents must accept a driving license from DigiLocker as valid.
  • An airport must accept DigiLocker-issued boarding passes and identity documents.
  • A school or exam centre must accept mark sheets from DigiLocker as equivalent to the originals.
  • Banks and financial institutions accept DigiLocker documents for KYC, subject to RBI Master Direction conditions.

Vulnerability History (Full Disclosure)

DigiLocker had a significant batch of security vulnerabilities discovered and responsibly disclosed in May-June 2020. An independent researcher documented:

  • OTP bypass: an API endpoint that validated OTPs lacked authorization checks, allowing login as a different user if the attacker knew the victim's Aadhaar, mobile number, or username.
  • PIN reset flaw: the API endpoint used to set a user's PIN could be exploited to reset it for a random user using their UUID.
  • SSL pinning bypass: the mobile app's SSL pinning was weakly implemented and bypassable with tools like Frida.
  • SIM recycling leak: recycled deactivated mobile numbers could retain DigiLocker associations from the previous owner.

All disclosed vulnerabilities were reportedly patched within weeks. No major incidents have been publicly documented post-2020. The disclosure itself is a positive signal - it showed the responsible-disclosure pipeline works. The structural lesson: any OTP-centric authentication system inherits SIM-level vulnerabilities.
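
The OTP-bypass and PIN-reset flaws listed above belong to one class: a secret or identifier is checked without checking that the caller is entitled to act on that account. The following is an added illustration of that class beside a hardened form, not DigiLocker's code; every name, the in-memory stores and the three-attempt limit are assumptions.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a real backend (hypothetical).
USERS = {"uuid-alice": {"pin": "111111"}, "uuid-bob": {"pin": "222222"}}
PENDING = {}    # challenge_id -> {"user": uuid, "otp": str, "tries": int}
SESSIONS = {}   # session token -> uuid


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def _new_session(user_id):
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def start_login(user_id):
    """Create an OTP challenge bound server-side to one account."""
    challenge_id = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[challenge_id] = {"user": user_id, "otp": otp, "tries": 0}
    return challenge_id, otp   # OTP would be sent by SMS; returned for the demo


def verify_otp_vulnerable(claimed_user, otp):
    """Flawed: checks that the OTP is valid, not whose OTP it is."""
    if any(_eq(c["otp"], otp) for c in PENDING.values()):
        return _new_session(claimed_user)   # identity taken from the request
    return None


def verify_otp_hardened(challenge_id, otp, max_tries=3):
    """Identity comes from the stored challenge; single use, bounded guesses."""
    challenge = PENDING.get(challenge_id)
    if challenge is None:
        return None
    challenge["tries"] += 1
    ok = _eq(challenge["otp"], otp)
    if ok or challenge["tries"] >= max_tries:
        del PENDING[challenge_id]
    return _new_session(challenge["user"]) if ok else None


def set_pin_vulnerable(target_uuid, new_pin):
    """Flawed: the caller names the account whose PIN is changed."""
    USERS[target_uuid]["pin"] = new_pin
    return True


def set_pin_hardened(session_token, new_pin):
    """The account is derived from the authenticated session only."""
    user_id = SESSIONS.get(session_token)
    valid_pin = new_pin.isascii() and new_pin.isdigit() and len(new_pin) == 6
    if user_id is None or not valid_pin:
        return False
    USERS[user_id]["pin"] = new_pin
    return True
```

In the hardened functions the request never carries an account identifier, so there is nothing for a caller to substitute.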

Verdict

For most users, DigiLocker is safer than carrying original paper documents (which can be lost, stolen, damaged, or misused). It is not a zero-risk system - no consumer authentication system is. Treat it as you would a bank app: protect the registered mobile number, enable any available secondary factors, and watch for phishing.

The 4 Real Security Risks (and How to Defend)

1. SIM Swap Attacks on Registered Mobile

This is the single biggest residual risk. Attackers use social engineering to convince your telecom operator to transfer your mobile number to a SIM they control. Once they own the number, they receive your DigiLocker OTP, reset the PIN, and access your documents. Defences: enable SIM lock with a PIN at your telco, never share OTPs under any circumstance, monitor for unexpected signal loss (often the first sign of a SIM swap), and set up your telco's fraud alerts if available.

2. Phishing via Fake DigiLocker Sites and WhatsApp Links

Attackers send SMS or WhatsApp messages impersonating DigiLocker, asking you to verify or update your account via a link that leads to a fake login page. You enter your Aadhaar and OTP, and they capture both. Defences: only access DigiLocker via digilocker.gov.in directly typed into the browser, or the official app from Google Play / App Store. Never click login links from SMS or WhatsApp even if they look official.
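
The domain rule above can be applied mechanically, for instance in a mail or SMS filter. This added example (not from DigiLocker or from this guide's authors) classifies links against digilocker.gov.in, the one domain named here; treating its subdomains as official is an assumption, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "digilocker.gov.in"   # the only domain named in this guide
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Open your locker at https://digilocker.gov.in/ to view the document.",
    "KYC expires today. Verify: https://digilocker.gov.in.kyc-update.example/login.",
    "Update PIN at https://digilocker.gov.in@login.example/otp",
    "Old bookmark: http://digilocker.gov.in/",
]


def classify_link(url):
    """Return 'official', 'insecure' (right host, not HTTPS) or 'suspicious'."""
    try:
        parts = urlsplit(url)
        # .hostname drops any user@ prefix and port, and lowercases the name.
        host = (parts.hostname or "").rstrip(".")
        # Convert internationalised names to ASCII so look-alike characters
        # cannot compare equal to the official host.
        host = host.encode("idna").decode("ascii")
    except ValueError:                 # also covers UnicodeError
        return "suspicious"
    # Assumption: subdomains of the official host belong to the same operator.
    on_official = host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)
    if not on_official:
        return "suspicious"
    return "official" if parts.scheme == "https" else "insecure"


def scan_message(text):
    """Extract every link in a message and classify it."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")    # drop trailing sentence punctuation
        results.append((url, classify_link(url)))
    return results


if __name__ == "__main__":
    for message in SAMPLES:
        print(scan_message(message))
```

The comparison is on the parsed hostname, not on whether the official name appears somewhere in the link text, which is the property the second and third samples rely on.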

3. Compromised or Shared Device

Malware on your phone or laptop can capture your DigiLocker PIN or session tokens. So can shoulder-surfing in a public place or someone using your unlocked device. Defences: use device lock (PIN / biometric), log out of DigiLocker on shared devices, avoid logging in on public Wi-Fi without a VPN, and keep your OS and apps updated.

4. Over-Sharing via Consented Fetch

Third parties can request specific documents from your DigiLocker, and you must grant consent before the document is released. Attackers can mimic this flow with a fake consent request that redirects to their system. Defences: read every consent screen carefully before approving - check the exact requester name and what document is being requested. Revoke access to apps you no longer use from the DigiLocker settings.

How to Create a DigiLocker Account (Step-by-Step)

You need an active mobile number linked to your Aadhaar (required for the OTP flow). The account is free and takes about 3 minutes to set up.

  1. Visit digilocker.gov.in or download the official DigiLocker app from Google Play Store or Apple App Store.
  2. Click "Sign Up" and enter your mobile number (or Aadhaar number). You will receive a 6-digit OTP on the Aadhaar-registered mobile.
  3. Enter the OTP to verify your mobile number. Set a 6-digit PIN - you will use this for every sensitive action going forward. Do not reuse your bank PIN.
  4. Complete your profile with your Aadhaar number (optional for basic account, required for fetching documents). DigiLocker will validate your Aadhaar via UIDAI.
  5. Verify Aadhaar via the OTP sent to your registered mobile. Your account is now ready to use.

Username note: the system auto-generates a username based on your name. You can change it once in account settings. Keep it simple but not easily guessable.

How to Upload Documents in DigiLocker (3 Methods)

Documents in DigiLocker come in two flavours: Issued Documents (fetched digitally from the government issuer, fully verifiable) and Uploaded Documents (scanned or photographed legacy documents you upload yourself). Method matters - issued documents carry full Rule 9A legal equivalence; uploaded documents do not have the same digital signature.

Method 1: Manual Upload (for Legacy or Non-Issued Documents)

Use this for documents DigiLocker does not yet fetch from the issuer (old certificates, property papers, personal records). These occupy your 1 GB quota.

  1. Log in to DigiLocker and go to the "Uploaded Documents" section.
  2. Click "Upload". Select the file from your device. File size limit: 10 MB per file. Supported: PDF, JPG, PNG.
  3. Enter the document name, type (from dropdown), and issuing authority.
  4. Click "Save". The file is stored encrypted in your account.

Tip: for scanned documents, keep the PDF quality reasonable (300 DPI is enough for text, 150 DPI for general viewing). A 2 MB PDF is usually cleaner than a 9 MB one and faster to share.

Method 2: Fetch from Issuer (Recommended Where Available)

This is the preferred method. The document is pulled directly from the source (CBSE, Income Tax Department, Parivahan, etc.) with full digital signature and Rule 9A legal equivalence. It does not count towards your 1 GB quota.

  1. Go to the "Issued Documents" section.
  2. Click "Get Issued Documents" and search for the document type (e.g., "Driving License", "PAN Card", "Class 10 Certificate").
  3. Select your state and issuing authority. Enter the required identifiers (DL number, PAN, roll number, etc.).
  4. Grant consent - DigiLocker requests the document from the issuer's system, which verifies and returns it with a digital signature.
  5. The document appears in your Issued Documents list, ready to view, download, or share.

Commonly fetchable documents include Aadhaar (UIDAI), PAN Card (Income Tax Department), Driving License and Vehicle RC (Ministry of Road Transport / Parivahan), Passport (from 2023 onwards), Class 10 and 12 mark sheets and certificates (CBSE, CISCE, state boards), and insurance policies (IRDAI).

Method 3: Share a Document with a Third Party

  1. Open the document you want to share.
  2. Click "Share". Choose between a shareable link (time-limited, password-protected) or direct email.
  3. The recipient receives a link. They can verify the document's digital signature against DigiLocker's verification service.
  4. You can revoke the share anytime from the document's sharing history.

What Documents Can You Store in DigiLocker?

DigiLocker integrates with hundreds of government and private issuers. These are the most commonly used:

Document Type | Issuer | Fetchable?
Aadhaar | UIDAI | Yes
PAN Card | Income Tax Department | Yes
Driving License | Ministry of Road Transport (Parivahan) | Yes
Vehicle RC | Ministry of Road Transport (Parivahan) | Yes
Passport | Ministry of External Affairs | Yes (from 2023)
Class 10/12 Marksheet | CBSE, CISCE, state boards | Yes
University Degree / Certificate | Participating universities via NAD | Yes (many)
Voter ID (EPIC) | Election Commission of India | Partial rollout
Insurance Policy | IRDAI-registered insurers | Yes (many)
Bank Statement | Participating banks (Kotak, ICICI, HDFC) | Partial
Ration Card | State food and civil supplies departments | Partial rollout
Property Documents, Old Certificates | Upload yourself | Manual upload only

April 1, 2026 Update: RBI Bank KYC Mandate

The Reserve Bank of India issued the "Authentication Mechanisms for Digital Payment Transactions Directions, 2025" on 25 September 2025, with an effective date of 1 April 2026. The directions push banks to use DigiLocker for verifying high-risk transactions as part of a broader risk-based authentication framework.

What changes for you as an account holder:

  • Familiar devices and locations pass through low-friction authentication (usually the regular OTP or biometric).
  • High-risk transactions - unusual amounts, new merchants, unfamiliar devices or locations, out-of-pattern spending - can trigger additional verification, including DigiLocker-based document check.
  • Issuer liability: if a fraudulent transaction succeeds because the issuer (your bank) failed to implement adequate authentication, the bank must fully compensate you. This materially shifts the incentive for banks to do authentication well.
  • KYC compliance deadlines: low-risk customers have until 30 June 2026 or one year from their KYC due date (whichever is later) to update. Banks were required to complete IT systems and training by 1 January 2026.

Combined with the separate 12 June 2025 KYC Master Direction amendments and the November 2025 consolidation (where RBI repealed the 2016 Master Direction and replaced it with 10 new Master Directions), DigiLocker is now a core piece of India's financial identity infrastructure. Getting a DigiLocker account set up properly now is worth the 3 minutes.

DigiLocker vs Physical Documents (Comparison)

Dimension | DigiLocker | Physical Documents
Legal validity | Full (Rule 9A, 2017) | Full
Loss / damage risk | Negligible (cloud-stored, replicated) | High (fire, water, theft)
Tampering risk | Low (digital signature verifies authenticity) | High (photocopy fraud common)
Sharing speed | Seconds (link share) | Minutes to days (courier, hand delivery)
Single-point failure | Lost mobile + SIM (recoverable) | House fire destroys all
Account compromise | Requires SIM + PIN (2-factor) | Anyone who physically has the document
Offline access | Requires internet; app caches recently-viewed docs | Always available offline
Cost | Free up to 1 GB | Printing, storage, replacement fees

What to Do If Your DigiLocker Is Compromised

If you suspect your DigiLocker account has been accessed without your permission - unexpected OTP SMS messages, missing sessions, or sharing activity you did not initiate - act fast:

  1. Change your DigiLocker PIN immediately from account settings if you still have access.
  2. Contact your telecom operator to confirm no SIM swap has occurred. If it has, restore your number and report the fraud.
  3. Contact DigiLocker support at support@digilocker.gov.in or call their helpline. Request a security review of recent activity on your account.
  4. Update your Aadhaar-linked mobile number via UIDAI if the old number is compromised. This requires a physical visit to an Aadhaar enrolment centre.
  5. File a police complaint if financial fraud has occurred. Use the National Cyber Crime Reporting Portal at cybercrime.gov.in.

Disclaimer

This guide is for educational purposes only and does not constitute legal or cybersecurity advice. DigiLocker features, security mechanisms, and integrations change as MeitY and issuer systems evolve - verify the current state on digilocker.gov.in before relying on any specific claim here. DesiUtils is not affiliated with DigiLocker, MeitY, UIDAI, RBI, or any government body. The security assessment here reflects publicly available information as of April 2026 and should not be interpreted as an endorsement, certification, or guarantee. If your account is compromised or you suspect financial fraud, contact DigiLocker support and the National Cyber Crime Reporting Portal directly.

Frequently Asked Questions

Is DigiLocker safe to use in 2026?
Yes, DigiLocker is safe for storing and sharing personal documents for most users. It uses 256-bit SSL encryption, Aadhaar OTP plus a user-set PIN for authentication, and documents are legally equivalent to physical originals under Rule 9A of the IT Rules 2016 (notified 8 February 2017). As of March 2026 it has 67.63 crore users with over 950 crore documents issued and no major post-2020 incident. The main residual risk is SIM swap attacks on the registered mobile number - protect that number and you are covered for most threats.
What is DigiLocker and who runs it?
DigiLocker is a cloud-based document wallet operated by the Ministry of Electronics and Information Technology (MeitY), Government of India, as part of the Digital India initiative. It launched publicly on 1 July 2015 and lets users store, fetch, and share government-issued documents digitally. It is not a private company service and is free to use.
How do I upload documents in DigiLocker?
There are two ways. For legacy or non-issued documents, go to the Uploaded Documents section, click Upload, select a file (max 10 MB, PDF or JPG or PNG), enter the document name and type, and save. For government-issued documents like PAN, Aadhaar, driving license, or school certificates, use the Issued Documents section and Get Issued Documents - DigiLocker fetches the document directly from the issuer with full digital signature, and it does not count towards your 1 GB quota.
How do I create a DigiLocker account?
Visit digilocker.gov.in or download the official app. Click Sign Up, enter your Aadhaar-registered mobile number, and verify with the OTP received. Set a 6-digit PIN (do not reuse your bank PIN). Link your Aadhaar for full functionality and verify via UIDAI OTP. The whole process takes about 3 minutes.
Are DigiLocker documents legally valid?
Yes. Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016, notified 8 February 2017 by MeitY, establishes that documents issued through or shared from DigiLocker carry the same legal status as their physical counterparts. RTOs, airports, schools, banks, and government offices are legally required to accept DigiLocker documents as valid.
What is the maximum storage in DigiLocker?
Each account gets 1 GB of free cloud storage for uploaded legacy documents. Individual file size is capped at 10 MB. Issued Documents (fetched directly from government sources) do not count against this quota - they are stored as verified references rather than files.
Can banks accept DigiLocker documents for KYC?
Yes. RBI guidelines permit DigiLocker-issued Official Valid Documents (OVDs) like PAN, Aadhaar, driving license, and passport for KYC. The RBI Authentication Mechanisms for Digital Payment Transactions Directions 2025 (issued 25 September 2025, effective 1 April 2026) make DigiLocker central to high-risk bank transaction verification, and the June 2025 KYC Master Direction amendments formalise DigiLocker-fetched documents as valid KYC proof.
What happens if I lose the mobile number linked to DigiLocker?
First, update your Aadhaar-linked mobile number at the nearest UIDAI Aadhaar enrolment centre - this requires a physical visit. Then log in to DigiLocker with your new Aadhaar OTP flow. If you suspect the old number was fraudulently transferred to someone else (SIM swap), contact DigiLocker support at support@digilocker.gov.in immediately and file a complaint at cybercrime.gov.in. Do not delay - attackers with your old number can request OTPs and potentially reset your PIN.
Can I delete a DigiLocker account?
Yes, account deletion is available from your account settings under Deactivate Account. Deletion is permanent and cannot be reversed. Before deleting, download any uploaded documents you want to keep. Issued Documents will no longer be accessible through DigiLocker, but the originals with the issuing authority remain intact.
What is the difference between DigiLocker and mAadhaar?
mAadhaar is the UIDAI official app specifically for Aadhaar-related services: download masked or full Aadhaar, generate Virtual IDs, manage Aadhaar locking, and access Aadhaar history. DigiLocker is a broader document wallet for all government and participating private documents (PAN, driving license, passport, mark sheets, insurance, and more), operated by MeitY. mAadhaar is Aadhaar-only; DigiLocker is everything-else plus Aadhaar. Both integrate - you can access Aadhaar from DigiLocker and vice versa.