Security Model
Scope
✓ Protected
- Secrets at rest — encrypted before they touch the browser store
- Private keys — never exposed to the JavaScript heap
- Tampering — authenticated encryption detects any change
- An offline attacker who copies the encrypted store
⚠ Out of scope
- A compromised page (XSS) while the vault is unlocked
- Malicious browser extensions while the vault is unlocked
- Keyloggers or malware on your device
- Weak passwords — use a long, unique one
- Phishing and social engineering
Layers of protection
1. Key derivation
Your password is transformed into a cryptographic key using Argon2id (OWASP-recommended defaults: ~19 MiB of memory, 2 iterations). The memory-hard design makes large-scale brute-forcing expensive even on GPUs or specialized hardware.
2. Authenticated encryption
Each secret is encrypted with XChaCha20-Poly1305. The Poly1305 component verifies integrity: if someone modifies the encrypted data, decryption fails. Without the correct key, the data cannot be read, and it cannot be altered without detection.
3. Memory isolation
Cryptographic keys live in WebAssembly linear memory, which the JavaScript heap cannot read. Injected scripts and extensions therefore cannot extract the raw keys — though, while the vault is unlocked, code running in your page can still ask it to decrypt or sign (see Out of scope). On lock, the memory is overwritten with zeros (zeroize).
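The lock-time wipe and the "unlocked vault still answers requests" caveat above, as an added std-only Rust example (not this project's code). `Vault`, `wipe`, `unlock`, `with_key` and `lock` are hypothetical names, and the volatile-write loop is a stand-in for what the zeroize step does.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

// Volatile stores plus a fence keep the optimizer from dropping the wipe as dead code.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

// Hypothetical vault state: the key is a private field with no getter.
pub struct Vault {
    key: [u8; 32],
    unlocked: bool,
}

impl Vault {
    pub fn new() -> Self {
        Vault { key: [0; 32], unlocked: false }
    }
    // Copy in the derived key (e.g. Argon2id output) and wipe the caller's copy.
    pub fn unlock(&mut self, derived: &mut [u8; 32]) {
        self.key = *derived;
        wipe(&mut derived[..]);
        self.unlocked = true;
    }
    // Crypto code borrows the key in place; any caller can use it while unlocked.
    pub fn with_key<R>(&self, f: impl FnOnce(&[u8; 32]) -> R) -> Option<R> {
        if self.unlocked { Some(f(&self.key)) } else { None }
    }
    pub fn lock(&mut self) {
        wipe(&mut self.key[..]);
        self.unlocked = false;
    }
}

impl Drop for Vault {
    fn drop(&mut self) { self.lock(); }
}

fn main() {
    let mut derived = [0xA5u8; 32]; // constructed stand-in for a derived key
    let mut v = Vault::new();
    v.unlock(&mut derived);
    println!("unlocked: {:?}", v.with_key(|k| k[0]));
    v.lock();
    println!("locked: {:?}", v.with_key(|k| k[0]));
}
```

The `Drop` impl covers the case where the vault is discarded without an explicit lock.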
Libraries used
We don’t roll our own crypto. We use standard, widely-reviewed Rust crates:
- argon2 — Key derivation (Password Hashing Competition)
- chacha20poly1305 — Authenticated encryption (RFC 8439)
- ed25519-dalek — Digital signatures