AES-GCM 256-bit Encryption
Every vault entry is encrypted using AES-GCM with a 256-bit key before it is ever written to storage. AES-GCM provides both confidentiality and authenticity; any tampering with the ciphertext causes decryption to fail cleanly.
PBKDF2 Key Derivation
Your master password is never used directly as an encryption key. PBKDF2-SHA256 with 210,000 iterations and a random 16-byte salt is used to derive a strong key. This makes brute-force attacks computationally expensive.
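The scheme described under "AES-GCM 256-bit Encryption" and "PBKDF2 Key Derivation" can be sketched with the Web Crypto API as follows. This is an added example, not Privacy Vault's own code: the 12-byte IV, the per-record salt, the record layout and all function names are assumptions; only the algorithm names, iteration count, salt size and key size come from the text above.

```javascript
// Added example. From the page: PBKDF2-SHA256, 210,000 iterations, 16-byte salt,
// AES-GCM with a 256-bit key. Assumed: 12-byte IV, record layout, function names.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node fallback
const enc = new TextEncoder(), dec = new TextDecoder();
const ITERATIONS = 210000;

// Stretch the master password into a non-extractable AES-GCM key.
async function deriveKey(masterPassword, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt one entry. Salt and IV are not secret and are stored with the ciphertext.
// (Deriving per record keeps the demo short; a vault would derive once per unlock.)
async function encryptEntry(masterPassword, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // never reuse an IV under one key
  const key = await deriveKey(masterPassword, salt);
  const ct = await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) }; // ciphertext ends with the 16-byte tag
}

// Returns the plaintext, or null when the GCM tag fails to verify
// (wrong master password or modified record). No partial plaintext is released.
async function decryptEntry(masterPassword, record) {
  const key = await deriveKey(masterPassword, record.salt);
  try {
    return dec.decode(await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: record.iv }, key, record.ciphertext));
  } catch (e) {
    if (e.name !== "OperationError") throw e; // only swallow authentication failures
    return null;
  }
}

// Constructed demo input: round trip, wrong password, and one flipped ciphertext bit.
async function demo() {
  const record = await encryptEntry("correct horse battery staple", "example.org:hunter2");
  const tampered = { ...record, ciphertext: Uint8Array.from(record.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  return {
    ok: await decryptEntry("correct horse battery staple", record),
    wrongPassword: await decryptEntry("guess", record),
    tampered: await decryptEntry("correct horse battery staple", tampered),
  };
}
```

A wrong password and a tampered record are indistinguishable to the caller: both surface as a failed tag check, which is why the function returns a single null result for either case.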
IndexedDB Local Storage
Encrypted vault data lives in your browser's IndexedDB, a sandboxed local database. Other websites cannot access it. When you close the browser, it remains encrypted at rest on your disk.
Auto-Lock After Inactivity
The decrypted vault is kept only in memory. After 5 minutes of inactivity, the vault is automatically wiped from memory. Your master password is never stored, not in localStorage, cookies, or anywhere else.
Encrypted Portable Backups
Exported backup files use the same AES-GCM encryption. The file is useless without your master password. Even if someone intercepts or steals the backup file, they cannot read it.
Zero Server-Side Access
All cryptographic operations happen in your browser using the native Web Crypto API. We never receive your passwords, master password, or any vault data. This is an architectural guarantee, not a policy promise.
Threat Model
Privacy Vault is designed to protect against the following threats:
- Compromised server / supply chain attack: Since no vault data is ever sent to a server, a server breach exposes zero user credentials.
- Passive network eavesdropping: Vault data never travels over the network. No interception is possible.
- Stolen device with browser data: Vault data in IndexedDB is AES-GCM encrypted with a key derived from your master password. Without the master password, the data is unreadable.
- Session hijacking: The decrypted vault exists only in memory and is wiped on lock/auto-lock. Session tokens are not used.
Known Limitations
- Malicious browser extensions: A compromised browser extension with full page access could potentially read decrypted passwords while the vault is unlocked. Use a clean browser profile and audit your extensions.
- Keyloggers: A keylogger on your OS could capture your master password. This is outside the scope of any browser-based application.
- Forgotten master password: Because we never store your master password, there is no recovery mechanism. Losing it means losing access to the vault.
- Weak master password: The PBKDF2 hardening adds cost to brute-force attacks, but a very weak master password can still be compromised. Use a strong, unique master password.
Responsible Disclosure
Found a security issue? Please report it privately via GitHub or through net2coder.in. We take security reports seriously and will respond promptly.