Security Architecture

All encryption and decryption operations occur entirely within your browser utilizing the native Web Crypto API. The server only receives and stores the resulting ciphertext blocks.

• Algorithm: AES-256 in Galois/Counter Mode (GCM).
• Key Derivation: PBKDF2 with SHA-256 is used to derive a vault key from your Master Password and a user-specific salt.
• Authentication: GCM provides authenticated encryption, ensuring that ciphertexts cannot be tampered with without immediate detection upon decryption.

Vaultr employs a strict separation of concerns for user authentication versus data encryption.

Logging into the application utilizes standard session tokens (HTTP-only cookies), while unlocking your vault localizes the derived encryption key strictly to application memory. The master key is never persisted to localStorage or session cookies, mitigating cross-site scripting (XSS) extraction risks.

The backend is built with Next.js App Router and Prisma, providing inherent protections against common web vulnerabilities.

• Injection Prevention: Prisma ORM prevents SQL injection on all database queries.
• Rate Limiting: Redis caching is utilized across authentication endpoints to throttle sequential failed attempts.
• Validation: Strict Zod schemas mandate exact payloads, dropping unrecognized or malformed data before database insertion.