VoidCove
Whitepaper / Technical Specification

Zero-Knowledge Cryptography

VoidCove employs a client-side encryption model to guarantee that plain-text data and encryption keys never leave the host device. This document details the cryptographic primitives and protocols utilized by the Vault API.

[Figure: Cryptographic Architecture Visualization]

1. Master Key Derivation (PBKDF2)

Upon account creation, a random 16-byte Cryptographic Salt is generated. The user's Master Password is combined with this Salt and processed using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm. We utilize exactly 600,000 iterations of HMAC-SHA256 to derive a 256-bit symmetric Master Key.

MasterKey = PBKDF2(HMAC-SHA256, Password, Salt, 600000, 256)

2. Authentication Hash

To authenticate with the VoidCove API without transmitting the derived Master Key, the client hashes the raw 256-bit Master Key using SHA-256. The resulting AuthHash is transmitted to the server as a bearer token.

AuthHash = SHA-256(MasterKey)

3. RSA Asymmetric Keypair Generation

The client generates an RSA-OAEP 2048-bit Public/Private keypair. The Private Key is immediately encrypted using the symmetric 256-bit Master Key via AES-GCM (with a 12-byte random IV). Only the encrypted Private Key and the plaintext Public Key are stored on the server.

4. Vault Item Encryption (AES-GCM)

Every individual vault item (e.g., a login credential or secure note) is assigned a randomly generated 256-bit Item Key. The item payload (JSON) is encrypted using this Item Key via AES-GCM.

To allow sharing in the future, the Item Key itself is then encrypted using the RSA Public Key of the vault owner. During decryption, the client fetches the encrypted RSA Private Key, decrypts it using the Master Key, and then uses the decrypted Private Key to decrypt the Item Key, which finally decrypts the payload.
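
The key hierarchy from sections 1 to 4, written out as an added example; it is not VoidCove's own code. It uses Node.js's built-in crypto module, and the function names, the iv || tag || ciphertext blob layout, the hex AuthHash encoding, the SPKI/PKCS#8 key encodings and SHA-256 as the OAEP hash are assumptions the specification does not state.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a random 12-byte IV. Blob layout iv || tag || ciphertext is assumed.
function gcmSeal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function gcmOpen(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// The spec does not name the OAEP hash; SHA-256 is assumed here.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sections 1-2: Master Key via PBKDF2, then AuthHash = SHA-256(MasterKey) (hex is assumed).
function deriveKeys(password, salt) {
  const masterKey = crypto.pbkdf2Sync(password, salt, 600000, 32, 'sha256');
  const authHash = crypto.createHash('sha256').update(masterKey).digest('hex');
  return { masterKey, authHash };
}
// Section 3: RSA-2048 keypair; the private key is wrapped under the Master Key.
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  const { masterKey, authHash } = deriveKeys(password, salt);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  });
  return { salt, authHash, publicKey, encPrivateKey: gcmSeal(masterKey, privateKey) };
}
// Section 4: per-item 256-bit key encrypts the JSON; RSA-OAEP wraps the item key.
function encryptItem(record, item) {
  const itemKey = crypto.randomBytes(32);
  const payload = gcmSeal(itemKey, Buffer.from(JSON.stringify(item)));
  return { payload, wrappedKey: crypto.publicEncrypt({ key: record.publicKey, ...OAEP }, itemKey) };
}
// Decryption chain: password -> Master Key -> Private Key -> Item Key -> payload.
function decryptItem(password, record, enc) {
  const { masterKey } = deriveKeys(password, record.salt);
  const der = gcmOpen(masterKey, record.encPrivateKey);
  const priv = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const itemKey = crypto.privateDecrypt({ key: priv, ...OAEP }, enc.wrappedKey);
  return JSON.parse(gcmOpen(itemKey, enc.payload).toString('utf8'));
}
```

A wrong Master Password fails at the first gcmOpen call, because the GCM tag on the wrapped Private Key does not verify under the wrongly derived key.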

The Golden Rule

Because the Master Password never leaves the client's device, and because the RSA Private Key cannot be decrypted without the Master Key, VoidCove has zero access to the plaintext of the user's vault payloads. A compromise of VoidCove's database yields mathematically useless ciphertext.