How SafeLane keeps your passwords safe
SafeLane uses end-to-end encryption: the keys that decrypt your vault never leave your device. SafeLane's own servers store only encrypted ciphertext. Even a complete server compromise leaves your vault unreadable.
The key hierarchy
When you sign up, you choose a master passphrase. SafeLane never sees it.
- Your browser runs Argon2id (a memory-hard password-stretching algorithm) over your passphrase with a 32-byte random salt. This is intentionally slow (about 250 ms) to defeat offline brute-force attacks.
- The output is split into two 32-byte keys: an auth key (sent to the server as the Supabase Auth password, which Supabase re-hashes with bcrypt before storing) and a KEK (Key Encryption Key — never leaves your device).
- On signup, your browser generates a random 32-byte DEK (Data Encryption Key) and wraps (encrypts) it with your KEK using AES-256-GCM. The wrapped DEK is stored on SafeLane's servers — but only you can unwrap it.
- Every password item is encrypted with the DEK before it leaves your browser. The server stores opaque ciphertext.
What the server can see
- Your email (you gave it to sign up)
- The KDF parameters and salt (needed to reproduce derivation on a new device)
- The wrapped DEK (useless without your master passphrase)
- Encrypted item blobs and their sizes
- Creation and update timestamps
What the server cannot see
- Your master passphrase
- The unwrapped DEK
- The plaintext of any item — including item names and URLs
Threat model
SafeLane is designed to defeat:
- Server compromise. An attacker with full database access still sees only ciphertext.
- Network interception. All communication uses TLS, and item-level encryption means even a broken TLS handshake leaks only ciphertext.
- Stolen device. The device caches an unlock token briefly; SafeLane locks automatically after inactivity.
- Account hijack. Countered with 2FA, suspicious-login email alerts, and per-device session monitoring.
SafeLane does not protect against:
- Malware on your unlocked device. No password manager defends against this — keep your machines clean.
- A rubberhose attacker who can compel you to reveal your passphrase.
- A forgotten master passphrase. There is no recovery. Write it down.
Cryptographic choices
- KDF: Argon2id, OWASP-2023 parameters (t=3, m=64 MiB, p=4). Stored per-user so we can raise them over time.
- Symmetric encryption: AES-256-GCM with random 96-bit IVs per encryption. 128-bit auth tag.
- Randomness: Browser's WebCrypto getRandomValues (CSPRNG sourced from the OS).
- Envelope format: Versioned, so we can migrate to new primitives later without breaking existing data.
Independent audits
SafeLane commissions an annual third-party security audit. Reports will be published here once available.