Security model
Zero-knowledge by design.
The short version
Your master password never leaves your device. We store only encrypted blobs. We literally can't read your passwords.
If our servers are stolen tomorrow, the attacker gets ciphertext — billions of years of brute force away from anything readable.
You hold the key
Encryption happens in your browser or on your phone, not our servers. The master password is the only thing that can unlock your safe, and it never leaves the device you typed it on.
We see scrambled text
DynamoDB stores AES-256-GCM ciphertext. Without your key, every byte is random — a server breach reveals nothing useful.
We can't help with recovery
Forgotten master passwords are unrecoverable. That's a feature, not a bug — it's the property that makes the rest of the system trustworthy.
How the crypto actually works
When you create your safe, your master password is fed through PBKDF2-HMAC-SHA256 with 600,000 iterations. The salt mixes your email address and a per-vault random value so two users with the same password produce different derived keys.
The derived key encrypts your vault contents with AES-256-GCM — authenticated encryption, so tampering with ciphertext is detected, not silently decrypted into garbage.
For server authentication we use OPAQUE-3DH, a password-authenticated key exchange. The server never sees your master password — not at registration, not at login. Even a malicious server can't learn it.
Org-event metadata wraps an asymmetric X25519 key per organisation, so admin views of member activity are end-to-end encrypted to the admin — not readable by us.
Audit details: We publish our algorithm choices, parameters, and key-derivation flow so independent reviewers can audit them.
Threat model
| Threat | Status | Detail |
|---|---|---|
| Compromised server database | Safe | Only ciphertext stored. Master key never reaches the server. |
| TLS MITM with stolen session JWT | Safe | Vault remains encrypted; the server cannot decrypt it either. |
| Phished master password | Exposed | No system can defend against a user revealing their password. |
| Compromised device (unlocked) | Exposed | While the safe is open, decrypted contents are in memory. |
| Lost master password | Unrecoverable | By design — there is no recovery path through us. |
Reporting a security issue
Email support@milcreto.com with the subject [security]. We respond within three business days. Please don't open public issues for vulnerabilities.