Argon2id
Key derivation
Winner of the Password Hashing Competition. Memory-hard function making GPU and ASIC brute-force attacks economically infeasible.
- 64MB memory cost
- 3 iterations, 4 parallelism
- ASIC-resistant by design
Every layer of the vault is built on battle-tested, open-standard cryptographic primitives. No proprietary algorithms, no security through obscurity.
Vault encryption
Extended-nonce AEAD stream cipher. Immune to timing attacks, nonce-misuse resistant, and faster than AES-GCM without hardware acceleration.
Sync protocol
Deterministic key derivation using HMAC-based Extract-and-Expand. Sync keys are mathematically isolated from vault keys.
Nonce strategy
Every vault write generates a cryptographically random 24-byte nonce, entirely preventing collision attacks across billions of operations.
Derived 256-bit keys encrypt the vault using XChaCha20-Poly1305. The 24-byte nonce is freshly randomized on every local vault sync action, entirely preventing collision attacks. All cryptographic operations use Go's golang.org/x/crypto library - no custom implementations.
A single master password deterministically generates all encryption keys through a strict, one-way derivation chain. No key is ever stored - they are regenerated on demand.
User-provided passphrase. Never stored on disk, never transmitted. Zeroed from memory immediately after derivation.
Memory-hard function transforms the password into a 256-bit key. 64MB memory, 3 iterations, 4 parallelism. ASIC-resistant.
256-bit symmetric key encrypts and decrypts the local vault file via XChaCha20-Poly1305 AEAD. Never persisted.
Derives a mathematically isolated sync key from the vault key using context-bound HMAC Extract-and-Expand.
Encrypts the vault blob before upload. The sync server only ever sees opaque, encrypted binary data.
What the server can see, what it can't, and what is physically impossible to access - even with full infrastructure compromise.
Available strictly for account ID metadata (via OAuth)
Encrypted payload accessible to sync servers - opaque binary data
Never leaves local execution. Zeroed from memory after derivation.
Local-only deterministic generation. Invisible to any server.
Nested within AEAD-encrypted vault buffers. Physically inaccessible.
Every known attack vector, mapped to its operational mitigation. If you find a gap, we want to hear about it.
| Threat Vector | Operational Mitigation |
|---|---|
| Disk theft | Vault is encrypted via Argon2id + XChaCha20-Poly1305. Physical data is cryptographically opaque without brute-forcing memory-hard key derivation. |
| Network node capture | Zero-knowledge architecture. Captured infrastructure contains exclusively encrypted binary blobs with no decryption capability. |
| Memory swap leak | Key memory pages locked with unix.Mlock(). Daemon actively zeroes all sensitive memory regions upon shutdown or lock. |
| Socket interception | Daemon socket permissions strictly enforced at 0600 with owner-only access. No remote socket exposure. |
| MITM on TLS sync | Forced TLS 1.3 transit with secondary vault-level encryption. Dual-layer protection makes MITM cryptographically useless. |
| Brute force attack | Argon2id parameters (64MB, 3 iterations) make each guess cost ~300ms. Rate limiting strictly enforced server-side. |
| File corruption | Atomic write logic (tmp + fsync + rename) ensures vault integrity. Write failures never corrupt existing vault state. |
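
The tmp + fsync + rename sequence named in the File corruption row, written out in Go as an added example; it is not code from the Forged source. The function name `WriteVaultAtomic`, the temp-file name pattern and the final directory fsync are assumptions of this example, and the payload in `main` is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// WriteVaultAtomic replaces path with data via tmp + fsync + rename.
// Hypothetical helper for this example; not taken from the Forged source.
func WriteVaultAtomic(path string, data []byte) (err error) {
	dir := filepath.Dir(path)
	// Same directory means same filesystem, so the rename is atomic.
	// os.CreateTemp creates the file with mode 0600 (owner-only).
	tmp, err := os.CreateTemp(dir, ".vault-*.tmp")
	if err != nil {
		return fmt.Errorf("create temp: %w", err)
	}
	defer func() {
		if err != nil { // any failure: drop the temp file, old vault untouched
			tmp.Close()
			os.Remove(tmp.Name())
		}
	}()
	if _, err = tmp.Write(data); err != nil {
		return fmt.Errorf("write: %w", err)
	}
	if err = tmp.Sync(); err != nil { // data on disk before it becomes visible
		return fmt.Errorf("fsync file: %w", err)
	}
	if err = tmp.Close(); err != nil {
		return fmt.Errorf("close: %w", err)
	}
	if err = os.Rename(tmp.Name(), path); err != nil { // atomic swap
		return fmt.Errorf("rename: %w", err)
	}
	d, err := os.Open(dir)
	if err != nil {
		return fmt.Errorf("open dir: %w", err)
	}
	defer d.Close()
	return d.Sync() // persist the rename itself (POSIX behaviour, assumed)
}

func main() {
	if err := WriteVaultAtomic(filepath.Join(os.TempDir(), "vault-demo.bin"), []byte("constructed ciphertext")); err != nil {
		panic(err)
	}
}
```

A reader of the vault file sees either the complete old contents or the complete new contents, never a partial write, because the only step that touches the live path is the rename.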
The entire Forged core is open source. Every cryptographic implementation, every daemon operation, every vault interaction - fully inspectable.