Security Model

Forged is built on zero-knowledge architecture. Your master password and private keys never leave your machine. The sync server stores only opaque encrypted blobs it cannot read.

Encryption

Key Derivation

Argon2id (64MB memory, 3 iterations, 4 threads)

Vault Encryption

XChaCha20-Poly1305 (256-bit key, 24-byte nonce)

Sync Encryption

HKDF-SHA256 derived sync key + XChaCha20-Poly1305

Nonce Strategy

Random 24-byte per write (no reuse risk)

Your master password is processed through Argon2id, a memory-hard key derivation function that resists GPU and ASIC attacks. The derived 256-bit key encrypts the vault using XChaCha20-Poly1305, the same AEAD cipher used by WireGuard and age. The 24-byte nonce is randomly generated on every write, eliminating nonce-reuse risk even across synced devices.

Key Hierarchy

Master Password

Argon2id (salt_A)

Vault Key (256-bit)

|-- Encrypts local vault file

HKDF-SHA256 (context: "forged-sync")

Sync Key

+-- Encrypts vault blob for cloud upload

The server authenticates you via OAuth (Google/GitHub) but has no access to the vault key. Authentication and encryption are completely separate concerns.

What the Server Sees

Your email

Yes, for account identity (via OAuth)

Your encrypted vault

Yes, as an opaque blob it cannot decrypt

Your master password

Never. It never leaves your machine.

Your vault encryption key

Never. Derived locally from master password.

Your private SSH keys

Never. Encrypted inside the vault blob.

Threat Model

Threat	Mitigation
Disk theft / lost laptop	Vault encrypted with Argon2id + XChaCha20-Poly1305. Without master password, vault is opaque bytes.
Server compromise	Zero-knowledge. Server stores only encrypted blobs. No plaintext keys ever leave the client.
Memory dump / swap	Key memory pages locked with mlock(). Daemon zeroes key material on shutdown.
Agent socket snooping	Socket file permissions set to 0600. Only the owning user can connect.
MITM on sync	TLS for transport. Vault payload independently encrypted with client-side key. Double encryption.
Master password brute force	Argon2id with high parameters (64MB memory, 3 iterations). Rate limiting on cloud login.
Rogue device	New device registration requires approval from an existing device.
Vault corruption	Atomic writes (tmp + fsync + rename). File locking prevents concurrent access.

Memory Safety

Private keys are held in memory pages locked with mlock() to prevent swapping to disk. On shutdown, all key material is explicitly zeroed.

Known limitation:Go's garbage collector may copy heap objects before they are zeroed. We mitigate with mlock and best-effort zeroing. For production-grade mitigation, memguard or mmap-based allocation outside the Go heap is planned for a future release.

Open Source

Forged is source-available. Every line of code is auditable. The encryption implementation uses well-established Go standard library and golang.org/x/crypto packages, not custom cryptography.

View source on GitHub