Security Model
Core principles
Section titled “Core principles”- Client-side encryption for sensitive credential values.
- Passphrase never transmitted as plaintext to backend services.
- Database stores encrypted blobs and vault metadata.
- In-memory vault keying with lock/unlock lifecycle.
Vault formats
Section titled “Vault formats”New format (preferred)
Section titled “New format (preferred)”vault_config.raw_dek: base64-encoded data encryption key material.vault_config.bcrypt_hash: passphrase verifier.- Unlock sequence: bcrypt verify passphrase -> import DEK -> enable decrypt operations.
Legacy format (compatibility)
Section titled “Legacy format (compatibility)”vault_config.wrapped_dekremains supported.- Unlock sequence derives KEK from passphrase and unwraps DEK.
Locking
Section titled “Locking”- Manual and automatic locking supported.
- Auto-lock defaults to 15 minutes of inactivity.
- Locking removes active key references from runtime state.
Browser-side protections
Section titled “Browser-side protections”- CSP is configured through
ContentSecurityPolicy.tswith environment-dependent policy variants. - Security event logging tracks unlock failures, decrypt errors, and suspicious patterns.
Threat boundaries
Section titled “Threat boundaries”Keyper protects strongly against database disclosure and passive network interception of stored secrets. Like all browser apps, it still depends on endpoint/browser integrity during active sessions.
Multi-user boundaries
Section titled “Multi-user boundaries”- Each username maps to an independent vault context (
vault_config.user_id) with separate key material. - Self-service registration creates new vault metadata without introducing privileged/admin access paths.
- User switching changes context only; it does not grant access until that user’s passphrase is verified.
- Emergency passphrase reset remains self-service and scoped to the selected user’s
bcrypt_hashrecord.