Security Model
FyVault is built around zero-knowledge encryption, multi-factor authentication, and a transparent threat model.
Zero-Knowledge Encryption
FyVault uses client-side encryption. Your secrets are encrypted in the browser before they leave your machine.
How it works
- 1You set a vault passphrase (separate from your login password)
- 2Your browser derives an AES-256 encryption key using industry-standard key derivation
- 3Each secret is encrypted with AES-256 encryption before leaving your browser
- 4Only the ciphertext is sent to the server
- 5The server stores opaque blobs it cannot decrypt
What the FyVault server sees:
DKj3mR1x9QbN7Hf2kL5pW8vE... (ciphertext — useless without your passphrase)Two-Factor Authentication
Enable TOTP-based 2FA with any authenticator app (Google Authenticator, Authy, 1Password).
After enabling 2FA:
- Login requires password + 6-digit code
- Viewing secrets requires re-authentication (sudo mode)
- 8 one-time recovery codes provided for backup
Hardware Security Keys (WebAuthn)
Register FIDO2 security keys (YubiKey, device biometric) for passwordless login. WebAuthn provides phishing-resistant authentication tied to the origin domain.
Sudo Mode
Sensitive actions (decrypt, update, delete secrets) require re-authentication — similar to GitHub's sudo mode. You must enter your TOTP code or password again, even if you're already logged in.
Threat Model
| Threat | Protected? |
|---|---|
| Network sniffer | YesTLS in transit. Post-injection, real credential exists inside TLS stream. |
| Compromised FyVault cloud | YesServer stores only ciphertext. Cannot decrypt without vault passphrase. |
| FyVault staff / insiders | YesZero-knowledge between client and server. Frontend integrity is the trust boundary. |
| Stolen session token | YesSession binding and multi-factor authentication required. |
| Malicious npm package | YesCannot read process.env or .env files. If package achieves root escalation, protections degrade. |
| Root access on server | PartialNot in .env or process memory. Root with kernel access (ptrace, /dev/mem) can still extract. Assumes kernel integrity. |
| Compromised frontend JS | NoSupply chain attack on frontend can capture vault passphrase at input time. |
| Stolen vault passphrase | PartialAdditional auth layers (2FA, sudo mode) still required for access. |
| Full device compromise | NoRoot + kernel access = game over. Same as any system. |
Audit Trail
Every action is logged with:
Who
User email
What
Action type
When
Timestamp
Where
IP address, user agent
What changed
Resource type, resource ID
Security Tiers
FyVault automatically detects the security capabilities of each device at boot time. No configuration required — the agent inspects the hardware and reports the appropriate tier.
Standard VM / Bare Metal
Secrets are stored in the Linux kernel keyring, invisible to application-layer processes. Protected from .env file leaks, environment variable dumping, and unauthorized process access. Requires kernel integrity (secure boot recommended).
AMD SEV-SNP / Intel TDX
Memory encryption at the hardware level. The hypervisor and cloud provider cannot read VM memory. Secrets in the kernel keyring are protected even from a compromised hypervisor. Detected automatically via /dev/sev-guest or /dev/tdx_guest.
AWS Nitro Enclaves
Isolated compute environment with no persistent storage, no network access, and no operator shell. The parent EC2 instance cannot inspect enclave memory. Hardware-signed attestation documents prove code identity to the FyVault cloud before secrets are released. Detected via /dev/nsm (Nitro Security Module).
The detected security tier is visible on each device in the dashboard and is logged in the audit trail at every boot event.
Honest Limitations
FyVault is not magic. Here's what we don't protect against:
Root with kernel access
If an attacker has root AND can interact with the kernel (load modules, ptrace the agent, read /dev/mem), they can extract secrets. FyVault assumes kernel integrity. On hardened systems (secure boot, SELinux, locked modules), this is significantly harder but not impossible.
Compromised frontend
Zero-knowledge encryption depends on frontend code integrity. If an attacker compromises the JavaScript (supply chain attack, XSS), they can capture the vault passphrase at input time. Mitigations: strict CSP, subresource integrity, self-hosted builds.
Secrets in transit
After injection, secrets exist momentarily in agent memory, network packets (inside TLS), and kernel keyring memory. They are never on disk or in application env vars, but they DO exist in volatile memory.
Complexity risk
FyVault combines browser crypto, cloud storage, kernel isolation, and network-layer injection. Complex systems are harder to audit than simple ones. We recommend third-party security audits before production deployment.
The real guarantee
FyVault ensures secrets are never persistently accessible to application-layer processes. It raises the cost of attack from "read a .env file" to "compromise the kernel" — a massive improvement in security posture, but not absolute protection.
Security Whitepaper
For detailed cryptographic architecture, key management design, and penetration test results, request our Security Whitepaper. Available for enterprise customers and security auditors.
Request Security Whitepaper →