

🔐 SecurePass Vault Whitepaper
Overview
SecurePass Vault is an end-to-end encrypted password and product key manager that ensures only you can access your sensitive data. We use modern cryptography, secure authentication protocols, and zero-knowledge principles to protect your credentials — even we cannot read them.
Secure Authentication
Our authentication mechanism is powered by scrypt hashing. This means:
- Your password is never sent to the server — just the hash.
- We store a one-time cryptographic hash generated from your password and a random salt.
- Login proves you know your password without revealing it.
- No attacker (not even us) can reverse-engineer your password from the hash.
Encryption
After authentication, we derive a strong encryption key from your password and salt using scrypt in the browser.
- Passwords, product keys, note content, and API keys are encrypted in the browser before being sent to the server.
- We use AES-256-GCM for symmetric encryption, ensuring both confidentiality and integrity.
- Decryption also happens only in the browser. The server stores only second-layer ciphertext.
This means even if our server is compromised, your data remains secure.
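The client-side flow described in the Secure Authentication and Encryption sections, as an added example that is not taken from the SecurePass Vault codebase. The scrypt parameters, the HKDF labels that keep the login hash separate from the vault key, the use of record metadata as AAD, and the iv|tag|ciphertext layout are all assumptions; Node's built-in crypto module stands in for a browser scrypt library.

```javascript
// Added illustration, not SecurePass Vault's code. Runs on Node's built-in crypto;
// a browser build would need a scrypt library plus WebCrypto (assumption).
const crypto = require('node:crypto');

// Assumed scrypt cost parameters; the whitepaper does not state any.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };

// One scrypt pass, then HKDF with two distinct (hypothetical) labels, so the
// login hash sent to the server cannot be used as the vault key.
function deriveKeys(password, salt) {
  const master = crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT_PARAMS);
  const expand = (label) =>
    Buffer.from(crypto.hkdfSync('sha256', master, salt, label, 32));
  return { authHash: expand('vault-auth-v1'), encKey: expand('vault-enc-v1') };
}

// AES-256-GCM with a fresh 96-bit nonce per record. The record's plaintext
// metadata is bound as AAD so ciphertext cannot be moved between records.
function encryptField(encKey, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]); // iv(12) | tag(16) | ct
}

// Throws if the key, the AAD, or any byte of the blob is wrong.
function decryptField(encKey, blob, aad) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', encKey, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAuthTag(blob.subarray(12, 28));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample values, for demonstration only.
function demo() {
  const salt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
  const { authHash, encKey } = deriveKeys('correct horse battery staple', salt);
  const blob = encryptField(encKey, 'hunter2', 'example.com|alice');
  let serverCanDecrypt = true;
  try { decryptField(authHash, blob, 'example.com|alice'); } catch { serverCanDecrypt = false; }
  return { roundTrip: decryptField(encKey, blob, 'example.com|alice'), serverCanDecrypt };
}
```

If the login hash and the encryption key were the same scrypt output, a server that receives the hash could decrypt the vault; the separate labels are what keep `serverCanDecrypt` false here.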
Storage
Encrypted credentials are stored in a secure MongoDB backend. Each record includes:
- Site name, username, title, service name, product name, description
- Password, product key, note content, API key (encrypted)
- Metadata such as timestamps and optional labels
Session Security
After successful login, we issue a short-lived access token. Encryption keys are stored securely in sessionStorage — never persisted or reused across devices.
Your Privacy
At Cyber Cordon, we believe in privacy by design. We do not:
- Log your master password
- Store unencrypted sensitive data
- Sell or share your data
You are the only person who can decrypt your vault.
Open Source Commitment
Our codebase is open for peer review. We welcome contributions, audits, and transparency. Trust should be earned — and we believe security must be verifiable.