MrW Vault de Kadir Çelebi

🛡️ MrW Vault Security and Architecture Documentation

MrW Vault is a powerful, cross-platform, and cloud-based password manager where your data is encrypted on your device using "Zero-Knowledge" architecture before being transmitted to the server.

This document provides technical details on how the system is designed, how it protects your data, and how the end-to-end encryption chain operates.
🏗️ 1. General Architecture (Software Stack)

MrW Vault features a performance-oriented stack built on modern web standards and security APIs:

Backend (Server): Powered by ElysiaJS & Bun, offering high I/O, low latency, and native WebSocket support.

Database: PostgreSQL, managed via Prisma ORM.

Frontend (Client/Extension): Built with React, Vite, and Tailwind CSS. Packaged as a Chrome/Edge Extension (Manifest V3) using CRXJS.

Cryptography: Utilizes the browser's native and optimized Web Crypto API (AES-256-GCM, PBKDF2).

Server Management (Reverse Proxy): Secure HTTPS connections (SSL/TLS) managed via Nginx.


🔒 2. What is Zero-Knowledge Architecture?

The "Zero-Knowledge" approach is a security principle where the server (and the service provider) cannot read user data.

In MrW Vault:

Your passwords, credit card info, or notes are never sent to the server as plaintext.

Encryption occurs inside your browser (client-side) using your Master Password.

The server only stores encrypted strings (ciphertext) and initialization vectors (IV). Even if our server were compromised, attackers could not read your data.


🔑 3. Cryptographic Lifecycle

When a user registers or logs in, the following cryptographic chain occurs in the background:
Step A: Master Key Derivation

The user enters an email and a Master Password.

The user's unique KDF Salt is retrieved from the server (a random 16-byte salt is generated during registration).

The browser processes the Master Password and Salt using the PBKDF2-HMAC-SHA256 algorithm with 600,000 iterations.

This results in a 256-bit Master Key, which is kept only in volatile memory (sessionStorage/background service worker) and is never sent to the server.


Step B: Authentication Hash

How does the server verify you without knowing your Master Password?

The derived Master Key is processed again through PBKDF2 (using a different fixed salt and 600,000 iterations).

The resulting Auth Hash is sent to the server.

The server compares this with the stored hash to grant access via a secure JWT Token.


🛡️ 4. In-Vault Encryption Process

When you add a new entry (e.g., a Netflix password):

The app converts your data into a standard JSON object.

The Web Crypto API generates a random 12-byte Initialization Vector (IV) for each operation.

The app encrypts the JSON data using the Master Key, the random IV, and the AES-256-GCM algorithm. GCM mode not only encrypts but also appends an Authentication Tag.

The resulting Ciphertext (including the Tag) and IV are sent to the server. Only the entry type (Login, Note) and Folder ID remain unencrypted for organizational purposes.


Decryption Process

The browser retrieves the ciphertext and IV from the server.

The browser decrypts the data using the Master Key in its memory.

Thanks to GCM mode, if the encrypted data has been altered in any way (even a single bit), a cryptographic error is thrown, and decryption stops immediately (Tamper-proof).


🌍 5. Environment and Cross-Platform Security

Manifest V3: The extension adheres to modern Chrome security standards.

Shadow DOM: Save/Update pop-ups injected into web pages are isolated from the page's own CSS/JS, preventing CSRF and Clickjacking attacks.

Background Service Worker: Critical operations occur in an isolated background process. Content scripts cannot directly access keys or decrypted vault data.

JWT & XSS Protection: API authentication uses encrypted JWTs. External data is strictly sanitized via DOMPurify before rendering to prevent XSS attacks.


Summary: With MrW Vault, your data is locked with industry-standard AES-256 before it ever leaves your browser, and the only key (your Master Password) remains solely in your mind.