⚠️ Disclaimer: This project was created for fun and educational purposes to explore WebAuthn PRF capabilities. It is not recommended for use as an actual storage solution for sensitive data. Use established password managers and security tools for real-world secret management.

no cap this is AI slop fr fr: this whole project was vibecoded by AI, straight up brainrot coded by the machines, absolutely cooked with that ChatGPT sauce, 100% artificial intelligence ahh code

A secure, client-side encrypted vault using WebAuthn PRF (Pseudo-Random Function) for passwordless encryption. Your secrets are encrypted locally using hardware-backed keys derived from your passkeys: no passwords, no server-side key storage.
- Passwordless Security: uses the WebAuthn PRF extension to derive encryption keys from passkeys
- Client-Side Encryption: all encryption/decryption happens in your browser
- Multi-Passkey Support: add multiple passkeys (devices) to access your vault
- PWA Support: install as a native app on any device
- Envelope Encryption: following NIST SP 800-57 recommendations
- No Server Required: data stored locally in IndexedDB
- Zero Knowledge: your keys never leave your device
```
┌──────────────────────────────────────────────────────────────┐
│                        User's Device                         │
├──────────────────────────────────────────────────────────────┤
│  ┌─────────────┐     ┌─────────────┐     ┌─────────────────┐ │
│  │   Passkey   │────▶│ PRF Output  │────▶│ KEK (Key        │ │
│  │ (Hardware)  │     │ (32 bytes)  │     │ Encryption Key) │ │
│  └─────────────┘     └─────────────┘     └────────┬────────┘ │
│                                                   │          │
│                                                   ▼          │
│  ┌──────────────────────────────────────────────────────────┐│
│  │       Wrapped DEK (Encrypted Data Encryption Key)        ││
│  └──────────────────────────────────────────────────────────┘│
│                               │                              │
│                               ▼                              │
│  ┌──────────────────────────────────────────────────────────┐│
│  │      Encrypted Vault (AES-256-GCM encrypted data)        ││
│  └──────────────────────────────────────────────────────────┘│
│                                                              │
│  ┌──────────────────────────────────────────────────────────┐│
│  │     IndexedDB (Local browser storage, never leaves)      ││
│  └──────────────────────────────────────────────────────────┘│
└──────────────────────────────────────────────────────────────┘
```
- User authenticates with passkey (biometric, PIN, or security key)
- PRF extension generates a 32-byte hardware-backed secret
- HKDF derives a Key Encryption Key (KEK) from PRF output
- KEK unwraps the Data Encryption Key (DEK)
- DEK decrypts the vault data using AES-256-GCM
- Node.js ≥ 22.0.0
- A WebAuthn-compatible browser (Chrome 118+, Safari 17+, Firefox 122+)
- A passkey-capable authenticator with PRF support
```bash
# Clone the repository
git clone <repository-url>
cd passwordless-encryption

# Install dependencies
npm install

# Start development server
npm run dev
```

Open http://localhost:5173 in your browser.
```bash
# Build static files
npm run build

# Preview production build
npm run preview
```

```
src/
├── lib/
│   ├── components/          # Svelte UI components
│   │   ├── layout/          # Layout components
│   │   ├── modals/          # Modal dialogs
│   │   └── views/           # Page views
│   ├── crypto/              # Cryptographic operations
│   │   ├── encryption.ts    # AES-GCM encryption
│   │   ├── kdf.ts           # Key derivation (HKDF)
│   │   ├── envelope.ts      # Envelope encryption
│   │   └── utils.ts         # Crypto utilities
│   ├── webauthn/            # WebAuthn/PRF handling
│   │   ├── prf.ts           # PRF extension operations
│   │   ├── capabilities.ts  # Browser capability detection
│   │   └── types.ts         # WebAuthn types
│   ├── storage/             # Data persistence
│   │   ├── vault-storage.ts # IndexedDB operations
│   │   ├── schemas.ts       # Data validation (Zod)
│   │   └── types.ts         # Storage types
│   └── services/            # Business logic
│       └── vault-service.ts # Main vault orchestration
├── routes/
│   ├── +layout.svelte       # App layout
│   └── +page.svelte         # Main page
└── app.css                  # Tailwind CSS styles
```
| Script | Description |
|---|---|
| `npm run dev` | Start development server |
| `npm run build` | Build for production |
| `npm run preview` | Preview production build |
| `npm run test` | Run tests in watch mode |
| `npm run test:unit` | Run unit tests once |
| `npm run test:coverage` | Run tests with coverage |
| `npm run test:e2e` | Run Playwright E2E tests |
| `npm run lint` | Lint code with ESLint |
| `npm run format` | Format code with Prettier |
| `npm run check` | Type-check with svelte-check |
| Component | Algorithm | Key Size |
|---|---|---|
| Vault Encryption | AES-256-GCM | 256-bit |
| Key Derivation | HKDF-SHA256 | 256-bit |
| Key Wrapping | AES-KW | 256-bit |
| PRF Output | Hardware-specific | 256-bit |
- Hardware-backed keys: PRF output is generated by your authenticator's secure element
- No key storage: KEKs are derived on-demand, never stored
- Authenticated encryption: AES-GCM provides confidentiality + integrity
- Fresh IVs: Every encryption uses a cryptographically random 96-bit IV
- Content Security Policy: Strict CSP headers prevent XSS attacks
✅ Protected against:
- Server compromise (no server)
- Database breach (no database)
- Man-in-the-middle (client-side only)
- Brute force attacks (hardware rate limiting)

❌ Not protected against:
- Physical device access when vault is unlocked
- Malicious browser extensions
- Compromised operating system
The WebAuthn PRF extension requires modern browser support:
| Browser | Minimum Version | PRF Support |
|---|---|---|
| Chrome | 118+ | ✅ Full |
| Edge | 118+ | ✅ Full |
| Safari | 17+ | ✅ Full |
| Firefox | 122+ | |
- Platform authenticators: Windows Hello, Touch ID, Face ID, Android biometrics
- Roaming authenticators: YubiKey 5 series, other FIDO2 security keys with PRF support
MIT License: see LICENSE for details.
- WebAuthn PRF Extension: W3C specification
- SimpleWebAuthn: WebAuthn library
- NIST SP 800-57: Key management recommendations