Security Guide

Cryptica is built with security as a foundational principle. This guide explains our security architecture, the measures we've implemented to protect your data, and best practices for using Cryptica securely.

Zero-Knowledge Design

Cryptica is designed as a zero-knowledge application. This means we never have access to your sensitive data, encryption keys, or passwords. All encryption and decryption operations happen locally on your device.

Security Architecture

Client-Side Processing

All sensitive operations in Cryptica are performed client-side (in your browser or app), which means:

  • Your data never leaves your device in unencrypted form
  • Encryption and decryption keys are never transmitted
  • Generated passwords remain exclusively on your device
  • Even if our servers were compromised, your data would remain secure

Encryption Standards

Cryptica uses industry-standard, battle-tested encryption algorithms:

  • AES-256: Advanced Encryption Standard with 256-bit key length for symmetric encryption
  • PBKDF2: Password-Based Key Derivation Function 2 for secure key generation from passwords
  • Secure Random Generation: Cryptographically secure random number generation for passwords and encryption keys

Data Storage

Cryptica offers flexible data storage options while maintaining security:

  • Local Storage: By default, your data is stored only on your device using browser local storage.
  • Optional Synchronization: If enabled, data is encrypted before being synchronized to your chosen database.
  • Encrypted Synchronization: All synchronized data is encrypted with your master key, which is never sent to the server.

Key Security Features

Automatic Clipboard Clearing

When enabled, Cryptica automatically clears sensitive data from your clipboard after a configurable time period to prevent accidental exposure.

Password Visibility Control

All sensitive fields have visibility toggles, allowing you to control when passwords and encrypted content are visible on screen.

Offline Capability

Once installed, Cryptica can work offline with these capabilities:

Open Source

Cryptica's code is open source, allowing security experts to verify our security claims and implementation.

User Security Best Practices

While Cryptica is designed to be secure, following these practices will further enhance your security:

  1. Use a Strong Master Password: If you enable synchronization, your master password is your main line of defense. Make it strong and unique.
  2. Secure Your Device: Keep your device secure with up-to-date software, anti-malware protection, and screen locks.
  3. Keep Your Browser Updated: Ensure you're using the latest version of your browser to benefit from security patches.
  4. Verify HTTPS Connection: Always ensure you're accessing Cryptica over a secure HTTPS connection.
  5. Clear Browser Data When Needed: On shared devices, consider clearing your browser data after using Cryptica.

Security FAQ

Is my data safe if I use database synchronization?

Yes. When synchronization is enabled, all data is encrypted with your master key before being sent to the database. The encryption key never leaves your device, so no one (including database administrators) can decrypt your data without your master password.

Can Cryptica recover my data if I forget my master password?

No. Due to the zero-knowledge design, we have no way to recover your data if you forget your master password. There are no backdoors or recovery mechanisms. This ensures maximum security but requires you to remember your master password.

How does Cryptica protect against brute force attacks?

Cryptica uses a strong key derivation function (PBKDF2) with a high iteration count to slow down brute force attempts. Additionally, all encryption operations are performed client-side, which means an attacker would need direct access to your device to attempt brute forcing.

Is it safe to use Cryptica on a public computer?

While Cryptica is designed to be secure, we generally recommend against using any security tool on public computers, as they may have keyloggers or other malware installed. If you must use a public computer, ensure you clear the browser data afterward and consider changing any passwords you accessed.

Security Audits and Compliance

We are committed to maintaining the highest security standards:

  • Regular security audits of our codebase and infrastructure
  • Transparent disclosure of security issues and fixes
  • Continuous monitoring for new security threats and vulnerabilities
  • Compliance with relevant data protection regulations