Security Architecture

MindSafe is designed with a “Trust No One” philosophy. We assume the host environment could be compromised, and therefore implement multiple layers of defense to ensure your data remains encrypted and inaccessible to unauthorized parties.

Key Management & Derivation

The security of your vault starts with your master password, but your password is never used directly as an encryption key.

  • Argon2id Hardening: We use Argon2id, the winner of the Password Hashing Competition, to derive a Key Encryption Key (KEK) from your password. This algorithm is specifically designed to resist GPU-based brute-force attacks by requiring significant memory and time to compute.
  • Unique Master Key: A high-entropy Master Key is generated locally on your device. This key is “wrapped” (encrypted) using the Argon2id-derived key.
  • Key Regeneration: You have the option to rotate/regenerate your internal keys without losing your data, providing a path to recovery if you believe your secondary keys have been exposed. (coming soon)

Tip

Always keep a physical backup of your master password in a safe place.

Data Encryption (At Rest)

Every piece of information MindSafe stores is cryptographically transformed into meaningless noise for anyone without the key.

  • XChaCha20-Poly1305: We use this modern AEAD (Authenticated Encryption with Associated Data) cipher. It doesn’t just hide your text; it also ensures the data hasn’t been tampered with or corrupted, because any modification is detected when the note is decrypted.
  • Per-Note Encryption: MindSafe does not use a single “bulk” encryption for the whole database. Every individual note is encrypted with its own unique random nonce. This prevents pattern analysis attacks (where an attacker could guess content based on repeating encrypted blocks).
  • SQLite Security: While we use SQLite for its reliability, the data stored within the tables is already encrypted at the application level before it ever hits the disk.

Active Protection (In Motion)

Security isn’t just about files on a disk; it’s about protecting data while the app is running.

  • Safe Copy (Encrypted Clipboard): When you copy text within MindSafe, we protect the system clipboard. The data is copied in an encrypted state, preventing “Clipboard Listeners” (malicious background apps) from stealing your sensitive snippets. It only decrypts when pasted back into a secure MindSafe environment.
  • Memory Zeroization: Sensitive secrets, such as your decrypted Master Key or plaintext notes, are wrapped in specialized Rust containers that “zero out” (overwrite with zeros) the memory as soon as the object is dropped. This mitigates “Cold Boot” attacks and forensic memory analysis.
  • No Persistence of Secrets: Your master password is never saved to disk, not even in an encrypted form.
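To make the zeroization point concrete, here is an added, standard-library-only Rust sketch of such a container; it is not MindSafe's code, and a real project would use the `zeroize` and `secrecy` crates, which also cover heap reallocation and moves. The core of the technique is that a plain `fill(0)` on a value about to be dropped is a dead store the optimizer may delete, whereas volatile writes followed by a compiler fence must be kept. The type name `SecretBytes` and the redaction string are assumptions for the example.

```rust
// Added example: a minimal zeroize-on-drop container using only std.
// Not MindSafe's code; shown to illustrate the mechanism behind "zero out on drop".
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a byte slice with zeros in a way the optimizer cannot elide.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    // Prevent the compiler from reordering later stores/loads before the wipe.
    compiler_fence(Ordering::SeqCst);
}

/// A fixed-size secret that is wiped when dropped and never printed.
/// Note: moving the value copies its bytes; Drop wipes only the final location,
/// which is why production crates pin or box such secrets.
pub struct SecretBytes<const N: usize>([u8; N]);

impl<const N: usize> SecretBytes<N> {
    pub fn new(bytes: [u8; N]) -> Self {
        SecretBytes(bytes)
    }
    /// Borrow the secret for use (e.g. to build a cipher); no owned copies are handed out.
    pub fn expose(&self) -> &[u8; N] {
        &self.0
    }
}

impl<const N: usize> Drop for SecretBytes<N> {
    fn drop(&mut self) {
        zeroize_bytes(&mut self.0);
    }
}

/// Debug output never leaks the bytes, not even via a panic message or log line.
impl<const N: usize> fmt::Debug for SecretBytes<N> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretBytes([REDACTED])")
    }
}

/// Wipe a buffer and report whether every byte is now zero.
pub fn wipe_and_check(mut buf: Vec<u8>) -> bool {
    zeroize_bytes(&mut buf);
    buf.iter().all(|&b| b == 0)
}

fn main() {
    let key = SecretBytes::new([0xA5u8; 32]); // constructed demo secret
    println!("{:?}", key); // SecretBytes([REDACTED])
    println!("first byte while in use: {:#04x}", key.expose()[0]);
    drop(key); // bytes are overwritten here, before the stack slot is reused
    println!("buffer wiped: {}", wipe_and_check(vec![7u8; 16]));
}
```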

Caution

MindSafe follows a Zero-Knowledge architecture. We do not have a “Forgot Password” feature. We do not store your keys. If you lose your master password, your data is mathematically impossible to recover.

Auditability & Integrity

  • Encrypted Activity Logs: MindSafe maintains a local ledger of sensitive actions, such as login attempts, registration, and configuration changes. These logs are encrypted using the same standard as your notes, allowing you to review the history of your vault’s security.
  • Version History: To protect against accidental data loss or “ransomware-style” overwriting, MindSafe keeps a cryptographically signed history of note changes, allowing you to roll back to a known-safe state.

Network-Isolated Architecture

MindSafe is built on an “Offline-First, Privacy-Always” model. To ensure your data remains on your device, we implement strict boundaries regarding network connectivity:

  • User-Triggered Updates Only: The application does not maintain a persistent internet connection. It only communicates with the network (GitHub API) if, and only if, the user explicitly clicks the “Check for Updates” button.
  • No Automatic Background Calls: There are no “heartbeat” signals, telemetry pings, or background update checks. The application remains entirely dormant and offline until you manually request an update check.
  • Zero Data Exfiltration Path: The networking logic is strictly scoped to fetching version metadata and binaries from GitHub. There is no code path within the application capable of transmitting your database, notes, or encryption keys to a remote server.
  • Auditability: Because MindSafe is open-source, any developer can verify that the network stack is used exclusively for the update mechanism and is not integrated into the note-handling or storage modules.

Important

When checking for updates, MindSafe only transmits the current version string to GitHub to compare it against the latest release. No personal identifiers or usage statistics are shared during this process.