Sync security
Astros sync is end-to-end encrypted. The server stores opaque ciphertext; your passphrase, encryption keys, and plaintext data never leave your device.
Design
Section titled “Design”- Data Encryption Key (DEK) — random 32-byte key generated client-side on first activation. Encrypts every sync blob.
- Key Encryption Key (KEK) — derived from your passphrase via Argon2id (libsodium
crypto_pwhash, MODERATE limits). Wraps the DEK. - Ciphertext — XSalsa20-Poly1305 (
crypto_secretbox). Salt + nonce stored alongside. - Recovery — at setup we generate a 24-word BIP39 phrase that derives a separate KEK to unwrap the DEK. Save it offline; we show it once.
The /api/sync/push endpoint accepts only ciphertext — there is no decryption path on the server.
Threat model
Section titled “Threat model”| Threat | Protection |
|---|---|
| Server compromise / hostile operator | Cannot decrypt your data without your passphrase. |
| Lost passphrase | Recover with the 24-word phrase. |
| Lost passphrase and lost recovery phrase | Data is unrecoverable by design. |
| Compromised passphrase | Attacker who also obtains a server snapshot can decrypt. Rotate the passphrase via Preferences. |
| Compromised device | All on-device data is exposed. Use disk encryption. |
Open questions we’re working on
Section titled “Open questions we’re working on”- Hardware-bound wrap (Touch ID / Windows Hello) for the most sensitive secrets.
- Open-source publishing of the sync/crypto module for independent review.