| id |
title |
status |
assignee |
created_date |
updated_date |
labels |
dependencies |
references |
priority |
| TASK-86 |
Encrypted server-side account vault for EncryptID |
Done |
|
2026-03-03 19:15 |
2026-03-03 19:15 |
| encryptid |
| security |
| feature |
|
|
| src/encryptid/vault.ts |
| src/encryptid/server.ts |
| shared/local-first/crypto.ts |
| server/local-first/backup-routes.ts |
|
high |
Description
Zero-knowledge vault stores all EncryptID account data (profile, emails, devices, addresses, wallets, preferences) as a single AES-256-GCM encrypted JSON blob via the backup API. Key derived deterministically from WebAuthn PRF via HKDF — same passkey = same key on any device. Server never sees plaintext.
Acceptance Criteria
Final Summary
Files Created\n- src/encryptid/vault.ts — VaultManager class, AccountVault interface, singleton pattern\n\n## Files Modified\n- src/encryptid/index.ts — Export vault types and functions\n- src/encryptid/ui/login-button.ts — Load vault after auth, clear on logout\n- src/encryptid/server.ts — Dashboard vault section, checklist item, inline crypto functions (deriveVaultKey, saveVault, restoreVault, checkVaultStatus)\n\n## Key Design\n- Vault key: Master PRF → HKDF("rspace:__vault") → HKDF("doc:account-vault") → AES-256-GCM\n- Dashboard uses inline WebCrypto (not VaultManager import) since dashboard auth doesn't initialize DocCrypto\n- Save/restore require biometric re-auth for security\n\nCommit: e2e12af, deployed to production.