Security
Abolitus is designed around a browser-held master key, AES-256-GCM encrypted sync blobs, and direct-to-provider requests. The server is not trusted with plaintext content, local memory indices, or vault key material.
Data Flow
Your browser → client-side encryption → server → client-side decryption → your browser
1. Your browser. The master key lives here as a non-extractable WebCrypto CryptoKey. It is never transmitted.
2. Client-side encryption. AES-256-GCM with 1 KB padding is applied before any network request leaves the device.
3. Server: no read access. It receives only opaque ciphertext blobs and cannot read content. Zero knowledge applies to content; the server still observes which account uploaded how many blobs, of what padded size, and when.
4. Client-side decryption. The same master key decrypts on arrival. Plaintext never leaves the browser.
5. Your browser. You read your messages. LLM provider requests go directly from your browser, with no proxy.
Master Key Derivation
Password + Mnemonic → PBKDF2-SHA-512 → 256-bit AES-GCM master key → imported with extractable: false → raw bytes stay in memory only for mnemonic export
256-bit key material: non-extractable · WebCrypto API · in-browser only
Client-Side Trust Boundary
Prompt assembly, lorebook resolution, vault decryption, and API key handling stay inside the browser. Supabase stores encrypted blobs only.
Non-Extractable Crypto Keys
Vault and password-derived AES keys are imported as non-extractable WebCrypto keys. Raw bytes never leave the client.
Padded AES-GCM Blobs
Remote sync uploads padded AES-256-GCM blobs. Plaintext is padded to a 1 KB boundary before encryption, so ciphertext length reveals only which 1 KB bucket a message falls in, not its exact size; this blunts content-length traffic analysis against the ciphertext.
Direct Provider Requests
API keys go directly from your browser to the LLM provider. No proxy. No log. Abolitus servers never see them.
Recommended Practice
— Use a dedicated browser profile to reduce extension exposure.
— Install the app as a PWA when possible to limit storage eviction risk.
— Never store your recovery phrase in the same profile that holds an unlocked session.
— Keep provider API keys local. They are sent directly from your browser to the provider.