Security Model

Key Man Out is built on a zero-knowledge security architecture, meaning the server never has access to your encrypted secrets. This document explains how the security model works and what you need to know to keep your assets safe.

Zero-Knowledge Architecture

What is Zero-Knowledge?

Zero-knowledge means that the Key Man Out server cannot decrypt or read your sensitive secrets, even if it wanted to. Your secrets (passwords, API keys, confidential text) and file attachments are encrypted on your device before being sent to the server, and they can only be decrypted by people who have the team's vault key phrase.

What Gets Encrypted:

• Asset secrets (the sensitive text content)
• File attachments

What Is NOT Encrypted (stored as plaintext for service functionality):

• Asset titles/names
• Asset instructions (markdown notes)
• Website URLs
• Guardian assignments
• Access request records
• Team names and settings

What This Means for You:

• The service operators (us) cannot read your secrets
• If the server is compromised, attackers cannot decrypt your secrets (though they could see asset metadata)
• If law enforcement requests data, we cannot provide unencrypted secrets
• You have true privacy and control over your sensitive information

The Tradeoff:

• If you lose your team vault key phrase, your encrypted secrets are gone forever
• We cannot reset or recover your vault key phrase for you
• You must carefully store your vault key phrase in a safe location

Team Vault Key Phrase

What is the Vault Key Phrase?

The vault key phrase is a password-like secret that encrypts all secrets and file attachments in your team. Every asset's sensitive content in a team shares the same vault key phrase, which means:

• All team members who need to view secrets must know the vault key phrase
• The vault key phrase can be rotated (changed) with multi-party approval (see Key Rotation below)
• Losing the vault key phrase means losing access to all encrypted secrets (though asset metadata remains accessible)

Creating a Strong Vault Key Phrase

When creating a team, you'll be prompted to enter a vault key phrase. Follow these guidelines:

Length:

• Minimum: 12 characters (enforced)
• Recommended: 20+ characters
• Better: 30+ characters or a passphrase

Complexity:

• Use a mix of uppercase, lowercase, numbers, and symbols
• Avoid common words, phrases, or patterns
• Don't use personal information (names, birthdays, etc.)

Examples:

❌ Weak: MyTeamPassword123

• Too short, predictable pattern

✅ Good: Tr0pic@l-F1sh!Sw1m_Deep#2024

• 32 characters, mixed case, numbers, symbols

✅ Better: correct horse battery staple umbrella fountain keyboard rainbow

• Passphrase with random words, easy to remember, very strong

Passphrase Method (Recommended):

1. Choose 5-7 random, unrelated words
2. Combine them with spaces or separators
3. Optionally add numbers or symbols
4. Example: purple elephant 7 dancing microwave sunset cloud

Storing Your Vault Key Phrase Safely

CRITICAL: Your vault key phrase must be stored somewhere safe and accessible. If you lose it, your encrypted secrets are permanently unrecoverable.

Safe Storage Options:

1. Password Manager (Recommended):
   • Store in 1Password, Bitwarden, LastPass, etc.
   • Ensure multiple team members have access
   • Use a master password that's also well-protected
2. Physical Safe:
   • Write on paper and store in a fireproof safe
   • Keep copies in multiple secure locations
   • Ensure trusted people know where to find it
3. Company Vault:
   • Store with other critical company credentials
   • Follow your organization's key management procedures
   • Ensure business continuity if key personnel leave

Unsafe Storage Options:

❌ Never Store:

• In plain text files on your computer
• In unsecured notes or documents
• In unencrypted email
• In Slack, Teams, or other chat apps
• In browser auto-fill (unless password manager)
• Written on a Post-it note on your desk

Vault Key Phrase Reminder Field

During team creation, you can optionally enter a key phrase reminder:

• This is a hint to help you remember the vault key phrase
• The reminder is stored on the server and shown when you need to unseal
• Never include the actual vault key phrase or obvious parts of it
• Use only vague hints that make sense to you

Examples:

If your key phrase is purple elephant 7 dancing microwave sunset cloud:

❌ Bad Reminder: purple elephant 7 dancing

• Too revealing, could help attackers

✅ Good Reminder: 7 random nouns from the zoo incident

• Meaningful to you, useless to attackers

If your key phrase is Tr0pic@l-F1sh!Sw1m_Deep#2024:

❌ Bad Reminder: tropical fish 2024

• Gives away too much information

✅ Good Reminder: vacation memory from last summer

• Only you know what that means

Client-Side Encryption

How It Works

All encryption and decryption of secrets happens in your web browser using the Web Crypto API:

1. When You Create/Edit an Asset:
   • You enter the secret content in your browser
   • Your browser encrypts the secret using the team vault key phrase
   • Only the encrypted secret is sent to the server
   • The server stores the encrypted secret without knowing the vault key phrase
   • Asset metadata (title, instructions, website URL) is sent and stored unencrypted
2. When You View a Secret:
   • The server sends the encrypted secret to your browser
   • Your browser decrypts it using the team vault key phrase from session storage
   • The decrypted secret is shown to you
   • The server never sees the decrypted content

Encryption Algorithm

Key Man Out uses AES-256-GCM (Advanced Encryption Standard, 256-bit, Galois/Counter Mode):

• AES-256: Industry-standard symmetric encryption, approved by NIST
• 256-bit: Provides extremely strong security (2²⁵⁶ possible keys)
• GCM Mode: Provides both encryption and authentication (prevents tampering)
• PBKDF2: Key derivation with 100,000 iterations (makes brute-force attacks harder)

Technical Details:

• Key derivation: PBKDF2-SHA256 with 100,000 iterations
• Random salt: 16 bytes per asset (ensures unique encryption)
• Random IV: 12 bytes per asset (prevents pattern analysis)
• Authentication: Built into GCM mode

What Gets Encrypted with the Vault Key Phrase

Encrypted Data (stored encrypted on server, requires vault key phrase to access):

• Asset secret content (passwords, API keys, confidential text)
• Asset file attachments (the file content itself)

Unencrypted Data (stored in plain text on server, accessible without unsealing):

• Asset name/title
• Asset website URL
• Asset instructions (markdown notes)
• File attachment metadata (name, size, type)
• Guardian assignments
• Access request records
• Team name and settings

Why Not Encrypt Everything with the Vault Key Phrase?

• You need to be able to browse and identify assets without unsealing
• Access control and permissions need to work without decryption
• Instructions should be readable to help Successors understand when to request access
• Service functionality (notifications, audit trails) requires some accessible metadata

Sealed and Unsealed States

Team Sealing Concept

A team is like a physical vault with two states:

• Sealed (🔒): Vault is locked, you cannot view encrypted secrets
• Unsealed (🔓): Vault is open, you can view and edit encrypted secrets

Sealed State

When a team is sealed:

• You can browse asset names, websites, and instructions (unencrypted metadata)
• You cannot view encrypted secret content
• You cannot edit asset secrets (because editing requires re-encryption)
• The vault key phrase is not in your browser's memory
• Maximum security for secrets - even if your computer is compromised, encrypted content is safe

When Sealed:

• Immediately after login
• After 30 minutes of inactivity (auto-reseal)
• When you manually click "Reseal Vault"
• When you close your browser or tab

Unsealing a Team

To unseal a team and view secrets:

1. Click "Unseal Vault" button in the sidebar
2. Enter your team vault key phrase
3. The vault key phrase is verified against a hash (stored on server)
4. If correct, the vault key phrase is stored in browser session storage
5. The team shows as "Unsealed" with a countdown timer
6. You can now view and edit encrypted asset secrets

Security Notes:

• The vault key phrase is verified using a hash, not by attempting decryption
• The vault key phrase is only stored in session storage (cleared when browser closes)
• Session storage is isolated per browser tab (other tabs don't have access)
• The server never receives the actual vault key phrase during unsealing

Auto-Reseal After 30 Minutes

For security, the vault automatically reseals after 30 minutes of inactivity:

• A countdown timer shows remaining time in the sidebar
• When time expires, the vault key phrase is removed from session storage
• You must unseal again to view secrets
• Any unsaved work is preserved (see Persistent Editor below)

Why 30 Minutes?

This balances security with usability:

• Short enough that forgotten open sessions don't pose long-term risk
• Long enough that you're not constantly re-entering the key phrase
• You can manually reseal earlier if you're leaving your desk

Manual Resealing

You can reseal the vault at any time:

1. Click the "Reseal Vault" button in the sidebar
2. The vault key phrase is immediately removed from session storage
3. You can no longer view encrypted secrets until you unseal again

When to Manually Reseal:

• Before stepping away from your computer
• When finished working with sensitive data
• If you suspect someone is watching your screen
• At the end of your work session

Key Rotation

Key rotation allows you to change your team's vault key phrase without losing access to your encrypted secrets. This is essential for maintaining security when:

• An employee with vault key phrase knowledge leaves the organization
• You suspect the vault key phrase may have been compromised
• Your security policy requires periodic key rotation
• You want to upgrade to a stronger vault key phrase

How Key Rotation Works

Key rotation is a multi-step, multi-party process designed to ensure security:

1. Initiation: A team owner or admin initiates the rotation by providing the current vault key phrase and proposing a new one
2. Approval: All other team owners/admins must independently enter the new vault key phrase to verify they have it
3. Execution: Once all approvals are received, the initiator's browser decrypts all secrets with the old key and re-encrypts them with the new key
4. Atomic Commit: All re-encrypted secrets are committed to the server atomically, along with the new key hash

Important: The server never sees either the old or new vault key phrase—only their hashes. All decryption and re-encryption happens in your browser.

Starting a Key Rotation

1. Navigate to Team Settings > Security
2. Click Rotate Key Phrase
3. Enter your current vault key phrase (to prove you have access)
4. Enter and confirm the new vault key phrase (minimum 12 characters)
5. Optionally set a new key reminder
6. Acknowledge that you've shared the new key with approvers
7. Click Request Rotation

For single-owner teams, the rotation proceeds immediately. For teams with multiple owners/admins, the rotation enters the approval phase.

Approving a Key Rotation

When another admin initiates a rotation:

1. You'll see a notification in the Team Settings > Security section
2. Click Approve Rotation
3. Enter the new vault key phrase that was shared with you (through a secure channel)
4. The system verifies your vault key phrase matches the initiator's
5. If it matches, your approval is recorded

Security Note: The initiator should share the new vault key phrase through a secure out-of-band channel (in person, encrypted message, password manager share)—never through regular email or chat.

Executing the Rotation

Once all required approvals are received:

1. The initiator sees a Ready to Execute status
2. Click Execute Rotation
3. Enter both the old and new vault key phrases
4. The browser downloads all encrypted secrets
5. Each secret is decrypted with the old key and re-encrypted with the new key
6. Progress is displayed during the process
7. All re-encrypted secrets are committed atomically

Warning: Do not close the browser window during execution. The process cannot be interrupted safely.

Safeguards and Limits

• 24-Hour Cooldown: You can only rotate once every 24 hours
• 48-Hour Expiration: Pending rotations expire if not completed within 48 hours
• 1-Hour Execution Timeout: If execution stalls for more than 1 hour, the rotation is marked as failed
• Hash Verification: All approvers must enter the exact same new vault key phrase
• Atomic Commit: Either all secrets are updated or none are—no partial updates

After Rotation

• All team members will need the new vault key phrase to unseal the vault
• The old vault key phrase will no longer work
• Previously viewed secrets may need to be re-accessed with the new key
• The rotation is logged in the team's security history
• A notification is sent to all team members

Best Practices for Key Rotation

1. Communicate First: Ensure all team members know a rotation is planned
2. Use Secure Channels: Share the new vault key phrase in person or via encrypted message
3. Verify Approvers: Confirm each approver received the correct new vault key phrase
4. Time It Right: Rotate during low-activity periods to minimize disruption
5. Update Storage: After rotation, update your password manager and any physical records with the new vault key phrase

Access Control and Permissions

Who Can View Secrets?

The Guardian System controls who can view encrypted secrets:

1. Custodians: Always have access (they created the asset)
2. Gatekeepers: Never have access (even with approved request)
3. Successors: Only with an approved access request

See Guardian System for full details on roles.

Access Request Security

When a Successor requests access:

• The request is logged with timestamp, IP address, and location
• All guardians are notified via email
• Access requires approval (manual, time-delay, or DNS verification)
• Once approved, access is permanent until revoked

This ensures:

• No unauthorized access to secrets
• Audit trail of all access attempts
• Multiple people are aware of access grants
• Custodians can monitor who views their secrets

Secret Access Logging

Every time someone views an encrypted secret:

• Who: User identity
• When: Timestamp (date and time)
• Where: IP address and geographic location (if available)
• What: Which asset was accessed

Custodians receive email notifications including this information, allowing them to:

• Monitor access to their sensitive data
• Detect unauthorized access
• Build an audit trail for compliance
• Identify suspicious patterns

Note: Access logging only tracks viewing the secret, not:

• Viewing asset name, website, or instructions
• Browsing the asset list
• Editing asset metadata (since that requires the secret to be re-encrypted, it's inherently logged)

File Attachment Security

File attachments are encrypted using the same client-side encryption as secrets:

1. Upload:
   • You select a file in your browser
   • Your browser encrypts it using the team vault key phrase
   • The encrypted file is uploaded to S3-compatible storage
   • Original filename and file type are preserved as unencrypted metadata (but file content is encrypted)
2. Download:
   • Your browser downloads the encrypted file
   • Your browser decrypts it using the team vault key phrase from session storage
   • The decrypted file is saved to your computer

Security Notes:

• File content is fully encrypted with the vault key phrase
• File metadata (name, type, size) is stored in plain text for browsing without unsealing
• Large files are handled efficiently (no size limit from encryption)
• Multiple attachments per asset are supported

Authentication and Account Security

Login Methods

Key Man Out supports multiple secure authentication methods:

1. OAuth Providers:
   • Google
   • Apple
   • GitHub
   • Uses proven, secure authentication systems
   • Eliminates password management
2. WebAuthn / Passkeys:
   • Hardware security keys (YubiKey, etc.)
   • Biometric authentication (Touch ID, Face ID)
   • Most secure option available
   • Recommended for high-security accounts
3. Magic Links:
   • Email-based authentication
   • Click link to log in without password
   • Convenient for occasional access
4. Password (Optional):
   • Traditional email/password authentication
   • Requires strong password
   • Can be combined with other methods
5. SMS (Optional):
   • Phone number verification
   • One-time codes via text message
   • Additional security layer

Account Security Best Practices

1. Enable Passkeys:
   • Go to Account Settings → Passkey
   • Register your device's biometric or security key
   • Most secure way to prevent account takeover
2. Use OAuth Providers:
   • Google, Apple, or GitHub accounts often have better security than custom passwords
   • Enable 2FA on your OAuth provider account
3. Monitor Login Activity:
   • Check for login notification emails
   • Report suspicious activity immediately
4. Keep Email Secure:
   • Your email account is the master key to your Key Man Out account
   • Use strong password and 2FA on your email
   • Monitor for unauthorized access

Network Security

HTTPS Encryption

All communication between your browser and the Key Man Out server uses HTTPS (TLS 1.2+):

• Encrypts data in transit
• Prevents man-in-the-middle attacks
• Ensures you're connecting to the real server
• Look for the padlock icon in your browser

API Security

All API requests are:

• Authenticated with session cookies (HttpOnly, Secure, SameSite)
• Protected against CSRF attacks
• Validated for proper authorization
• Rate-limited to prevent abuse

Threat Model

What Key Man Out Protects Against

✅ Server Compromise:

• If our server is hacked, your secrets remain encrypted
• Attackers cannot decrypt without team vault key phrases
• Asset metadata (titles, instructions) would be visible, but sensitive content stays protected

✅ Database Breach:

• If the database is stolen, secrets are encrypted
• Vault key phrases are hashed and cannot be reversed

✅ Insider Threats:

• Service operators cannot read your secrets
• Employees cannot access encrypted content

✅ Network Eavesdropping:

• HTTPS protects data in transit
• Encrypted secrets are useless without vault key phrase

✅ Unauthorized Access:

• Guardian system controls who can view secrets
• Access requests provide audit trail

What Key Man Out Does NOT Protect Against

❌ Compromised User Device:

• If your computer has malware, it could capture your vault key phrase when you type it
• If your browser is compromised, it could steal decrypted secrets
• Mitigation: Use antivirus, keep software updated, be careful what you install

❌ Lost Vault Key Phrase:

• If you lose your team vault key phrase, encrypted secrets are unrecoverable
• No backdoor or recovery mechanism exists
• Mitigation: Store vault key phrase in multiple secure locations

❌ Weak Vault Key Phrase:

• If your vault key phrase is easy to guess, attackers could brute-force it
• Short or common passwords can be cracked
• Mitigation: Use strong, long, random vault key phrases

❌ Social Engineering:

• If an attacker tricks you into sharing your vault key phrase, they can decrypt your secrets
• Phishing emails or fake login pages could steal credentials
• Mitigation: Verify URLs, don't share vault key phrases, enable passkeys

❌ Physical Access to Unsealed Session:

• If you leave your computer unlocked with the vault unsealed, anyone can view secrets
• Mitigation: Manually reseal when stepping away, enable screen lock

❌ Asset Metadata Exposure:

• Asset titles, instructions, and website URLs are not encrypted with the vault key phrase
• In a server compromise, this metadata could be exposed
• Mitigation: Avoid putting sensitive information in asset titles or instructions

Best Practices Summary

For Maximum Security

1. Use a Strong Vault Key Phrase:
   • 20+ characters or 5+ word passphrase
   • Random, unguessable
   • Store in multiple secure locations
2. Enable Passkeys:
   • Hardware security keys or biometric authentication
   • Prevents password-based attacks
3. Seal When Not in Use:
   • Manually reseal when stepping away
   • Don't leave vault unsealed overnight
4. Monitor Access:
   • Review secret access notifications
   • Investigate suspicious activity
5. Secure Your Devices:
   • Use antivirus and anti-malware
   • Keep operating system and browser updated
   • Enable disk encryption
6. Limit Successors:
   • Only grant Successor access to people who truly need it
   • Review and remove unnecessary guardians regularly
7. Be Mindful of Metadata:
   • Asset titles and instructions are not encrypted with the vault key phrase
   • Avoid putting sensitive information in these fields
   • Use generic titles if maximum privacy is needed
8. Communicate:
   • Ensure team members understand the security model
   • Document when access requests are appropriate
   • Respond quickly to legitimate emergencies

For Convenience

1. Use Password Manager:
   • Store your team vault key phrase in a trusted password manager
   • Easier than memorizing, still secure if password manager is secured
2. Set Up Multiple Successors:
   • Ensure business continuity if key personnel are unavailable
   • Use time-delay approval for predictable access
3. Document Instructions:
   • Use asset instructions to explain when access is needed
   • Reduces confusion during emergencies

Frequently Asked Questions

Q: Can Key Man Out recover my vault key phrase if I lose it? A: No. Due to the zero-knowledge architecture, we cannot recover, reset, or decrypt your vault key phrase. If you lose it, your encrypted secrets are permanently lost (though asset metadata remains accessible).

Q: What happens if Key Man Out gets hacked? A: Your encrypted secrets remain encrypted. Without your team vault key phrase, attackers cannot decrypt your secrets. However, they would see asset names, instructions, websites, and guardian assignments (unencrypted metadata).

Q: Can government agencies force Key Man Out to provide my data? A: We can provide encrypted secrets and unencrypted metadata if legally required, but we cannot decrypt your secrets. Only you have the vault key phrase needed for decryption.

Q: How do I change my team vault key phrase? A: Use the Key Rotation feature in Team Settings > Security. This requires approval from all team owners/admins, who must each independently verify the new vault key phrase. The rotation re-encrypts all secrets with the new vault key phrase. See Key Rotation for details.

Q: Is the encryption strong enough? A: Yes. AES-256-GCM is the industry standard used by governments, militaries, and major tech companies. It's approved by NIST and considered unbreakable with current technology.

Q: What if I suspect my vault key phrase was compromised? A: Use the Key Rotation feature to immediately rotate to a new vault key phrase. All team owners/admins must approve the rotation. Also change any credentials stored in potentially compromised assets.

Q: Can I use the same vault key phrase for multiple teams? A: Technically yes, but we don't recommend it. Each team should have a unique vault key phrase to limit the impact of a compromise.

Q: How is the vault key phrase verified when I unseal? A: We store a hash (SHA-256) of your vault key phrase. When you unseal, your browser hashes your input and compares it to the stored hash. The actual vault key phrase is never sent to the server.

Q: Why 30 minutes for auto-reseal? A: This balances security with usability. It's short enough to limit exposure, but long enough to avoid constant re-entry. You can manually reseal earlier if needed.

Q: What's the difference between the team vault key phrase and my login password? A: Your login password (or OAuth, passkey, etc.) authenticates your identity and grants access to the service. The team vault key phrase encrypts the actual secrets. You need both to view secrets.

Q: What exactly is encrypted vs. not encrypted? A: Asset secrets (passwords, API keys, confidential text) and file attachments are encrypted with your vault key phrase. Asset metadata (titles, instructions, website URLs, guardian assignments) is NOT encrypted and is accessible to our systems for service functionality.

Related Documentation

• Guardian System - Role-based access control
• Access Requests - How Successors gain access to secrets