{"id":50486922,"url":"https://github.com/systemslibrarian/crypto-lab-shadow-vault","last_synced_at":"2026-06-01T23:02:52.705Z","repository":{"id":349145989,"uuid":"1200984170","full_name":"systemslibrarian/crypto-lab-shadow-vault","owner":"systemslibrarian","description":"Deniable encryption — one container, two passphrases, two messages. The real one and the decoy. No way to prove which is which.","archived":false,"fork":false,"pushed_at":"2026-04-06T16:15:54.000Z","size":310,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-06T18:17:25.876Z","etag":null,"topics":["aead","argon2id","chacha20-poly1305","deniable-encryption","key-derivation","rust-wasm","sha256","wasm-crypto"],"latest_commit_sha":null,"homepage":"https://systemslibrarian.github.io/crypto-lab-shadow-vault/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/systemslibrarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":"THREAT_MODEL.md","audit":"AUDIT.md","citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-04T04:06:43.000Z","updated_at":"2026-04-06T16:15:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/systemslibrarian/crypto-lab-shadow-vault","commit_stats":null,"previous_names":["systemslibrarian/shadow-vault","systemslibrarian/crypto-lab-shadow-vault"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/systemslibrarian/crypto-lab-shadow-vault","repositor
y_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-shadow-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-shadow-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-shadow-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-shadow-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/systemslibrarian","download_url":"https://codeload.github.com/systemslibrarian/crypto-lab-shadow-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-shadow-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33797128,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aead","argon2id","chacha20-poly1305","deniable-encryption","key-derivation","rust-wasm","sha256","wasm-crypto"],"created_at":"2026-06-01T23:02:51.848Z","updated_at":"2026-06-01T23:02:52.698Z","avatar_url":"https://github.com/systemslibrarian.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Shadow 
Vault\n\n**Deniable encryption — two messages, one container, no trace.**\n\n## 1. What It Is\n\nShadow Vault is a browser demonstration of deniable encryption that combines Argon2id key derivation, ChaCha20-Poly1305 AEAD encryption, and SHA-256 salt derivation in a fixed-size random container. It solves the problem of plausibly revealing one decryptable message while keeping a second message hidden in the same blob without headers or structural markers. The cryptographic core is symmetric encryption with password-based key derivation, executed in Rust/WASM through a Web Worker. It is not asymmetric, threshold, or zero-knowledge cryptography, and it is not positioned as production deniable storage.\n\n## 2. When to Use It\n\n- Use it to teach deniable-encryption mechanics, because the UI exposes Argon2id memory/iteration/parallelism and shows how slot offsets are derived from passphrases.\n- Use it for controlled demos of coercion scenarios, because one passphrase decrypts a plausible decoy while another decrypts the real payload.\n- Use it to experiment with passphrase-cost tuning, because Argon2id settings directly change derivation cost and brute-force resistance.\n- Do not use it for high-assurance operational secrecy, because browser runtime risks and JavaScript passphrase handling are explicitly called out in the threat model.\n\n## 3. Live Demo\n\nLive demo: [https://systemslibrarian.github.io/crypto-lab-shadow-vault/](https://systemslibrarian.github.io/crypto-lab-shadow-vault/)\n\nThe demo lets you encrypt and decrypt containers end-to-end in the browser. In encrypt mode, you enter real and decoy passphrases/messages, choose container size (4/8/16/32 KB), and tune Argon2id parameters (memory, iterations, parallelism). In decrypt mode, you upload a vault file and try a passphrase to open whichever message that passphrase maps to.\n\n## 4. 
What Can Go Wrong\n\n- Passphrase reuse across multiple containers can break deniability, because deterministic key/nonce/offset derivation enables cross-container analysis and two-time-pad style leakage.\n- Weak real or decoy passphrases collapse the model, because brute-forcing either passphrase can expose both slot locations and messages.\n- JavaScript string handling is an implementation pitfall, because passphrases enter the app as immutable JS strings that cannot be securely zeroized like WASM buffers.\n- Unicode normalization mismatches can lock users out, because visually identical passphrases may encode to different UTF-8 byte sequences on different platforms.\n- A non-plausible decoy undermines coercion resistance, because deniable encryption relies on the revealed message being believable to an adversary.\n\n## 5. Real-World Usage\n\n- TLS (including TLS 1.3 and TLS 1.2 ChaCha20-Poly1305 suites) uses ChaCha20-Poly1305 as an authenticated encryption option for transport security.\n- QUIC/HTTP/3 deployments commonly rely on TLS 1.3 cipher suites that include ChaCha20-Poly1305, especially on devices without AES acceleration.\n- WireGuard uses ChaCha20-Poly1305 for packet encryption and authentication in its Noise-based protocol design.\n- OpenSSH supports chacha20-poly1305@openssh.com to provide authenticated stream encryption for SSH sessions.\n- libsodium exposes Argon2id via crypto_pwhash for password hashing and key derivation in real applications.\n\n## Related Projects\n\n| Project | Description |\n|---------|------------|\n| [phantom-vault](https://systemslibrarian.github.io/phantom-vault/) | Argon2id + HMAC-DRBG stateless password generation |\n| [corrupted-oracle](https://systemslibrarian.github.io/corrupted-oracle/) | ChaCha20-DRBG + Dual_EC backdoor demonstration |\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [SPEC.md](SPEC.md) | Container format specification — derivation rules, slot layout, collision 
resolution, pinned test vectors |\n| [THREAT_MODEL.md](THREAT_MODEL.md) | Security boundaries, trust model, deniability constraints, honest limitations |\n| [SECURITY.md](SECURITY.md) | Security review checklist for auditors — zeroization, format integrity, failure indistinguishability |\n\n*\"So whether you eat or drink or whatever you do, do it all for the glory of God.\" — 1 Corinthians 10:31*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-shadow-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-shadow-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-shadow-vault/lists"}