Security Architecture
Overview
ID Wispera is built on four security principles:- Local-first — Credentials never leave your machine unless explicitly shared.
- Zero-knowledge — Sharing uses client-side encryption; the server never sees plaintext.
- Audit everything — Complete visibility into credential usage.
- Policy enforcement — Declarative rules prevent unauthorized access.
Encryption
Vault Encryption
| Parameter | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key Derivation | PBKDF2 with SHA-256 (100,000 iterations) |
| Salt | 32 bytes, randomly generated per vault |
| IV | 12 bytes, randomly generated per encryption operation |
Key Derivation
At-Rest Encryption
The vault file contains:| Component | Encrypted |
|---|---|
| Version number | No |
| Salt | No |
| IV | No |
| Passport data | Yes |
| Audit log | Yes |
| Metadata (creation time, passport count) | No |
Only passport data and the audit log are encrypted. Metadata such as version, salt, IV, creation time, and passport count are stored in plaintext to support vault unlocking and basic introspection without the passphrase.
In-Transit Encryption (Sharing)
Share links use:- A fresh AES-256-GCM key generated per share
- The key is sent separately from the encrypted payload
- Optional time-based and view-count limits
Threat Model
What We Protect Against
- Credential Theft — Encrypted at rest, memory cleared after lock, no plaintext in logs.
- Unauthorized Access — Passphrase required, policy enforcement, audit trail.
- Credential Misuse — Scope limitations, expiration enforcement, revocation capability.
- Audit Trail Tampering — Append-only log, encrypted with vault.
- Accidental Exposure — Credential detection, masked display,
.gitignoretemplates.
What We Don’t Protect Against
- Compromised Master Passphrase — If an attacker obtains your passphrase, they can decrypt the vault.
- Compromised Machine — A fully compromised machine gives an attacker access to everything the user can access.
- Memory Attacks — Sophisticated memory-forensics attacks may recover decrypted data from RAM.
- Social Engineering — ID Wispera cannot prevent a user from being tricked into sharing credentials.
Security Best Practices
Passphrase Security
- Minimum 12 characters recommended
- Mix of character types (uppercase, lowercase, digits, symbols)
- Unique to ID Wispera — do not reuse passwords
- Store in a password manager
- Never commit to version control
Vault Security
- Store on an encrypted filesystem
- Maintain regular backups (the backup is already encrypted)
- Limit file permissions:
- Do not share the vault file directly — use the secure sharing workflow instead
Credential Hygiene
- Set expiration dates on all passports
- Rotate credentials regularly
- Revoke unused credentials promptly
- Use the minimum required scope
- Tag credentials for organization
Operational Security
- Review audit logs regularly
- Monitor for suspicious activity
- Keep ID Wispera updated to the latest version
- Use the MCP server for agent access instead of exposing credentials directly
Security Features
Credential Detection
ID Wispera includes built-in detection for 30+ credential patterns (API keys, tokens, connection strings, and more) to prevent accidental exposure.Policy Enforcement
The policy engine supports:- Human owner requirements
- Maximum validity periods
- Delegation depth limits
- Visa type restrictions
Secure Sharing
- Zero-knowledge, client-side encryption
- Time-limited and view-limited share links
- No plaintext credentials on the server
Reporting Security Issues
If you discover a security vulnerability, please email [email protected] with:- A description of the vulnerability
- Steps to reproduce
- Potential impact assessment
Please do not open public issues for security vulnerabilities. We will acknowledge your report within 48 hours.