LockBox
About
LockBox is a secure, end-to-end encrypted secret sharing service. It allows sharing secrets with other people, without having to worry about your data being compromised.
When sharing a secret, the data is encrypted directly on-device. The encrypted data is then securely stored on our server. The recipient can access the secret by entering the password and decrypting the data on their device. After the secret has been decrypted, it is deleted from the server and can no longer be accessed.
Lessons learned
LockBox was an interesting project to learn more about encryption in the browser. The encryption is done using the WebCrypto API and an optional polyfill for older browsers.
The goal was to create an encryption scheme that stays effective even if the database or the download link is compromised. To make brute-force attacks harder, the encryption password is derived by hashing the user's password numerous times. As a result, decrypting a secret takes 3-5 seconds on modern hardware and browsers, but brute-force attacks become less feasible.
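A sketch of the password-stretching design described above, written against the WebCrypto API. This is an added example, not LockBox's own code: the page does not name its algorithms, so PBKDF2-HMAC-SHA-256, AES-GCM, the default iteration count and the function names `deriveKey`, `sealSecret` and `openSecret` are all assumptions.

```javascript
// Added example (not LockBox source). PBKDF2 and AES-GCM are assumed algorithms.
// Browsers and recent Node expose globalThis.crypto; older Node needs the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Stretch the password: every guess an attacker makes costs `iterations` HMAC rounds.
async function deriveKey(password, salt, iterations) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material,
    { name: 'AES-GCM', length: 256 },
    false, // non-extractable: the key never leaves the crypto layer
    ['encrypt', 'decrypt']);
}

// Encrypt on-device. The returned record is all a server would store:
// salt, IV, work factor and ciphertext, but never the password or the key.
async function sealSecret(password, plaintext, iterations = 600000) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // unique per secret
  const iv = wc.getRandomValues(new Uint8Array(12));   // 96-bit GCM nonce
  const key = await deriveKey(password, salt, iterations);
  const ciphertext = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  return { salt, iv, iterations, ciphertext };
}

// Decrypt on the recipient's device. Returns null when the GCM tag check fails,
// which covers both a wrong password and a modified stored record.
async function openSecret(password, record) {
  const key = await deriveKey(password, record.salt, record.iterations);
  try {
    const plain = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}
```

The per-secret salt means a leaked database cannot be attacked with one precomputed table, and storing `iterations` in the record lets the work factor be raised later without breaking older secrets.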