What is Perfect Forward Secrecy (PFS)?

Perfect Forward Secrecy (PFS) is an advanced security feature where every single file in your vault is encrypted with its own unique, temporary key. This ensures that a compromise of one file does not affect the security of any other file.

An Analogy: A Hotel with Unique Keys

Imagine a standard secure app is like a hotel where every room is opened by the same master key. If an attacker steals that one master key, they can get into every single room.

UltraLocked, using Perfect Forward Secrecy, is like a hotel where every door has a completely different key. If an attacker manages to steal the key to Room 101, they still have no way to get into Room 102, 103, or any other room.

How UltraLocked Implements PFS

Every time you add a file to your vault, the following happens:

Ephemeral Key Pair Generation: A brand new, temporary (ephemeral) key pair is generated just for this one encryption operation.
Shared Secret Derivation: This temporary key interacts with your master hardware key inside the Secure Enclave to create a one-time-use shared secret.
File Key Creation: This shared secret is then used to generate the final encryption key that scrambles your file's data.
Destruction of Intermediates: Once the file is encrypted, the ephemeral key pair and the shared secret are securely destroyed from memory.

The only things stored are the encrypted file itself and the public half of the temporary key, which is useless without the private half that was destroyed.

The Security Benefit

This process means that even if an attacker could somehow break the encryption on a single file and figure out its key, that knowledge would be completely useless for decrypting any other file in your vault. Each file is its own isolated fortress.

This commitment to Perfect Forward Secrecy provides a robust defense against future attacks and ensures the long-term security and integrity of your entire vault. For more technical details, please refer to our Security Whitepaper.