docs: pin keyfile.rs/second_factor citations; state the second factor is never pushed to the remote

This commit is contained in:
adlee-was-taken
2026-06-26 22:24:57 -04:00
parent 201bf05adc
commit 73877bad78
3 changed files with 5 additions and 5 deletions

View File

@@ -22,6 +22,8 @@ Both containers hold the second-factor secret **in the clear** — they are the
- **Reference image** (`reference.jpg`): the 32-byte secret is embedded in the JPEG DCT coefficients. The file itself is not encrypted. In the browser extension the image bytes are stored as `imageBase64` in `chrome.storage.local` — also in the clear.
- **Key file** (`.relkey`): the 32-byte secret is base64-encoded in a plain text file. The file itself is not encrypted. In the browser extension the key-file bytes are stored as `keyfileBase64` in `chrome.storage.local` — also in the clear.
Neither container is ever committed to the vault repository or pushed to the git remote: the reference JPEG / `.relkey` lives only on your devices (a local file you safeguard for the CLI, `chrome.storage.local` for the extension). The server's repository holds only the `.enc` ciphertext, the non-secret salt, and KDF params — never the second factor.
The key file is **not weaker** than the reference image. Both containers are protected by the same invariant: the passphrase is also required, and the server holds only opaque ciphertext sealed under a key derived from both. A stolen second factor without the passphrase yields nothing actionable (256 bits of Argon2id to brute-force). A stolen passphrase without the second factor is equally unactionable.
## Manifest Integrity