Security
Account Password
During the setup process, we highly recommend using a strong account password. This password is the primary source of entropy used to encrypt and decrypt your sensitive information. Rails provides tools to create strong passwords, including a strength meter to measure password entropy.
You are responsible for keeping your account secure while using Rails services.
- Important Note: Never forget your account password.
- The password is cleared from memory after use and is never transmitted over the Internet to Rails servers.
- If you forget it, there is no way to recover your password.
This ensures that no one, including the Rails team, can access or reverse-engineer your sensitive data. All sensitive data is fully encrypted or hashed before it leaves your device, providing robust protection for you and your information.
Strong Password Guidelines
- Use a combination of uppercase and lowercase letters, numbers, and special characters.
- Avoid using easily guessable information like names or birthdates.
- Consider using a password manager to securely store and generate strong passwords.
Overview of the Node Setup Process
Master Key and Master Password Hash
During the Node setup process, Rails uses the Argon2id Key Derivation Function (KDF) to generate a master key.
- Master Key Creation:
  - The master key is derived using your account password as the key and your team ID as the salt.
  - This key is never stored or transmitted to Rails servers.
- Master Password Hash:
  - Argon2id is used to create a hash with the master key as the key and the account password as the salt.
  - This hash is transmitted to Rails servers for authentication.
  - On receipt, the server rehashes it with Argon2id and a random salt. The new hash is then stored securely.
Argon2 is the winner of the 2015 Password Hashing Competition. The Argon2id variant provides strong security against brute-force and side-channel attacks.
Symmetric Key and Encrypted Symmetric Key
During the setup process, the following steps are performed:
- Symmetric Key Generation:
  - A 256-bit symmetric key and a secp256k1 key pair are generated.
- Encryption:
  - The symmetric key is encrypted using ChaCha20 and the master key.
  - This results in an encrypted symmetric key.
- Transmission:
  - The encrypted symmetric key is sent to Rails servers.
  - It is later returned to the client for client-side encryption and decryption.
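The key hierarchy described in the setup steps above, as an added JavaScript (Node.js) example that is not Rails' own code. Node's built-in scrypt stands in for Argon2id and the AEAD cipher chacha20-poly1305 for the page's ChaCha20 step; both substitutions, all function names, and the sample password and team ID are assumptions made for illustration.

```javascript
// Added example, not Rails' code. Assumptions: scrypt stands in for Argon2id,
// and chacha20-poly1305 (AEAD) stands in for the page's ChaCha20 step.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv,
  timingSafeEqual } = require('node:crypto');

const kdf = (key, salt) => scryptSync(key, salt, 32); // memory-hard, 256-bit output

// Client: master key = KDF(password, salt = team ID). Never leaves the device.
function deriveMasterKey(password, teamId) {
  return kdf(Buffer.from(password, 'utf8'), Buffer.from(teamId, 'utf8'));
}

// Client: master password hash = KDF(master key, salt = password). Sent to server.
function deriveMasterPasswordHash(masterKey, password) {
  return kdf(masterKey, Buffer.from(password, 'utf8'));
}

// Server: rehash what it received with a random salt and store only that.
function serverStore(masterPasswordHash) {
  const salt = randomBytes(16);
  return { salt, hash: kdf(masterPasswordHash, salt) };
}
function serverVerify(record, masterPasswordHash) {
  return timingSafeEqual(record.hash, kdf(masterPasswordHash, record.salt));
}

// Client: encrypt the 256-bit symmetric key under the master key.
function wrapKey(masterKey, symmetricKey) {
  const nonce = randomBytes(12);
  const c = createCipheriv('chacha20-poly1305', masterKey, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(symmetricKey), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}
// Client: decrypt it again; throws on a wrong key or a modified blob.
function unwrapKey(masterKey, { nonce, ct, tag }) {
  const d = createDecipheriv('chacha20-poly1305', masterKey, nonce, { authTagLength: 16 });
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}
// End-to-end run with constructed sample values.
function demo(password = 'correct horse battery staple', teamId = 'team-0001-example') {
  const masterKey = deriveMasterKey(password, teamId);
  const authHash = deriveMasterPasswordHash(masterKey, password);
  const symmetricKey = randomBytes(32);
  return { masterKey, authHash, symmetricKey,
    record: serverStore(authHash), blob: wrapKey(masterKey, symmetricKey) };
}
const sample = demo();
console.log('login ok:', serverVerify(sample.record, sample.authHash));
```

Calling `unwrapKey` with the master password hash instead of the master key throws, so the two values the server holds (the rehashed password hash and the encrypted symmetric key) do not by themselves decrypt the symmetric key.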
Overview of the Encryption and Decryption Process
Sensitive data associated with your account (e.g., private keys, mnemonics) is protected using end-to-end encryption with ChaCha20 and your symmetric key.
Key Features:
- All encryption and decryption are performed entirely on the client.
- The symmetric key can be decrypted only with the master key, which is never stored or transmitted to Rails servers.
This process ensures that your sensitive information remains secure, even in the unlikely event of server compromise.