PassAGE/SECURITY.md
fraggle 3552db50c2 Initial commit: PassAGE password manager
- AGE encryption with master password model
- Core commands: init, show, insert, edit, generate, rm, mv, cp, find, grep, ls
- Git integration for version control
- Clipboard support (X11 and Wayland)
- Secure password generation
- Backup and restore functionality
- Comprehensive security features
- Complete documentation
2026-01-11 18:48:01 -04:00

# Security Considerations for PassAGE
This document describes PassAGE's security model and implementation details.
## Current Implementation
PassAGE uses a master password model built on age's passphrase encryption, which derives the file key from the passphrase with scrypt.
### Master Password Storage
The master password is **never stored in plaintext**. Instead:
1. **Argon2id hash**: A one-way hash of the master password is stored in the `.master-pass` file in the password store directory
   - Uses Argon2id (winner of the Password Hashing Competition)
   - Parameters: 3 iterations, 32 MB memory, 4 threads, 32-byte output
   - A random 16-byte salt is generated when the hash is created
   - Format: `salt:hash`, with both fields base64 encoded
2. **Verification**: When you enter the master password:
   - A new hash is computed from the entered password with the stored salt
   - The result is compared with the stored hash using a constant-time comparison
   - If they match, the entered password is used for encryption and decryption
3. **Security properties**:
   - **Memory-hard**: Resistant to GPU/ASIC attacks
   - **Slow by design**: Makes brute-force guessing expensive
   - **Salted**: Prevents rainbow table attacks
   - **One-way**: The hash cannot be reversed to recover the password
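The hash-file workflow described above (random salt, `salt:hash` record with base64 fields, re-derivation with the stored salt, constant-time comparison, and the 0600 file mode mentioned under Security Model), written out as an added example. This is not PassAGE's own code: Python's standard library has no Argon2id, so `hashlib.scrypt` stands in for it at a comparable memory cost (32 MiB), and every function and constant name here is this example's own assumption.

```python
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional, Tuple

# Cost parameters for the scrypt stand-in. The page specifies Argon2id
# (3 iterations, 32 MB, 4 threads, 32-byte output); scrypt is used here
# only because the standard library lacks Argon2. 128 * N * r bytes = 32 MiB
# keeps the memory cost comparable. All names below are this example's own.
SCRYPT_N = 2 ** 15
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # OpenSSL's default cap (32 MiB) is just under what N=2**15 needs
SALT_LEN = 16                      # 16-byte random salt, as on the page
HASH_LEN = 32                      # 32-byte output, as on the page


def derive(password: str, salt: bytes) -> bytes:
    """One-way, memory-hard derivation of the verifier from password and salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=HASH_LEN)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the `salt:hash` record (both fields base64) for a new master password.

    A fresh random salt is drawn unless one is supplied (tests pass a fixed salt).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = derive(password, salt)
    return base64.b64encode(salt).decode("ascii") + ":" + base64.b64encode(digest).decode("ascii")


def parse_record(record: str) -> Tuple[bytes, bytes]:
    """Split and decode a record, rejecting anything that is not exactly salt:hash."""
    fields = record.strip().split(":")
    if len(fields) != 2:
        raise ValueError("record must have exactly two colon-separated fields")
    salt = base64.b64decode(fields[0], validate=True)
    digest = base64.b64decode(fields[1], validate=True)
    if len(salt) != SALT_LEN or len(digest) != HASH_LEN:
        raise ValueError("record has unexpected salt or hash length")
    return salt, digest


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, stored = parse_record(record)
    return hmac.compare_digest(derive(password, salt), stored)


def write_record(path: str, record: str) -> None:
    """Create the hash file with mode 0600; O_EXCL refuses to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(record + "\n")


def read_record(path: str) -> str:
    with open(path, "r") as fh:
        return fh.read()


def demo() -> bool:
    """Round trip against a temporary store directory; True when every check passes."""
    with tempfile.TemporaryDirectory() as store:
        path = os.path.join(store, ".master-pass")
        write_record(path, make_record("correct horse battery staple"))
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
        record = read_record(path)
        return (mode_ok
                and verify("correct horse battery staple", record)
                and not verify("correct horse battery stapler", record))


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Two details worth noticing: `hmac.compare_digest` is what makes the comparison constant-time (a plain `==` on bytes can leak how many leading bytes matched), and `parse_record` rejects malformed records before any derivation runs, so a corrupted or tampered `.master-pass` fails closed rather than being compared against garbage.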
### Encryption
All stored passwords are encrypted using:
- **age scrypt encryption**: age's standard passphrase-based recipient type
- **Master password**: Used directly as the age passphrase; the password itself is never written to disk
- **File format**: age v1 encrypted files (`.passage` extension)
### Security Model
- The master password protects all stored passwords
- The hash file is used only to verify the master password; the password cannot be recovered from it
- Full disk encryption is recommended for additional protection
- File permissions: `.master-pass` is stored with 0600 permissions