The entire idea here is to have a single key that gives you all the files, perfect for memorizing. So forward secrecy is explicitly not desired.
Replies (4)
Also, the best practice is to use a new nsec for this, not your main identity key; this limits key exposure and reduces compromise risk.
Nothing stops you from using your main nsec though, if that is desired.
Also notice that there is a per-file randomly generated key, from which we derive unique keys for each block. The per-file key is encrypted to the nsec for recovery.
This prevents linking multiple blocks to the same file/user.
Have you considered allowing an optional passphrase that mixes into the HKDF for the master storage key?
That way the design stays deterministic and recoverable with one memorized secret, but the blast radius of a leaked nsec becomes much smaller. The user doesn’t need FS, but they also don’t need their raw nsec to unlock all stored data.
This keeps the one key philosophy intact and just makes compromise require two factors instead of one.
Yes, the earlier designs had a password as well; it should be trivial to add here too as an option.
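To make the two replies above concrete (the per-file key with per-block derivation, and the optional passphrase mixed into the HKDF for the master storage key), here is an added sketch of that key hierarchy. It is example code written for this thread, not the project's own implementation, and it makes several assumptions: the nsec is handled as its raw 32-byte secret (a real nsec is bech32-encoded and would be decoded first); the per-file key is wrapped symmetrically under the master storage key instead of being encrypted to the nsec's public key; the salt labels and the length-prefixed mixing of the passphrase are my choices; and a real deployment would run the passphrase through a memory-hard KDF before mixing it in. HKDF is implemented directly from RFC 5869 over HMAC-SHA256 so the block runs with the standard library only.

```python
import hashlib
import hmac
import os

# Assumptions (mine, not the project's): nsec is the raw 32-byte secret key;
# the per-file key is wrapped under the master storage key symmetrically
# rather than encrypted to the nsec's public key; salt labels are invented.
MASTER_SALT = b"nostr-storage-master-v1"   # assumed app label
BLOCK_SALT = b"nostr-storage-block-v1"     # assumed app label
KEY_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def master_storage_key(nsec: bytes, passphrase: str = "") -> bytes:
    """Deterministic master key from the nsec, optionally mixed with a
    passphrase so a leaked nsec by itself does not unlock the store.
    A real deployment should stretch the passphrase (e.g. Argon2) first."""
    pw = passphrase.encode("utf-8")
    ikm = nsec + len(pw).to_bytes(2, "big") + pw   # length-prefixed, assumed layout
    return hkdf(ikm, MASTER_SALT, b"master")


def new_file_key() -> bytes:
    """Fresh random per-file key; carries nothing that links to the user."""
    return os.urandom(KEY_LEN)


def block_key(file_key: bytes, block_index: int) -> bytes:
    """Per-block key derived from the file key; without the file key,
    blocks cannot be linked to each other or to the file."""
    return hkdf(file_key, BLOCK_SALT, b"block" + block_index.to_bytes(8, "big"))


def wrap_file_key(master: bytes, file_key: bytes) -> bytes:
    """Store the file key for recovery: encrypt-then-MAC under keys
    expanded from the master key and a fresh 16-byte nonce."""
    nonce = os.urandom(16)
    enc_key = hkdf(master, nonce, b"wrap-enc")          # 32-byte one-time pad
    mac_key = hkdf(master, nonce, b"wrap-mac")
    ciphertext = bytes(a ^ b for a, b in zip(file_key, enc_key))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_file_key(master: bytes, blob: bytes) -> bytes:
    """Recover the file key; raises ValueError on tampering or a wrong master key."""
    if len(blob) != 16 + KEY_LEN + 32:
        raise ValueError("malformed wrapped key")
    nonce, ciphertext, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    mac_key = hkdf(master, nonce, b"wrap-mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    enc_key = hkdf(master, nonce, b"wrap-enc")
    return bytes(a ^ b for a, b in zip(ciphertext, enc_key))


# Constructed demo secret for the example; not a real key.
DEMO_NSEC = hashlib.sha256(b"constructed demo nsec, not a real key").digest()


def demo() -> dict:
    """Walk the hierarchy once and report the properties the thread cares about."""
    master = master_storage_key(DEMO_NSEC, "correct horse")
    fk = new_file_key()
    wrapped = wrap_file_key(master, fk)
    return {
        "recovered_ok": unwrap_file_key(master, wrapped) == fk,
        "nsec_alone_differs": master_storage_key(DEMO_NSEC) != master,
        "blocks_unlinkable": block_key(fk, 0) != block_key(fk, 1),
    }


if __name__ == "__main__":
    print(demo())
```

Recovery stays one memorized secret plus the optional passphrase: the same nsec and passphrase always reproduce the master key, while the random per-file key means two blocks of the same file, or two files of the same user, share no derivable relationship in storage.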