How does Password Manager by 2Stable work under the hood? Part 2, The Storage.

How does Password Manager by 2Stable work under the hood? Part 2, The Storage.

Alex Vera author picture

by Alex Vera

Founder & CEO

28 May 2024 · 7 minutes to read

In our previous article, I talked all about the Vault in Password Manager by 2Stable. If you missed it, take a moment to check it out here.

Now, let’s move on to the next big piece of the puzzle: creating what we call the Storage. Think of it as the core place where all your information is stored. It’s not just a regular database; it also acts as a synchronization engine, built to prioritize offline access. This approach means Storage has two main tasks: ensuring your data remains secure and keeping it synchronized across your devices, or with anyone you choose to share it with. And it does all this securely, ensuring that your information is both safe and accessible, whenever you need it, without compromising on privacy or security.

Let’s start with Storage’s first responsibility: persisting data. For our app, we picked a database that many developers like, called Realm by MongoDB. Why Realm, you might ask? It’s because Realm is designed for speed and efficiency, making it perfect for mobile applications like ours. Plus, it has robust encryption capabilities that work seamlessly with our security model. This means your data is not just stored; it’s stored securely, ensuring that without the Master Key, your information remains unreadable and safe.

From the MongoDB website, we learn that Realm keeps your data safe using an encryption algorithm called AES-256 + SHA-2. Think of AES-256 as a super-strong lock that only the right key can open. And SHA-2 helps make sure nobody has tampered with your data. This combination makes your information very secure. If you want to know more about how it works, check it out here.

Now, let’s talk about the second important job of Storage: making sure your data is in sync. In today’s world, it’s super important to have your information available on all your devices or to share it safely with others. Storage isn’t just for keeping your data safe; it also makes sure that all your info is updated and in sync, even if you’re not online. When you do get back online, Storage automatically updates your info across all your devices or with anyone you’ve decided to share it with. Plus, if you use iCloud to store your data, we keep it encrypted there too, making sure it’s always protected. This syncing is all about keeping your data safe and under your control, everywhere you go.

You might have noticed the mention of iCloud earlier and wondered how it fits into our security model. iCloud uses a technology called CloudKit, which is Apple’s powerful cloud storage framework. CloudKit gives you a secure and private space online that only you can access. This is key for us at 2Stable because it means your data is stored in a place where we can’t directly access it. We make sure not to store your personal data on our servers; instead, your encrypted information is safely kept within Apple’s CloudKit. This method enhances security and ensures that you’re the only one in control of your data.

At this moment, we have all the information needed to dive deeper into how we integrate Realm and your iCloud storage together using Storage.

First, we create four instances of Storage:

None of them are encrypted.

These Storages don’t store any sensitive information; we primarily use them for organizational purposes.

Next, we create the VaultStorage. This Storage instance is created with the primary key of the created Vault and encrypted with your Master Key. This key is exactly the size we need, 512 bits (64 bytes).

In VaultStorage, we keep and sync:

In general, we keep in VaultStorage all data that needs to be synced with your other devices but not with your shared groups.

Regarding the data stored in VaultStorage, we have properties such as Favorite, Autofill, Used, and Shared Settings. These properties are designed to be shared across the user’s devices but not with their groups. For example, if you mark an item as a favorite, it should not be automatically marked as a favorite for other members of the group.

In our app, users can organize their data into Groups. Each group matches a CloudKit Zone. This design has many benefits. CloudKit custom zones can be shared, and we use this feature. But, to keep all safe, we encrypt every object we add to these zones. For this encryption, we use Group Encryption Keys, next referred to as GEKs.

In our app, you have three kinds of groups for your items: Personal, Private, and Shared. The Personal group is just for you and can’t be shared, keeping your personal stuff safe from being accidentally shared. The Private group can be shared if you want. Everything in this group is kept in the iCloud of the person who made the group, called the admin. The Shared group is a group someone else shared with you. The stuff in this group is actually in the iCloud of the person who shared it, who is also the admin.

In our current design, Shared and Private groups look the same, but they are actually different, as described before. In fact, if you create a new group and haven’t shared it with anyone yet, then this group is considered Private.

When you create a new Group, we generate a GEK for it. This key is similar to the one we use for the Vault, having the same size of 512 bits (64 bytes), but it comes with extra details like isSharable and more.

Now we create a new instance of Storage with the Group primary key and the GEK, and this data is persisted in our VaultStorage. This way, you can access the objects in this group when you unlock the app next time.

For Shared groups, it works a bit differently. We don’t make a new GEK; instead, someone shares the key with you. I’ll go into details on how we securely share the GEK in my next article. But for now, it’s essential to know that this data is safely stored in VaultStorage too.

To summarize:

  1. We maintain four unencrypted Storage instances for organizational purposes.
  2. The VaultStorage is encrypted with the Master Key and syncs exclusively with your devices.
  3. Personal and Private groups, which you create, have their GEKs generated by you. These GEKs are securely stored in VaultStorage.
  4. Shared Groups are established when someone invites you to join their group. The GEK for these groups is securely shared with you and is also stored in VaultStorage.

In my next article, I’ll explain how we securely share the GEK of Shared Groups with you. Additionally, I’ll address the purpose of having Profile in our VaultStorage. This way, you’ll have a better understanding of how we keep your data safe and secure. Stay tuned for more insights into our robust security measures, ensuring your peace of mind when using Password Manager by 2Stable!

Share this article: