Skip to content

Security Overview

NovaKey is designed around a few core safety principles:

Key principles

  • Secrets are never displayed after creation
  • Secrets are never logged
  • All communication is encrypted
  • Devices must be explicitly paired

NovaKey does not rely on cloud infrastructure.

Secrets stay on the phone

  • Secrets are stored only in the iOS Keychain.
  • Secrets are never displayed again after saving.
  • Sending/copying requires Face ID / passcode.

Explicit trust via pairing

  • Devices must be paired before any secrets can be accepted.
  • Pairing validates server identity via a fingerprint embedded in the QR.

Modern cryptography (post-quantum capable)

NovaKey uses: - ML-KEM-768 (Kyber / ML-KEM class) for session establishment - HKDF-SHA-256 for key derivation - XChaCha20-Poly1305 for authenticated encryption

Replay & abuse resistance

  • timestamp freshness checks
  • replay protection
  • per-device rate limiting
  • arming (“push-to-type”)
  • two-man approval
  • focused target allow/deny lists
  • injection safety rules (newline/length)
  • configurable clipboard and auto-typing fallbacks (disabled unless needed; can be restricted or disabled)

For wire details, see Protocol Summary.