AES-256-GCM in the browser: a quick tour of our crypto stack
We use the Web Crypto API with AES-GCM. Here’s what that means and why we chose it.
All encryption and decryption use the SubtleCrypto interface (Web Crypto API). We use AES-256-GCM: 256-bit key, Galois/Counter Mode, which gives both confidentiality and authentication. If someone flips a bit in the ciphertext, decryption fails—no silent corruption.
Why GCM and not CBC
CBC is still common but is easy to misuse (IV reuse, padding oracles). GCM is an AEAD mode (authenticated encryption with associated data): encryption produces an authentication tag that we store with the ciphertext, and on decrypt the browser verifies that tag before returning any plaintext. We also generate a fresh random IV for every encryption operation, so we avoid the pitfalls of IV reuse.
Key derivation
The key comes from PBKDF2 with SHA-256, 310,000 iterations, and a random salt. So the “key” the user has is really a password; we turn it into a proper 256-bit key in the browser and never send that key anywhere.