The $5 wrench attack shows crypto fails under coercion.
Sanctum tries to fix this by making coercion non‑verifiable.
How it works:
Panic password → instantly shows “vault deleted” before any crypto. Indistinguishable from real deletion.
Decoy password → unlocks harmless data.
Hidden password → real secrets, existence can’t be proven.
Crypto:
\- Argon2id slows a lot brute force. Argon2id is a password hashing function (key derivation function) that's intentionally slow and memory-hard. It won the Password Hashing Competition in 2015.
\- HKDF separates keys so decoy reveals nothing about hidden. HKDF is HMAC-based Key Derivation Function (RFC 5869) - it takes one key and derives multiple independent keys from it. The "domain separation" means adding unique labels so each derived key is cryptographically independent.
\- XChaCha20‑Poly1305 makes ciphertexts look random. XChaCha20-Poly1305 is a modern authenticated encryption cipher - XChaCha20 encrypts the data (fast stream cipher), Poly1305 adds authentication tag to detect tampering.
\- Split-key architecture - encryption key split into KeyA (in URL hash, never sent to server) + KeyB (encrypted in database D1 on cloudflare). need both to decrypt, compromising server or URL alone gets you nothing.
\- PRF Pseudorandom Function, the cipher output is computationally indistinguishable from truly random data. In simple terms: encrypted data looks like random noise, so you can't tell if it's real encrypted content or just garbage/padding.
More defense in depth:
\+Data stored in remote separate decentralized IPFS blobs + PRF security → no proof hidden data exists.
\+Keys stays only in browser RAM only and for 60 seconds before automatic wipe out.
Combining with tails over tor makes it secure against malicious extensions.
Anyway, thought this was a neat approach to a real problem. The code's open source if anyone wants to audit: [https://github.com/Teycir/Sanctum](https://github.com/Teycir/Sanctum) and help harden it or give ideas for improvement.