Security
Threat model and security architecture
Zero-knowledge architecture. Your keys never leave your machine. We cannot read your backups even if compelled.
Security model
DevSafe is a zero-knowledge encrypted backup tool. Your encryption keys are generated on your machine, stored on your machine, and never transmitted anywhere. We cannot read your backups. Not "we choose not to." We literally cannot.
This page explains what we protect against, how the encryption works, and what remains your responsibility. It is written for security-conscious developers and enterprise evaluators who need to verify our claims before trusting us with their infrastructure.
Threat model
Every security claim should be specific and verifiable. Here is what DevSafe defends against and how.
| Threat | Mitigation | Status |
|---|---|---|
| Cloud sync corruption (iCloud, Dropbox, OneDrive, Google Drive) | Git-aware encrypted snapshots bypass the filesystem entirely. DevSafe reads directly from git's internal structures and writes a single encrypted blob. No partial writes, no lockfile races. | Mitigated |
| Storage provider compromise | AES-256 authenticated encryption. The storage provider never sees plaintext. Even a full breach of your user-owned storage reveals only encrypted blobs with no usable content. | Mitigated |
| Key theft from developer machine | Master key stored with 0600 permissions. Unique key per repository. Keys generated locally, never transmitted. Compromising one repo does not expose others. | Mitigated (user responsibility) |
| Man-in-the-middle during upload | TLS 1.2 or higher for transport. AES-256 authenticated encryption provides data integrity and authentication. Tampering is detected and rejected. | Mitigated |
| Malicious AI agent reads .env files | AI Shield deny rules block agent access to sensitive paths. MCP config hardening prevents secret exfiltration through tool configurations. | Mitigated (with shield) |
| Cryptographic failure | Every encryption operation uses a unique, cryptographically random value. Authenticated encryption ensures integrity per NIST standards. | Mitigated by design |
| Backup tampering | Signed commitments with Ed25519. Cryptographic verification proofs confirm backup integrity without decrypting the data. | Mitigated |
| Metadata leakage from key names | Encrypted identifiers. Access pattern protection prevents an observer from correlating upload frequency to repository activity. | Planned (v2.0) |
Encryption architecture
DevSafe uses well-established cryptographic primitives. No custom algorithms. No novel cryptography. Every component is a NIST-approved or industry-standard building block.
- Algorithm: AES-256-GCM. Authenticated encryption provides confidentiality and integrity in a single pass. Hardware-accelerated via AES-NI.
- Key isolation: Unique key per repository. Keys generated locally, never transmitted. Compromising one repo key does not expose any other repo.
- Freshness: Every encryption operation uses a unique, cryptographically random value. No key or value is ever reused.
- Signing: Ed25519 for backup integrity commitments. Each backup includes a signature that proves it was created by your key and has not been modified.
- Streaming: Large backups are encrypted in chunks without loading the entire file into memory. An AES-NI streaming pass handles multi-gigabyte repositories without memory pressure.
Key management
Zero knowledge
Your master key is generated locally, stored locally, and never transmitted. We do not have a copy. We cannot recover your data if you lose your key. This is a deliberate design choice.
- Master key generated locally, stored at ~/.devsafe/master.key with 0600 permissions (owner read/write only).
- Per-repo keys generated locally. Unique keys per repository. Compromising one repo key does not expose any other repo.
- Key rotation supported with re-encryption delta. Rotate your master key without re-uploading every backup from scratch.
- Keys never transmitted to any server. Not to DevSafe. Not to your storage provider. Not to anyone.
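Because key protection on the developer machine is listed above as a user responsibility, the following added example (not DevSafe's own code) audits the key file at the path and mode stated on this page. The ownership, symlink and parent-directory checks are assumptions about what a careful evaluator would also verify, not documented DevSafe behavior.

```python
import os
import stat
import sys
import tempfile

DEFAULT_KEY = os.path.expanduser("~/.devsafe/master.key")  # path stated on this page


def audit_key_file(path):
    """Return a list of findings for a key file; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat: inspect the path itself, not a symlink target
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, expected a regular file"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit breaks the 0600 guarantee
        findings.append(f"{path}: mode {mode:04o} grants group/other access, expected 0600")
    if st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A directory writable by others lets them replace the key file even at 0600;
    # the sticky bit (as on /tmp) blocks that for files they do not own.
    if stat.S_IMODE(pst.st_mode) & 0o022 and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: directory is group/other writable")
    return findings


def demo():
    """Run the audit on a constructed key file in a temp dir, before and after chmod."""
    d = tempfile.mkdtemp()  # created with mode 0700
    key = os.path.join(d, "master.key")
    with open(key, "wb") as f:
        f.write(os.urandom(32))  # constructed sample key material
    os.chmod(key, 0o644)
    before = audit_key_file(key)
    os.chmod(key, 0o600)
    after = audit_key_file(key)
    return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_KEY
    problems = audit_key_file(target)
    print("\n".join(problems) or f"{target}: ok")
    sys.exit(1 if problems else 0)
```

The script exits non-zero on any finding, so it can run as a login hook or pre-backup check.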
What we cannot do
This is the list that matters. These are not policies. They are architectural constraints.
Read your backup data
We do not have your key. The data is encrypted before it leaves your machine.
Recover your data if you lose your key
Zero-knowledge means zero recovery. Your key is the only way in.
Read the contents of any backup
All data is encrypted before it leaves your machine. We receive ciphertext. Full metadata privacy is planned for v2.0.
Access your .env files or secrets
DevSafe is a local-only tool. Your secrets never leave your machine. AI Shield adds a second layer by blocking agent access to sensitive paths.
Responsible disclosure
Report a vulnerability
We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days. We do not pursue legal action against security researchers who act in good faith.
If the vulnerability affects user data, we will issue a fix before disclosing publicly. We will credit you in the advisory unless you prefer to remain anonymous.
Questions
If you need more detail about our security model for an enterprise evaluation, compliance review, or audit, reach out through our contact form. We are happy to provide additional documentation.
HXA Labs LLC
Joshua D. Ledbetter, Founder
13560 Roller Coaster Rd, Ste 120, Box No. 172
Colorado Springs, CO 80921
Web: devsafe.com