Free Tools Pricing
Log in Sign up →

Security

Threat model and
security architecture

Zero-knowledge architecture. Your keys never leave your machine. We cannot read your backups even if compelled.

Last updated May 2, 2026

Security model

DevSafe is a zero-knowledge encrypted backup tool. Your encryption keys are generated on your machine, stored on your machine, and never transmitted anywhere. We cannot read your backups. Not "we choose not to." We literally cannot.

This page explains what we protect against, how the encryption works, and what is your responsibility. It is written for security-conscious developers and enterprise evaluators who need to verify our claims before trusting us with their infrastructure.

Threat model

Every security claim should be specific and verifiable. Here is what DevSafe defends against and how.

Threat Mitigation Status
Cloud sync corruption (iCloud, Dropbox, OneDrive, Google Drive) Git-aware encrypted snapshots bypass the filesystem entirely. DevSafe reads directly from git's internal structures and writes a single encrypted blob. No partial writes, no lockfile races. Mitigated
Storage provider compromise AES-256 encryption with authenticated encryption. The storage provider never sees plaintext. Even a full breach of your user-owned storage reveals only encrypted blobs with no usable content. Mitigated
Key theft from developer machine Master key stored with 0600 permissions. Unique key per repository. Keys generated locally, never transmitted. Compromising one repo does not expose others. Mitigated (user responsibility)
Man-in-the-middle during upload TLS 1.2 or higher for transport. AES-256 authenticated encryption provides data integrity and authentication. Tampering is detected and rejected. Mitigated
Malicious AI agent reads .env files AI Shield deny rules block agent access to sensitive paths. MCP config hardening prevents secret exfiltration through tool configurations. Mitigated (with shield)
Cryptographic failure Every encryption operation uses a unique, cryptographically random value. Authenticated encryption ensures integrity per NIST standards. Mitigated by design
Backup tampering Signed commitments with Ed25519. Cryptographic verification proofs confirm backup integrity without decrypting the data. Mitigated
Metadata leakage from key names Encrypted identifiers. Access pattern protection prevents an observer from correlating upload frequency to repository activity. Planned (v2.0)

Encryption architecture

DevSafe uses well-established cryptographic primitives. No custom algorithms. No novel cryptography. Every component is a NIST-approved or industry-standard building block.

  • Algorithm: AES-256-GCM. Authenticated encryption provides confidentiality and integrity in a single pass. Hardware-accelerated via AES-NI.
  • Key isolation: Unique key per repository. Keys generated locally, never transmitted. Compromising one repo key does not expose any other repo.
  • Freshness: Every encryption operation uses a unique, cryptographically random value. No key or value is ever reused.
  • Signing: Ed25519 for backup integrity commitments. Each backup includes a signature that proves it was created by your key and has not been modified.
  • Streaming: Large backups are encrypted in chunks without loading the entire file into memory. AES-NI streaming pass handles multi-gigabyte repositories without memory pressure.

Key management

Zero knowledge

Your master key is generated locally, stored locally, and never transmitted. We do not have a copy. We cannot recover your data if you lose your key. This is a deliberate design choice.

  • Master key generated locally, stored at ~/.devsafe/master.key with 0600 permissions (owner read/write only).
  • Per-repo keys generated locally. Unique keys per repository. Compromising one repo key does not expose any other repo.
  • Key rotation supported with re-encryption delta. Rotate your master key without re-uploading every backup from scratch.
  • Keys never transmitted to any server. Not to DevSafe. Not to your storage provider. Not to anyone.

What we cannot do

This is the list that matters. These are not policies. They are architectural constraints.

Read your backup data

We do not have your key. The data is encrypted before it leaves your machine.

Recover your data if you lose your key

Zero-knowledge means zero recovery. Your key is the only way in.

Read the contents of any backup

All data is encrypted before it leaves your machine. We receive ciphertext. Full metadata privacy is planned for v2.0.

Access your .env files or secrets

DevSafe is a local-only tool. Your secrets never leave your machine. AI Shield adds a second layer by blocking agent access to sensitive paths.

Responsible disclosure

Report a vulnerability

We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days. We do not pursue legal action against security researchers who act in good faith.

If the vulnerability affects user data, we will issue a fix before disclosing publicly. We will credit you in the advisory unless you prefer to remain anonymous.

Questions

If you need more detail about our security model for an enterprise evaluation, compliance review, or audit, reach out through our contact form. We are happy to provide additional documentation.

HXA Labs LLC

Joshua D. Ledbetter, Founder

13560 Roller Coaster Rd, Ste 120, Box No. 172
Colorado Springs, CO 80921

Web: devsafe.com

Newsletter

Stay ahead of threats

Research, threat intel, and tutorials. We only publish when we have something worth your time.

No spam. Unsubscribe anytime.

What topics interest you?

Threats
Tutorials
Engineering
AI Security
Product
Everything

Skip this step