Kassword requires JavaScript and WebAssembly.
POST-QUANTUM · BLOCKDAG-BACKED · ZERO-SERVER · LONG-TERM

Encrypted
on the DAG, post-quantum

Your passwords, wallet backups, IDs and files - sealed in your browser with Argon2id + XChaCha20-Poly1305 + ML-KEM-1024 + ML-DSA-87 (NIST Level 5), backed up to Kaspa's BlockDAG. No sign-up, no account. Nobody else holds a copy to hand over. The locks are built to hold up against today's computers and the powerful quantum computers expected later. How safe it is comes down to three things: a strong password, an unaltered copy of this app, and keeping your wallet key secret.

PQ
Cipher suite
0
Servers
PQ
FIPS 203/204
On the DAG
New here? Choose one strong master password, at least 12 characters. It locks everything you save. There is no reset or backdoor. If you forget it, the vault is gone for good, so write it down and keep it somewhere safe.
Argon2id KDF XChaCha20-Poly1305 ML-KEM-1024 (FIPS-203 Level 5) ML-DSA-87 (FIPS-204 Level 5) BLAKE2b Merkle media 2-factor (password + wallet) Kaspa BlockDAG backup Offline phone signer
Argon2idXChaCha20-Poly1305ML-KEM-1024ML-DSA-87BLAKE2b Merkle192-bit NoncesMemory-Hard KDFPer-Entry AEADSigned BackupsKaspa BlockDAGZero ServersOpen Source Argon2idXChaCha20-Poly1305ML-KEM-1024ML-DSA-87BLAKE2b Merkle192-bit NoncesMemory-Hard KDFPer-Entry AEADSigned BackupsKaspa BlockDAGZero ServersOpen Source
How your data is protected
🛡 Argon2id (memory-hard KDF). This is a trusted, award-winning way to scramble your password. It uses a lot of memory and repeats the work several times, which makes guessing your password far too slow and costly to be worth it, even for powerful special-purpose machines.
🔐 XChaCha20-Poly1305 (AEAD). This is a strong, modern lock. It uses extra-long one-time codes, which removes a known weakness that can show up when locks are reused over many years. Every item gets its own one-time code.
🛰 ML-KEM-1024 (NIST FIPS-203, Level 5). This keeps your network backups safe even against future quantum computers, and lets you open them on any device. The key to each backup is built from TWO things together: your password and your wallet key. A new device can only rebuild that key if it has both. So a network backup needs both, just like your local vault. Because your password is one of those, use a strong one.
ML-DSA-87 (NIST FIPS-204, Level 5). Every network backup carries a digital signature tied to both your password and your wallet key. When you recover, the app checks that signature before unlocking, so it knows the backup is really yours. A fake copy fails this check, even against a quantum attacker. Both your local vault and your network backup need both your password and your wallet key. Neither one can be opened with just one of them.
🌳 Per-file Merkle tree (BLAKE2b). Big files are split into pieces and locked one piece at a time, then tied together with a math fingerprint. If any piece is cut, moved, or changed by even one bit, the app can detect it.
🔑 2-factor key derivation. It takes both your password AND your wallet key, working together, to unlock anything. Having just one of them is not enough.
💻 Runs in your browser. There are no Kassword servers and no accounts. Your data is locked right on your own device. The app only talks to a Kaspa network connection you pick, and some recovery and file features use a Kaspa data service. Your password never leaves your device. The code is open for anyone to check.
Kaspa BlockDAG backup. Optional. Your locked vault can be saved onto the Kaspa network. No one can read it without both your password and your wallet key.
Auto-lock after 5 minutes of no activity. The keys used to open your vault are erased from memory.
YOUR SECRETS
Encrypted on the DAG
post-quantum
A vault that runs in your browser. Your password is run through Argon2id (a slow, memory-hungry scrambler that makes guessing very hard). Each item is then locked with XChaCha20-Poly1305 (a strong, modern lock). The math behind it (ML-KEM-1024 and ML-DSA-87) is built to resist future quantum computers. You can back it up to the Kaspa BlockDAG and get it back on any device. To anyone else it looks like random noise, and it stays there for as long as the network lives.
Argon2id (RFC 9106) XChaCha20-Poly1305 ML-KEM-1024 (FIPS-203 Level 5) ML-DSA-87 (FIPS-204 Level 5) BLAKE2b Merkle media 2-factor (password + wallet)
-
Total: - KAS · Spendable: - KAS
⚠ Recovery key - save this AND your password. Anyone with both opens your vault.
click to reveal
↗ Send KAS
Your payment is approved right here on your device with your wallet key. It does not pass through a middleman. Always check the address and amount before you confirm.
Available: - · Network fee ~0.0001 KAS
Add entry
Encrypted locally with XChaCha20-Poly1305 and locked with its own one-time code before it is saved. The key is built from your password and your wallet key together. You can also back it up to the Kaspa BlockDAG, where a digital signature shows if anyone tries to tamper with it.
🔐
Vault is empty
Add your first entry. Kassword locks it on your device, using a key built from your password and wallet key together, before anything is saved. Back it up to the Kaspa network when you are ready.
Your vault is saved on this device automatically, locked with your password and wallet key together. To keep it for the long term and use it on other devices, send a locked backup to the Kaspa BlockDAG below.
How to use Kassword
01
Set your master password
Pick a strong password (12 or more characters). The app runs it through Argon2id (a slow, memory-hungry scrambler), which makes guessing it far harder than older methods. There is no reset button. If you lose this password, no one can open the vault, not even us.
02
Save your vault key
Click "Show vault key" above. You will see a long code (64 characters). Write it down or save it somewhere offline, like paper, a USB stick, or a printout in a sealed envelope. To open your vault on a new device you need both this key AND your password. One without the other will not work.
03
Add your secrets
Add passwords, wallet backups, IDs, notes, photos, and videos. Every item is locked on your device first, with its own one-time code, before it is saved anywhere. Big files like photos and videos get a math fingerprint, so if even one bit is changed the app will notice.
04
Fund your wallet
Send some KAS (the Kaspa coin) to your wallet address shown above. Saving a backup to the network costs a small fee: about 5 KAS for text only, or about 10 KAS if you include photos or files. The Kaspa Locker tab needs at least 1.1 KAS each time you set one up. Use the Send KAS button for normal spending.
05
Backup to DAG (signed)
Click "Backup to DAG". The app locks your vault again with a fresh key, adds a digital signature that proves it came from you, then writes it onto the Kaspa network. If someone tries to swap in a fake copy, the signature will not match, so your recovery rejects it.
06
Recover anywhere
On a new device, click "Recover from DAG" and enter your password. Kassword looks through your wallet's history, finds your newest backup, checks that the signature is really yours, and then unlocks it.
⚠ Your vault is stored inside this browser. Clearing your browsing data, or using a private/incognito window, will erase it. Always back up to the network first before you clear your browser data.
ON-CHAIN VAULTS

Consensus-enforced spending conditions

Lock your KAS in an on-chain vault on Kaspa. The vault can have up to six different ways to open it, and you turn on the ones you want: open with this wallet, a quantum-resistant lock, a release that needs a secret, a payout to an heir if you go silent, a group vote, and a cold lock that opens with no signature at all. To open a vault you have to meet one of the rules you turned on. For the rules that pay out automatically, the destination is locked in advance, so the money can only go where you set it to go. The Kaspa network itself enforces these rules. There is no Kassword server in the middle. The app talks to a Kaspa node that you pick.

Status: Toccata activates on mainnet via consensus fork (scheduled 2026-06-30). This page builds + deploys covenant vaults; the same builder bytes were proven on the Toccata testnet.
Pick a scenario, then click deploy
🎁 Claim an escrow vault someone locked for you
If a friend / employer / counterparty locked KAS via HTLC and gave you the preimage out-of-band (Signal, sealed envelope, in person), this is how you claim it. Kassword builds the unlock TX from THIS wallet - the HTLC consensus rule checks that BLAKE2b(your preimage) matches the committed hash in the vault redeem.
The sender gives you this address. It's where they locked the KAS.
The sender shares the redeem hex along with the preimage.
Leave blank to send to your own wallet.
Kassword will scan the P2SH for a UTXO, build the HTLC unlock witness (preimage + your sig + selector + redeem), and submit. Consensus checks: BLAKE2b(preimage) == committed_hash AND your wallet sig is valid on the spend. If both pass, the KAS lands in your wallet.
⏳ Claim an inheritance (dead-man-switch)
Someone set up a vault that releases to you if they go silent. They gave you a capsule + a one-time claim secret (out-of-band - Signal, sealed envelope, in person). After the time-lock matures you can claim it from any device: no signature, no wallet of theirs, nothing to sign. The covenant pins the funds to your address, so a broadcaster can't redirect them.
Where the KAS is locked. The capsule is cryptographically bound to this address.
From the owner, or from the vault's create-transaction payload (the capsules array) - pick the one for you.
Usually filled automatically from the kit. Paste it only if your kit is older and the claim says it can't pick the vault UTXO - it pins the exact funding output past a dust flood.
Kassword decrypts the capsule with your secret (it never leaves this device), checks the time-lock has matured, then builds + broadcasts the keyless release. Consensus checks: tx.lockTime ≥ the committed unlock score AND the output goes to the pinned heir. No private key is used.
🤝 Recover a vault via M-of-N trustee quorum
The owner is gone (lost device, deceased, incapacitated). M of the N named trustees together can drain the vault. Paste the vault P2SH + redeem hex below - Kassword freezes the recovery transaction, then you collect M trustee signatures: either export a sign-request packet for each remote trustee (their key stays on their device) or, for testing, paste throwaway keys directly. Broadcasts once M signatures are in.
The vault address holding the locked KAS.
From the on-DAG deploy payload, or from a local backup the owner shared.
Leave blank to send to your own connected wallet.
🖊 Sign a recovery request (you are a trustee)
Someone is recovering a vault you're a trustee on. Paste the sign-request they sent you. Your device verifies the request, shows you exactly where the funds go, and signs with YOUR key - only a signature packet leaves this device, never your private key.
🔌 Offline-sign a vault unlock (air-gap)
Spend a Schnorr vault without your wallet key ever touching the network. The online coordinator builds the exact unlock transaction (recipient + fee fixed); you carry it to an offline device that holds the key, sign it there, and bring the signed transaction back to broadcast. The signed spend is byte-identical to an online unlock - a compromised online device can't redirect it, because the destination is fixed before signing. (Password-gated vaults unlock online, where the password is re-entered.)
🌐 COORDINATOR (online) - build + broadcast
📱 SIGNER (offline) - review + sign

Run on an offline device with your vault unlocked. Paste the unsigned unlock, confirm the recipient + amount, then sign. Your key never touches the network.

Lock KAS in a programmable vault
Your KAS goes to a special address on Kaspa where you choose how it can be unlocked later. Tick the unlock methods you want. Anything you don't tick simply isn't available - so attackers can't sneak through an option you didn't pick.
🔒 Maximum security - true cold storage
One click: offline-phone unlock ON, hot wallet path OFF, withdrawals pinned to one address, plus a backup-wallet escape hatch. A hacked PC cannot drain it - and if you lose the phone, the funds still recover to your backup wallet.
Vault address: generated when you click Deploy
Network fee: about 0.001 KAS (one transaction)
No on-DAG vaults yet
Deploy your first Toccata-native vault. Six unlock styles are available here: Schnorr daily unlock, HLMT offline-phone unlock, PQ-cold sig-less pinned payout, HTLC escrow, dead-man's switch, and M-of-N trustee recovery. Choose one, or stack compatible branches on the same vault; Kassword blocks combinations that would make a locked payout address meaningless.
COLD DEVICE APPROVAL

Your offline phone holds the unlock codes

Open Kassword on a phone in airplane mode - that's your COLD device. The safest way to run it is to download the app and run it locally (see below) so your keys never depend on a website. The cold device makes a one-time set of secret unlock codes and keeps them. It hands you only a short code called the "vault root". You pair that root with your everyday browser, which we call the HOT device. To spend money, the hot device builds the exact transaction. You carry it over to the cold phone. The cold phone shows you the real recipient + amount and Schnorr-signs the actual spend. It signs that exact transaction using one of its one-time codes. You carry the signed transaction back, and the hot device sends it out. The cold phone never goes online.

What the cold device actually approves:
  1. Generate: The cold device makes a batch of one-time unlock codes and keeps them. It gives you only one short code, the vault root, to take to your hot device. One batch of codes locks one vault.
  2. Deploy: Your hot device locks KAS into a vault that is tied to that root. We suggest you also lock in one payout address so the vault can only ever pay that address. The app will not let you reuse the same root for two vaults.
  3. Spend: The hot device builds the transaction but cannot sign it. The cold device reads it, shows you the real address and amount, and signs that exact transaction with one of its one-time codes. The hot device then sends it out. It cannot change anything in the transaction, because any change would break the signature.
Why a compromised hot device still can't drain you
The cold device reads the exact transaction and signs it with a one-time code. Once you approve it on the cold screen, nothing in that transaction can change. If you also pin a withdrawal address when you open the vault (the "Max security" choice), the vault can only ever pay that one address. So even a hot device that has been hacked can never send your money somewhere else or waste it on fees. Always check the address and amount on the cold device before you approve. The cold screen is the one you trust, not the hot browser.
📥 Download & run it yourself (cold / offline / air-gap)
Kassword is one open file that anyone can read. For the strongest safety, run your OWN copy on your computer instead of trusting any website. You can run it on a normal computer, or on a device that stays offline. Get the full set of files (the app plus start.bat) from GitHub, or save this exact page right now.
Get it on GitHub (full bundle + start.bat)
To run it on your own machine: download the files, then double-click start.bat (or run python serve_nocache.py) and open the address it shows you. Once it has loaded, it works with no internet at all, which is perfect for a cold, offline phone.
Media offline cache
Before you go offline, download any pictures or files you have not saved yet, so they are stored safely in this browser.
📱 I am the COLD device

Use this on an offline phone with airplane mode turned ON. It makes a fresh batch of one-time unlock codes. You then copy the short vault root over to your hot device.

⬇ Got an unlock request from your HOT device?
Paste it here. The cold device shows you the exact address and amount, signs it with a one-time code, and gives you back a proof. Copy that proof to the hot device, which sends the spend out.
📥 Restore a cold tree from a backup

On a fresh or wiped device, paste the kassword-cold-secrets backup file you saved plus the password it was sealed with. This rebuilds the cold tree here so you can sign unlock requests again.

SIGN A SPEND OFFLINE (signer) - step 2 of 3

Run this on a SEPARATE offline device that has this SAME vault on it (recover it there from the DAG, or import your wallet key). Only your own vault can sign your transaction, so a different or empty vault is refused. The HOT DEVICE tab builds the unsigned transaction and hands you the JSON. Paste it here, review every output, then sign. Carry the signed JSON back to the HOT DEVICE tab to broadcast. Your key never touches the network.

📱 SIGNER (offline) - review + sign

Use this on an offline device with your vault open. Paste in the transaction, check EVERY place the money is going, then sign it. Your key never goes online.

2Step 2 - Sign it (on your offline device)
MY VAULT protection - your offline-device steps

You turn MY VAULT protection on over on the HOT DEVICE tab (under "MY VAULT AIR-GAP"). These are the matching steps you do here on your offline device: make the one secret for Tier 2, or set up and run the oracle for Tier 4.

📱 COLD: Generate vault secret

Do this on a phone that is offline (airplane mode) or any clean device. It makes a brand new secret code and a short fingerprint of it (a SHA-256 hash, a one-way summary). The SECRET stays on this offline device or on paper. The FINGERPRINT is the part you copy to your everyday device.

📱 Tier 4 - oracle (offline device)

Run these on your offline device. Become an oracle once, ingest the arm code from your hot device, then answer each unlock challenge. Save the backup kit offline so you can rebuild this oracle if the browser is ever wiped.

ON THE COLD (oracle) DEVICE
ORACLE BACKUP KIT (save offline - restores this oracle if the browser is wiped; losing it + this device = paired vaults unrecoverable)
Same HTML, two devices. The Kassword page runs fully inside your browser, so it works with no internet. On the cold phone it cannot reach the network, and that is fine, because the cold device only needs to do math and copy text. On the hot device you connect as normal. The two devices NEVER talk to each other. You are the link between them, by copying and pasting.
HOT DEVICE

Your everyday online browser

This device talks to Kaspa and broadcasts, but it never holds your cold unlock codes. Here you pair with a cold vault, build and broadcast spends, and arm MY VAULT air-gap protection. The matching offline steps live on the COLD DEVICE tab - so you always know which device you are acting as.

🌐 I am the HOT device

This is your everyday browser. It connects to Kaspa but never holds your unlock codes. To make a vault that is tied to your offline device, copy its root code from there and paste it here.

To pay from an air-gap vault, click the HLMT (PQ) unlock button on its card. This device gives you a request (a block of text). Carry that to your cold device, get the matching reply (the witness) from it, and paste the reply back here.
BUILD + BROADCAST A SPEND (coordinator) - steps 1 and 3 of 3

This is a TWO-device tool. Build the unsigned transaction here on your online device, then carry it to your signer, which runs on a SEPARATE offline device that holds this SAME vault (you recover the vault there from the DAG, or import your wallet key). The online device builds and broadcasts but cannot sign; the offline device signs but never connects. Doing both halves on one device works for trying it out, but it adds no security. The destination is fixed inside the signed transaction, so a hacked online device can never redirect the funds. Paste the signed JSON back here to broadcast.

How to use this as a real offline signer (2 devices)
Set up your offline signer once:
1. Take a spare device (an old phone, a cheap laptop) and keep it in airplane mode, with no internet, forever.
2. Put Kassword on it from "Download and run it yourself" on the COLD DEVICE tab.
3. On it, click "Restore from another device (import wallet key)" and paste your wallet key and password. Now your signing key lives on a device that never goes online.

Each payment:
1. Here on your online device: Build unsigned tx, then Download.json.
2. Carry that file to the offline device on a USB stick. The two devices never connect - you are the wire.
3. On the offline device (COLD DEVICE tab, SIGNER): load the file, read the recipient and amount on that screen, Approve and sign, then Download.json of the signed result.
4. Carry the signed file back here on the USB stick.
5. Here: Broadcast signed tx. Done.

Your key never leaves the offline device, and that device never connects - so a hacked online device cannot steal your key or redirect your funds. This is the same air-gap that hardware wallets use.
🌐 COORDINATOR (online) - build + broadcast
1Step 1 - Build the payment (here, online)
2Step 2 - Sign it on your SIGNER (offline)

Carry the unsigned payment above to your offline device, open the 📱 COLD DEVICE tab, paste it into the SIGNER, check the recipient + amount, and sign. Bring the signed file back here for Step 3.

3Step 3 - Broadcast it (here, online, after Step 2)
🔐 MY VAULT AIR-GAP

Cold-device-gated vault decryption

Applied to MY VAULT - your passwords, notes, IDs, wallet backups, and files. When this is turned on, opening your vault on this browser needs one more thing: a secret code that is kept ONLY on your offline device or on paper. You paste this code in every time you open the vault. When the vault locks itself, it forgets the code right away. What it protects, precisely: opening the vault here, in this browser. It does not cover the copy of your vault that is saved on the Kaspa BlockDAG. You can still get that copy back with your master password plus your wallet key, so the saved copy still needs two things to open. If you also want the offline code to protect the saved copy, choose the one-time codes tier (Tier 3) instead.

Current gate: not armed
Choose a protection tier
Off - just your password (the default)

This is how your vault already works - there is nothing to set up here. Your vault opens with just your master password, with no extra offline code on this browser. The copy saved on the Kaspa BlockDAG still needs your master password plus your wallet key to open. Want more safety? Pick a higher tier above to add an offline code. Each higher tier is a little less handy but harder for a thief to beat. Tier 2 is the simplest (one code you reuse, protects this browser only); Tier 3 and Tier 4 also protect the copy saved on the Kaspa BlockDAG.

📱 Generate cold-device tree
Generates a set of single-use cold secrets, hashes them into a BLAKE2b Merkle tree, and encrypts them in this device's IndexedDB. Only the 32-byte root leaves the device. One cold tree secures exactly ONE vault - generate a fresh tree for each vault you create.
Each cold tree secures ONE vault, drained in a single unlock. A larger tree only holds spare one-time codes for that one spend - it does not add more unlocks, and a smaller tree means less cold material to back up. Secrets are stored encrypted on this device; nothing leaves until you EXPORT below.
🌐 Pair a cold vault
Paste the export blob from your COLD device. Kassword reads only the Merkle root and the public vault metadata - it never receives the secrets.
The vault is consensus-locked to this address: even if the pasted root turns out to be someone else's, they can only ever push the funds HERE - never steal them.
📱 Sign an unlock request
Paste the request blob from your HOT device. The cold device reads it, picks the requested code, and produces a witness blob you copy back to the hot device.
🧾 Incomplete operations
Operations that were durably journaled but are not yet confirmed on the DAG - from a crash, an interrupted submit, or a cross-tab conflict. Each one's recovery material is safe; verify before retrying. An unresolved entry may have affected funds or a one-time secret - do not assume it's harmless.
🕰 Re-copy the DMS heir hand-off kit
This is the inheritance kit for your heir - P2SH + claim secret + capsule. Give it to them privately (Signal / sealed envelope / in person). It's shown here only while this dialog is open and cleared when you close it; it lives encrypted-at-rest on this device the rest of the time.
🎁 Re-copy the escrow hand-off kit
Everything the recipient needs to claim, in one block: the vault P2SH, the redeem script hex, and the preimage. Give all three to them privately (Signal / sealed envelope / in person). They open KASPA LOCKER, "Claim an escrow vault", and paste EACH labeled value into its matching field. Shown only while this dialog is open and cleared when you close it; it lives encrypted-at-rest on this device the rest of the time. The preimage is a bearer secret - only the pinned recipient can claim and the payout is consensus-locked to their address, but still share it privately.
📱 Cold trees on this browser (these are keys, not your on-chain vaults)
Trees stored encrypted in your local IndexedDB. Each tree has its own ID and root.
ABOUT

Designed for long-term resistance

Kassword keeps your passwords, wallet backups, IDs, notes and media in your browser. Everything is sealed with a post-quantum crypto stack - Argon2id key stretching, XChaCha20-Poly1305 per-entry encryption, ML-KEM-1024 (FIPS-203 Level 5) and ML-DSA-87 (FIPS-204 Level 5) keypairs sealed under your password, and BLAKE2b Merkle trees for media tamper-evidence. No accounts, no Kassword servers - your data is sealed client-side; the app talks only to a Kaspa node/REST you choose. No subpoena surface for your data: no one can hand over what they never held.

The crypto stack - every claim verifiable

  • KDF - Argon2id (RFC 9106). 64 MiB memory, 3 iterations, 1 lane. Memory-hard by construction: doubling the brute-force throughput requires literally doubling the RAM, which is what makes ASIC/GPU attacks uneconomic over a century horizon.
  • Bulk cipher - XChaCha20-Poly1305 (RFC 8439 + 192-bit nonce extension). AEAD with a 192-bit nonce so reuse-collisions are statistically impossible even after billions of encrypts. AES-GCM's 96-bit nonce is unsafe for long-term archives - XChaCha20 isn't.
  • Key encapsulation - ML-KEM-1024 (NIST FIPS-203 Level 5, formerly Kyber). Lattice-based. Shor's algorithm doesn't break it. Every DAG backup encapsulates a fresh shared secret to the vault's ML-KEM public key, which is derived from BOTH your password and your wallet key. A fresh device re-derives that keypair from those two factors and decapsulates its own backups anywhere. This makes DAG backups portable and 2-factor, exactly like your local vault: both your password and your wallet key are required. Post-quantum confidentiality rests on your password plus the lattice KEM, since the wallet key is secp256k1 (Shor-derivable from its on-chain pubkey).
  • Signatures - ML-DSA-87 (NIST FIPS-204 Level 5, formerly Dilithium). The signing keypair is derived from BOTH your password and your wallet key, so recovery on any device re-derives the same public key from those two factors and verifies that a DAG backup is authentically yours BEFORE attempting any decryption. A forged blob fails the identity check immediately, and because the identity is never the raw on-chain wallet pubkey, that holds even against a quantum adversary.
  • Media - BLAKE2b Merkle tree. Files are chunked into 256 KiB blocks, each sealed under XChaCha20-Poly1305 with a per-chunk AAD that binds it to the entry id and chunk index. A BLAKE2b Merkle root over the sealed chunks makes any byte-flip / reorder / truncation mathematically detectable.
  • Two-factor key derivation. The local vault key is HKDF-SHA-512 of (Argon2id(password) || wallet_key || vault_id). The DAG-backup key uses (Argon2id(password) || ML-KEM-1024 shared_secret || vault_id), and that ML-KEM keypair is itself derived from password + wallet key, so the DAG backup needs both factors too. Stealing either the wallet key alone or the password alone decrypts nothing in either path.
  • All primitives audited. Implemented via @noble/hashes, @noble/ciphers, @noble/post-quantum - zero-dependency, audited, NIST-conformant.

Why on-DAG backup?

Cloud password managers go down. Companies get bought. Servers get subpoenaed. Kaspa's BlockDAG is permanent: once a TX confirms, the encrypted + ML-DSA-signed payload is there forever. Anyone with your wallet key + master password can restore from any browser, any device, any year - and the signature proves what they're decrypting is authentically yours.

Why offline signer (air-gap)?

For high-value KAS locked in the Kaspa Locker tab, the strongest mode runs the same HTML on a phone in airplane mode. The cold device holds the single-use cold key (a BLAKE2b Merkle tree, one per vault); the hot device only sees the root commitment. Unlock data crosses the gap by copy-paste or QR. The cold key never sees the network. A fully-compromised hot device cannot drain the vault without that cold key - provided the cold key secures only this one vault (the app enforces it).

Threat model

  • Attacker with your encrypted on-DAG blob and no password: cannot decrypt (Argon2id memory-hardness + XChaCha20-Poly1305 AEAD).
  • Attacker with your wallet key but no password: cannot decrypt (vault key = HKDF-SHA-512(Argon2id(pw) ‖ wallet_key ‖ vault_id) - needs all three).
  • Attacker with your password but not wallet key: cannot decrypt (same 2-factor).
  • Malicious indexer feeding a forged backup payload during recovery: rejected by ML-DSA-87 verify. The signing identity is password-derived, not wallet-derived, so no forgery passes - even with quantum hardware that has broken the wallet key.
  • Single-byte tamper of a media file in IDB: caught by BLAKE2b Merkle root + per-chunk AEAD tag at decrypt time.
  • Quantum attacker decades from now with the DAG backup blob + your observed wallet public key: cannot decrypt the DAG backup, because the DAG-backup key derivation uses ML-KEM-1024 (PQ shared secret) in place of the wallet private key - Shor breaks secp256k1 but not lattice-based KEMs. The remaining unknown is your password, gated by Argon2id (memory-hard, Grover-resistant proportional to entropy). Argon2id, XChaCha20-Poly1305, ML-KEM-1024, ML-DSA-87, and BLAKE2b are all considered PQ-resistant. None of this beats a weak password - pick something with real entropy.
  • Attacker who compromises your hot browser: cannot withdraw an HLMT-gated Kaspa Locker vault without the offline signer.
  • Sudden death + heir doesn't have your password: the DMS branch on a Kaspa Locker vault unlocks after timeout (heir gets the KAS; the secrets in your vault are a separate problem - escrow your password with a notary or M-of-N trustees).

Browser-bound encryption (new)

On top of the password + wallet-key 2-factor encryption, Kassword now wraps the wallet key with a non-extractable AES-GCM-256 key stored in this browser's IndexedDB. The browser refuses to ever export this key - not even page-side scripts can read it. Effect: a stolen copy of your vault file plus your password is useless without ALSO having access to this exact browser profile's secure storage. New and imported vaults are browser-bound from day one. Existing vaults auto-migrate on first unlock. If you ever clear browser data on this device, recover from a DAG backup or paper wallet key.

Install as an app (offline-first)

Kassword can install as a Progressive Web App. Once installed, the app code loads fully offline - perfect for a cold/air-gap phone in airplane mode, where cold signing runs entirely offline. (The hot app still needs a Kaspa node to scan, build, submit or verify spends.) Install once over WiFi; afterwards it loads from local storage indefinitely, even after browser cache clears or device restarts.

If the button is hidden, your browser may not support the install prompt API. On iOS Safari, tap Share → "Add to Home Screen". On Firefox Android, menu → "Install". Manifest works on all modern browsers.

Entry
Backup to BlockDAG
Your vault is XChaCha20-Poly1305 encrypted with your master password + wallet key, then attached to a Kaspa transaction as payload. Permanent. Recoverable anywhere with both factors.
Cost estimate: computing…
Vault size (encrypted): -
Wallet balance: -
Heads up: backup is signed by your wallet. The TX is public, but the payload is encrypted; only your password + wallet key recover the contents.
Recover from BlockDAG
Enter the password your backup was made with - older kassword.com vaults may use a shorter password, that is fine here. Kassword scans your wallet's history for the latest backup (post-quantum, or legacy V4), verifies and decrypts it, then merges your entries into this device's vault and re-seals them post-quantum.
Wallet address scanned: -
If you saw "deletion records failed to verify", recovering above re-establishes them. If you cannot recover, you may (deleted entries may reappear).
Unlock vault
Spending this on-chain vault. Pick which branch witnesses you supply - Schnorr is the daily-fast path, HLMT / HTLC / DMS / Recovery are the conditional branches.