You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
|`PHANTASM_FIELD_MODE=1`| Reduce normal WebUI operational detail |
296
296
|`PHANTASM_PROFILE`| Select local capability mode: `standard`, `field`, or `maintenance`|
297
+
|`PHANTASM_MIN_PASSPHRASE_LENGTH`| Minimum Store passphrase length |
297
298
|`PHANTASM_AUDIT=1`| Enable audit logging |
298
299
299
300
## Local-Only Trust Boundary
@@ -304,6 +305,8 @@ Restricted local data-loss behavior should be understood primarily as key-materi
304
305
305
306
For high-risk deployments, do not store all recovery conditions on the same physical medium. Phantasm is strongest when the encrypted container, local state, memorized password, physical-object cue, and optional external key material are separated.
306
307
308
+
Store flows reject empty, obviously short, duplicate, or highly repetitive passphrases. This policy reduces accidental weak input, but it is not a substitute for secure operational procedure, key separation, or target-hardware validation.
Copy file name to clipboardExpand all lines: docs/THREAT_MODEL.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,6 +36,7 @@ It is not a substitute for audited full-disk encryption, hardware-backed key sto
36
36
- New stores use GhostVault v3 records: random per-record Argon2id salt, random per-record AES-GCM nonce, no plaintext magic/header, and AEAD-authenticated encrypted metadata.
37
37
- The local access key is mixed into Argon2id by default, so copying `vault.bin` alone is insufficient for recovery.
38
38
- Protected entries can be stored with normal access and restricted recovery passwords that share the same object cue.
39
+
- Store flows reject empty, duplicate, short, or highly repetitive passphrases to reduce accidental weak input.
39
40
-`PHANTASM_HARDWARE_SECRET_FILE`, `PHANTASM_HARDWARE_SECRET`, or `PHANTASM_HARDWARE_SECRET_PROMPT=1` can add an external value to Argon2id derivation. Data stored with any of these values requires the same value for retrieval.
40
41
- Default Argon2id parameters are tuned for Raspberry Pi Zero 2 W class hardware: `memory_cost=32768`, `iterations=2`, `lanes=1`.
41
42
- Restricted recovery behavior and explicit restricted actions can update unmatched local state. These paths can cause irreversible data loss.
@@ -71,6 +72,7 @@ These surfaces should not reveal the internal disclosure model, internal trial o
71
72
- UI face lock can be affected by lighting, camera angle, false rejects, false accepts, and presentation attacks using photos or screens.
72
73
- The in-memory Web rate limiter and restricted confirmation state reset on process restart and are not substitutes for a full access-control layer.
73
74
- UI tokens can be read from a compromised browser or host session.
75
+
- Passphrase policy cannot compensate for observed input, reused passwords, coercion, compromised hosts, or poor operational separation.
74
76
- Metadata checks and metadata reduction are best-effort. They can miss embedded identifiers, thumbnails, histories, and application-specific fields.
75
77
- Optional audit logs can support local review, including tamper detection for versioned records, but they also create local metadata.
76
78
- Browser history, cache, shell history, systemd logs, environment variables, and temporary files can leak operational context if the appliance is not configured carefully.
0 commit comments