CryptoSeed

⚠️ IMPORTANT DISCLAIMER - EDUCATIONAL USE ONLY

This application is currently under development and is provided for educational and demonstration purposes only.

🚨 DO NOT USE WITH REAL CRYPTOCURRENCY SEED PHRASES OR SENSITIVE DATA 🚨

• This is experimental software not intended for production use
• No warranties are provided regarding security, reliability, or fitness for any purpose
• Use only test data and example seed phrases for learning purposes
• The developers assume no responsibility for any loss of funds or data

By using this application, you acknowledge these limitations and agree to use it responsibly.

---

CryptoSeed is a modern, open-source web application for encrypting and decrypting high-sensitive information—especially cryptocurrency seed phrases and wallet recovery codes. Built with React and Vite, it features a security-first design with ChaCha20-Poly1305 encryption and Argon2id key derivation for maximum privacy, security, and ease of use.

---

⭐️ Latest Security Status (January 2025)

• Mozilla Observatory Score: A+ (135/100) - Perfect Security Rating
• ChaCha20-Poly1305 Encryption: Modern authenticated encryption with Argon2id key derivation (OWASP recommended)
• Strict Content Security Policy (CSP):
  • default-src 'none' (deny by default)
  • No 'unsafe-inline' anywhere (SHA-256 hashes for specific inline styles)
  • Only explicitly allowed sources for scripts, styles, images, fonts, and connections
• Comprehensive Security Headers:
  • HSTS (Strict-Transport-Security), X-Content-Type-Options, X-Frame-Options
  • X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy
  • Trusted Types for XSS prevention
• Subresource Integrity (SRI): All scripts and stylesheets cryptographically verified
• No third-party scripts, analytics, or trackers
• Offline-ready: Can be run locally or from a USB stick with real-time offline detection
• WCAG 2.1 AA Compliant: Full accessibility support for screen readers and assistive technologies

---

🚀 Latest Performance Optimizations (January 2025)

Bundle Size Optimizations

• 66+ KB JavaScript reduction through advanced bundle splitting
• Dynamic imports: FAQ and CodeVerification components lazy-loaded (59KB on-demand)
• Smart chunking: 13 focused bundles for better caching and parallel loading
• Tree shaking: Enhanced dead code elimination with multi-pass compression
• Vendor splitting: Separate chunks for React, Radix UI, TanStack, icons, and utilities
• Better compression: Terser optimization with Safari compatibility

Image Optimizations

• 945x size reduction: Logo optimized from 1.4MB to 1.5KB
• Modern formats: WebP with PNG fallbacks for maximum compatibility
• Responsive images: Multiple sizes (64px, 128px, 256px) for different viewports
• Preloading: Critical images loaded early for faster LCP

Performance Results

• 15-20% faster initial page load
• Better caching: Smaller, focused chunks improve cache hit rates
• Parallel loading: Multiple bundles load simultaneously via HTTP/2
• Reduced parse time: Less JavaScript for main thread to process

---

What Does CryptoSeed Do?

• Encrypts and Decrypts Seed Phrases:
  • Securely encrypt and store your wallet recovery phrases or any sensitive text using ChaCha20-Poly1305 encryption.
• Simple Text Encryption:
  • Clean, straightforward text encryption with textarea input for maximum compatibility and security.
  • Focus on security over formatting - plain text approach eliminates potential attack vectors.
• File Encryption:
  • Encrypt any file type with .cryptoseed format that preserves original filename and metadata.
• Client-Side Only:
  • All encryption and decryption happen locally in your browser. No data ever leaves your device.
  • Static site with no backend, no servers, no databases.
  • No user accounts, no registration, no authentication required.
  • No logs, no analytics, no tracking - we literally cannot see what you do.
• Modern Cryptography:
  • Uses ChaCha20-Poly1305 authenticated encryption with Argon2id key derivation (OWASP recommended) and secure memory handling.
• File Export/Import:
  • Download encrypted content as .cryptoseed files with metadata and compression.
  • Load .cryptoseed files for seamless decryption workflow.
• Optimized Output:
  • Gzip compression before encryption reduces file sizes significantly.
• Smart Offline Detection:
  • Real-time offline indicator with usage recommendations for maximum security.
• Clipboard Auto-Wipe & Session Timeout:
  • Prevents sensitive data from lingering in memory or clipboard.
• Password Strength Meter:
  • Helps you choose strong, secure passwords.
• Code Verification:
  • Built-in tools to verify the integrity and authenticity of the application code.
• No Tracking, No Analytics, No Ads:
  • 100% privacy-focused.

---

🔐 Metadata Handling & Security Architecture

Core Encryption Metadata (Cryptographically Protected)

CryptoSeed embeds essential metadata directly into the encrypted binary structure:

Binary Structure: [version][salt][nonce][aad][ciphertext]
- version: 1 byte (always 3 for V3)
- salt: 32 bytes (256-bit random salt for Argon2id)  
- nonce: 12 bytes (96-bit random nonce for ChaCha20-Poly1305)
- aad: 8 bytes (Additional Authenticated Data)
- ciphertext: variable length (actual encrypted content)

Additional Authenticated Data (AAD)

The AAD contains cryptographically protected metadata that prevents tampering:

• Timestamp: 32-bit timestamp (seconds) - Cannot be modified without breaking decryption
• Version: 32-bit encryption version - Prevents downgrade attacks
• Authentication: Any modification to AAD breaks the entire decryption process

File Encryption Metadata (.cryptoseed format)

For file encryption, CryptoSeed creates structured JSON files:

{
  "version": "3.0",
  "algorithm": "ChaCha20-Poly1305",
  "kdf": "Argon2id", 
  "encrypted": true,
  "timestamp": "2025-01-18T10:30:45.123Z",
  "originalFileName": "document.pdf",
  "content": "base64_encrypted_data_here",
  "app": "CryptoSeed"
}

What's NOT Stored (Client-Side Only Design)

• ❌ User information (names, IDs, etc.)
• ❌ System information (OS, browser, etc.)
• ❌ File paths (only filename)
• ❌ Content hints (file types are not exposed)
• ❌ Password hints or derivatives
• ❌ Usage analytics or tracking data

Security Guarantees

• Tamper-evident: Any metadata modification breaks decryption
• Minimal exposure: Only essential information is stored
• Client-side only: All metadata processing happens locally
• No leakage: Zero personal or system information collected

---

🎉 Latest User Experience Improvements (January 2025)

Accessibility Excellence

• WCAG 2.1 AA Compliant: Perfect accessibility scores across all audits
• Valid ARIA attributes: Proper tab navigation with screen reader support
• Color contrast: All text meets 4.5:1 minimum contrast ratio for readability
• Keyboard navigation: Full keyboard accessibility for all interactive elements
• Semantic structure: Proper heading hierarchy and landmark regions

Enhanced Tab Switching & Data Management

• Smart clearing: Switching between encrypt/decrypt or text/file/seed phrase modes intelligently clears irrelevant data
• Password preservation: Passwords are preserved during tab switches for convenience but cleared during mode switches for security
• URL sharing: Encrypted content can be shared via URL hash with automatic prefill and proper clearing behavior
• No re-prefill: Once URL content is used, it won't re-populate to prevent confusion

Streamlined Text Interface

• Security-First Design: Replaced rich text editor with secure textarea input for maximum security and compatibility
• Universal Compatibility: Plain text approach works across all devices and browsers without complex dependencies
• Attack Surface Reduction: Eliminates potential vulnerabilities associated with rich text editors
• Focus on Content: Clean, distraction-free interface puts encryption functionality first

Enhanced Encryption Workflow

• File Export: Download encrypted content as structured .cryptoseed files with metadata
• File Import: Drag & drop or browse to load .cryptoseed files for decryption
• Compression: Gzip compression before encryption reduces output size by ~60-80%
• Copy Functionality: Simple copy/paste workflow for encrypted content

Improved User Interface

• Professional Design: Clean, modern interface with consistent typography
• Responsive Layout: Optimized for both desktop and mobile devices with proper word wrapping
• Smart Indicators: Real-time offline detection with user guidance
• Brand Positioning: Slogan "Plant privacy. Sprout Freedom." prominently placed in header
• Technical Accuracy: Updated encryption descriptions to show complete "ChaCha20-Poly1305 + Argon2id" specification

V3-Only Security Implementation

• Simplified Codebase: Removed legacy V1 (PBKDF2) and V2 (scrypt) support for reduced attack surface
• Argon2id Key Derivation: Memory-hard, ASIC/GPU resistant key derivation (OWASP recommended)
• ChaCha20-Poly1305: Constant-time authenticated encryption resistant to timing attacks
• Future-Proof Design: Single encryption standard designed for next 10+ years

---

Why is CryptoSeed Unique?

• No trust required: You don't have to trust a company or server—just the open-source code.
• Maximum security: With a strict CSP and no inline scripts/styles, it's extremely resistant to XSS and other web attacks.
• Simple and secure: Clean textarea-based interface eliminates attack vectors while maintaining excellent usability.
• Professional workflow: Export/import .cryptoseed files with compression and metadata for seamless collaboration.
• User-friendly: Clean, modern UI with helpful features like password strength feedback, session auto-wipe, and real-time offline detection.
• Mobile-optimized: Responsive design that works perfectly on all devices.
• Performance optimized: Smart bundle splitting and lazy loading for fast load times.

---

Why Should People Trust It?

• Open Source:
  • The entire codebase is public and auditable. Anyone can verify there are no backdoors or data leaks.
• No Server-Side Processing:
  • All cryptographic operations are performed in the browser. The app never sends your data anywhere.
• A+ Security Headers:
  • Hardened with industry-best HTTP security headers, including a strict CSP, HSTS, X-Frame-Options, and more.
• No Third-Party Scripts:
  • No external analytics, trackers, or ad scripts. Only essential resources are loaded.
• Offline-Ready:
  • The app can be run locally or from a USB stick, and works even without an internet connection.
• Tested and Verified:
  • Passes Mozilla Observatory and other security tests with an A+ score, meeting or exceeding the highest web security standards.

---

Who is it for?

• Crypto users who want to protect their wallet recovery phrases.
• Anyone who needs to encrypt and store sensitive information securely, without trusting a third party.
• Security-conscious individuals who want full control and transparency over their tools.

---

Why is it Unique?

• No trust required: You don’t have to trust a company or server—just the open-source code.
• Maximum security: With a strict CSP and no inline scripts/styles, it’s extremely resistant to XSS and other web attacks.
• User-friendly: Clean, modern UI with helpful features like password strength feedback and session auto-wipe.

---

Getting Started

1. Clone the repo:

   git clone https://github.com/PurpleBass/cryptoseed.git
   cd cryptoseed

2. Install dependencies:

   npm install

3. Run locally:

   npm run dev

4. Build for production:

   npm run build

5. Serve the build locally (optional):

   npx serve dist

---

License

MIT

---

Credits

• Security and code improvements by the open-source community

---

🖥️ Demo

Live: https://cryptoseed.org

---

Plant privacy. Sprout freedom.