Security

Your memory, your keys, your machine.

BaseLayer's zero-knowledge architecture ensures your conversation history remains yours alone. The cloud never sees plaintext data — even we can't read your vault.

Security Architecture at a Glance

Zero-Knowledge Cloud

Our cloud infrastructure (Firebase) never sees your data in plaintext. All conversation content is encrypted with AES-256-GCM on your device before it ever reaches the network.

Encryption at Rest

Your local vault is encrypted with SQLCipher (AES-256-CBC). Even if someone copies the database file from your machine, they cannot read it without the encryption key. Plaintext vaults are auto-migrated on first open.

OS Keychain Integration

Your master encryption key is stored in the macOS Keychain (baselayer.keychain-db), protected by the operating system's hardware-backed secure storage. It is never written to a plain file on disk.

Passphrase Protection

A double-envelope system uses PBKDF2-SHA256 with 600,000 iterations to derive a wrapping key from your passphrase. The wrapped master key is stored in Firestore, so you can unlock your vault on any device with just your passphrase.

End-to-End Encryption

All data in transit uses AES-256-GCM authenticated encryption, with session keys derived via HKDF-SHA256 and rotated daily. Each message is encrypted under a random 12-byte nonce, and the GCM authentication tag detects tampering.

Local-First Storage

Your vault is an encrypted SQLCipher database on your machine at ~/.baselayer/vaults/{vault_id}/vault_vfs.db. All knowledge extraction, entity resolution, and search happen locally.

Localhost Security Boundary

BaseLayer runs locally on your device and is not exposed to the public internet. Only software running on your machine can access this local service.

Per-User Vault Isolation

Each user gets an isolated, encrypted vault at a unique path. Strict ownership checks ensure each user can only read and write data in their own vault. Sign-out preserves the encrypted vault — passphrase required to re-enter.

Opt-in Telemetry

Telemetry is disabled by default and fully opt-in. If you choose to enable it during onboarding, only anonymous, aggregate usage data is collected — never conversation content, personal information, or vault data.

Cryptographic Primitives

| Primitive | Algorithm | Purpose |
|---|---|---|
| Encryption (transit) | AES-256-GCM | Authenticated encryption for all relay data |
| Encryption (at rest) | AES-256-CBC (SQLCipher) | Full-database encryption of local vault |
| Key derivation (session) | HKDF-SHA256 | Daily session key rotation with domain separation |
| Key derivation (passphrase) | PBKDF2-SHA256 (600K iterations) | Passphrase → wrapping key for double envelope |
| Key storage | macOS Keychain | Hardware-backed secure storage for master key |
| Nonce generation | CSPRNG (12 bytes) | Unique random nonce per encrypted message |
| Authentication (MCP) | OAuth 2.1 + PKCE | Standard OAuth for remote MCP connections |

What We Protect Against

| Threat | How We Mitigate |
|---|---|
| Cloud infrastructure compromise | Zero-knowledge design — Firestore stores only ciphertext. Compromising Firebase yields no plaintext conversation data. |
| Network interception (MITM) | All relay traffic is end-to-end encrypted with AES-256-GCM before reaching TLS. Even if TLS is stripped, the attacker sees only ciphertext. |
| Local device theft | Vault is encrypted at rest with SQLCipher (AES-256-CBC). Master key stored in OS Keychain, not on the filesystem. Database file alone is unreadable. |
| AI provider data leaks | BaseLayer captures conversations client-side via DOM observation. Your memory exists independently of any provider's data retention policy. |
| Unauthorized vault access | Per-user vault isolation with strict ownership checks. Sign-out preserves the encrypted vault — passphrase required to re-enter. |
| Rogue browser extension | Extension permissions scoped to specific AI provider domains. No access to all URLs, no tabs permission, no browsing activity tracking. |
| MCP relay compromise | OAuth 2.1 with PKCE for remote MCP authentication. Server heartbeat monitoring (30s interval) with relay pre-checks detect stale or compromised connections. |

Key Technical Details

Encryption & Key Management

The master encryption key is generated locally and stored in the macOS Keychain (baselayer.keychain-db) via the security CLI. It is never written to a plain file on disk. Session keys are derived daily from the master key using HKDF-SHA256 with domain separation.

Double-Envelope Passphrase System

To enable multi-device access, your passphrase is run through PBKDF2-SHA256 with 600,000 iterations to derive a wrapping key. This wrapping key encrypts the master key, and the resulting wrapped key is stored in Firestore. On a new device, entering your passphrase re-derives the wrapping key and unwraps the master key — no key file transfer needed.

Encryption at Rest

The local vault database uses SQLCipher with AES-256-CBC full-database encryption (bundled-sqlcipher-vendored-openssl). Existing plaintext vaults are automatically migrated to encrypted format on first open.

Firestore Security Rules

Access control rules enforce vault ownership and isolate every vault from all other users. Real-time Firestore listeners (onSnapshot) replace polling for immediate state sync.

Key Constraints

  • Vault ownership is enforced consistently across the full data model
  • Previously noted gap (any authenticated user could access any vault) is now CLOSED
  • API key records are write-protected — only Cloud Functions can create or revoke them
  • Cloud Functions use Admin SDK and bypass rules by design for secure server-side operations

MCP Security

Remote MCP connections (e.g., from Claude.ai) authenticate via OAuth 2.1 with PKCE. The MCP server publishes a heartbeat every 30 seconds, and the relay performs pre-checks before forwarding requests to detect stale or compromised connections.

Privacy by Design

Telemetry is opt-in and disabled by default. If enabled, only anonymous aggregate usage data is collected. No PII in cloud storage. Firestore documents contain only encrypted payloads, nonces, status flags, and content hashes. No plaintext conversation content, user messages, AI responses, or personal information is stored in the cloud.

Security Roadmap

| Item | Target | Description |
|---|---|---|
| Formal security audit | Post-Seed | Engage a third-party security firm for comprehensive penetration testing and cryptographic review. |
| Windows & Linux key storage | Post-macOS | Windows Credential Manager and Linux Secret Service integration for cross-platform Keychain parity. |
| Hardware key support | v3+ | YubiKey and hardware security key support for vault authentication as an alternative to passphrase. |
| SOC 2 Type I | Post-Series A | Pursue SOC 2 compliance for enterprise customers. |

Full Security Whitepaper

For the complete technical details, architecture diagrams, and cryptographic specifications:

Read Full Whitepaper

Responsible Disclosure

We welcome security research on BaseLayer. If you discover a vulnerability:

  • Email: security@baselayer.id (or james@baselayer.id during beta)
  • Include: Description of the vulnerability, steps to reproduce, and potential impact
  • Scope: Cryptographic implementation, cloud function logic, Firestore rules, Chrome extension security, MCP OAuth, and local vault access controls
  • Response time: We aim to acknowledge reports within 48 hours and provide a remediation timeline within 7 days

We do not currently offer a bug bounty program but plan to establish one post-launch.