The seQRets web app uses the same battle-tested cryptography as the desktop version — your secrets are encrypted with XChaCha20-Poly1305 and never leave your browser. But browsers have inherent limitations that no web app can fully overcome:
Browser Extensions
Malicious extensions can read DOM values, intercept keystrokes, and access clipboard data — regardless of what the page does. This is the most serious, unmitigated web app threat.
JS Memory
JavaScript strings are immutable. Passwords live in the V8 heap until garbage collected, which may never happen within a session. Derived keys are zeroed via fill(0), but the password string cannot be.
Supply Chain
The JavaScript served at load time could theoretically be tampered with at the CDN or build level. Going offline after load mitigates mid-session swaps but not pre-load compromises.
The seQRets Desktop Appeliminates all three threats. Tauri's WebView doesn't load browser extensions, the Rust crypto backend keeps derived keys out of the JS heap entirely with compiler-fence zeroization, and the code-signed binary verifies integrity at install time.
| Feature | Web | Desktop |
|---|---|---|
| XChaCha20-Poly1305 encryption | ||
| Shamir's Secret Sharing | ||
| Argon2id key derivation (64MB, 4 iter) | ||
| BIP-39 seed phrase support | ||
| Inheritance Plan (file upload) | ||
| Camera QR scanning | ||
| Works offline after load | ||
| Inheritance Plan (in-app builder) | ||
| JavaCard smart card support | ||
| Native Rust crypto backend | ||
| Compiler-fence key zeroization | ||
| Browser extension immune | ||
| Code-signed binary | ||
| Automatic updates |
In-app Inheritance Plan builder — structured 9-section form for creating detailed recovery instructions. Encrypts as compact JSON that fits on a smart card.
JavaCard smart card support — store shares, vaults, keyfiles, and inheritance plans on JCOP3 hardware with optional PIN protection.
Native Rust crypto — all key derivation and encryption runs in Rust via Tauri IPC. Keys never enter the JS heap and are zeroized with compiler-fence guarantees.
Clone card & Smart Card Manager — manage PINs, clone cards between readers, delete individual items, and factory reset from a dedicated management page.