Vault on the phone. Desktop is just a screen.
The phone is the single source of truth. The desktop connects as a thin client over USB, WebRTC, or WSS. Keys never leave the phone.
Three paths. One encryption contract.
USB, WebRTC, or WSS relay — pick the transport that fits your environment. Noise XX is mandatory on every path.
Direct cable
USB is a wired connection with no network stack. If the cable fails, the system does not silently fall back to a network path.
Network channel
WebRTC is the primary network transport. It uses DTLS + ICE for path setup, then wraps data in Noise.
Deterministic fallback
The WSS relay forwards opaque bytes. It is the MVP baseline for mobile. The relay is transport, not trust.
How it works
The transport changes. The security boundary does not.
Enter from the lock screen
Pairing and connection happen before the vault opens. Remote is an entry path, not a mode switch inside an active session.
Choose USB or network
USB is a separate wired path. On the network side, WebRTC is the primary channel and WSS relay is the deterministic fallback.
Unlock on the phone, open on the desktop
A ready transport is not enough. The desktop waits for unlock confirmation from the phone, then opens the remote dashboard. Browser traffic stays on localhost through Desktop Gateway.
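The three steps above can be modeled as a fail-closed policy. The sketch below is an added illustration, not the product's code; every name in it (Transport, select_transport, RemoteSession and its methods) is hypothetical, and the Noise handshake is represented only by a flag.

```python
from enum import Enum

# Hypothetical model of the connection policy described on this page.
class Transport(Enum):
    USB = "usb"
    WEBRTC = "webrtc"
    WSS_RELAY = "wss_relay"

class TransportError(Exception):
    pass

def select_transport(choice, available):
    """choice is 'usb' or 'network'; available is the set of transports that came up."""
    if choice == "usb":
        # USB is a separate path: a failed cable is an error, never a network fallback.
        if Transport.USB not in available:
            raise TransportError("USB unavailable; refusing to fall back to network")
        return Transport.USB
    if choice == "network":
        # Fixed order: WebRTC first, WSS relay as the deterministic fallback.
        for candidate in (Transport.WEBRTC, Transport.WSS_RELAY):
            if candidate in available:
                return candidate
        raise TransportError("no network transport available")
    raise ValueError(f"unknown choice: {choice!r}")

class RemoteSession:
    def __init__(self, transport):
        self.transport = transport
        self.noise_established = False   # set once the Noise XX handshake completes
        self.phone_unlocked = False      # set only by confirmation from the phone

    def complete_noise_handshake(self):
        self.noise_established = True

    def confirm_unlock_from_phone(self):
        # Assumption: unlock confirmation is only accepted inside the Noise channel.
        if not self.noise_established:
            raise TransportError("unlock confirmation outside a Noise channel")
        self.phone_unlocked = True

    def can_open_dashboard(self):
        # A ready transport alone is not enough to open the remote dashboard.
        return self.noise_established and self.phone_unlocked
```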
Security boundaries
Noise on every path
No plaintext transport exists. USB, WebRTC, and WSS all require the same Noise secure channel.
Pre-auth boundary
Transport orchestration does not mix with an open vault. Pairing and connection happen before authentication.
Relay is transport, not trust
The WSS relay forwards opaque bytes. The extension talks only to Desktop Gateway on localhost — no direct connection to the phone.
Limits and prerequisites
Transport rollout is staged. These are the current boundaries and real constraints.
- Mobile MVP baseline is WSS Relay + Noise XX. WebRTC and USB are staged extensions — not parity guarantees across every platform today.
- USB is a separate transport. If the cable fails, the system does not silently fall back to a network path.
- Browser workflows require Desktop Gateway on localhost. The extension does not connect to the phone directly.
Keys on the phone, work on the desktop?
Start with a local vault, then decide if your workflow needs Remote, mounted storage, or a fully local setup.