About Svart Security

⚠ Svart Security is currently in development. All features described are planned for public release.

Privacy by Design

Svart Security is built from the ground up with privacy and security as core principles, not afterthoughts. We believe you have the right to browse privately, without surveillance, tracking, or compromises.

Open and Transparent

Built on Firefox's proven engine with our security enhancements. We don't hide what we do — full source code, detailed documentation, and transparent security practices.

No Telemetry, No Tracking

Svart Security doesn't send any data about you. No telemetry, no analytics, no tracking. Your browsing is yours alone.

Zero Extension Risk

All features are built-in. By eliminating the extension ecosystem, we eliminate an entire class of security vulnerabilities.

Svart AI

Our encrypted AI engine uses AES-256-GCM with PBKDF2 key derivation at 250,000 iterations. It runs cross-platform via the Web Crypto API and powers the intelligent features across the entire suite.

  • 256-bit Encryption
  • 300+ Filter Rules
  • 0 Extensions
  • 750 Free Premium AI Requests/mo

How Svart Security Works

Svart Security is a suite of privacy and security tools designed to protect your digital life. Here's how each layer works together to keep you safe.

1. Create Your Account

Sign up with your email. A unique 64-character secret key is generated for you using AES-256-GCM cryptographic randomness with uppercase, lowercase, digits, and special characters. This key is your identity — it's never your password. You log in to the website and all apps using your email and password, not your secret key. Your password is hashed with Argon2 (GPU-resistant) and never stored in plain text. One account per network is enforced to prevent abuse.

Your secret key is always visible in your account dashboard (the same page where you change your username). This means your key could be compromised if someone gains access to your account. If your key is ever stolen, you can request a key reset — provide your email, password, and current key to prove ownership, then an admin reviews and issues a new one. There will never be a single ad in any Svart app or on the website — ever.

2. AES-256-GCM Encryption

All sensitive data in the Svart suite is encrypted using AES-256-GCM with PBKDF2 key derivation at 250,000 iterations. This is military-grade encryption — the same standard used by governments. Your data is encrypted on your device before it ever leaves. We cannot read it, even if we wanted to.
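The scheme named above (PBKDF2 at 250,000 iterations feeding AES-256-GCM through the Web Crypto API), as an added example that is not Svart's code. The PBKDF2 hash (SHA-256), the 16-byte salt, the 12-byte IV, the `salt || iv || ciphertext` layout and the `context` string bound as additional authenticated data are assumptions, not details from the page.

```javascript
// Added illustration, not Svart's code. Assumed: PBKDF2-SHA-256, 16-byte salt,
// 12-byte IV, and the salt || iv || ciphertext+tag layout.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node fallback
const subtle = webcrypto.subtle;
const ITERATIONS = 250000; // figure stated on the page
const SALT_LEN = 16;
const IV_LEN = 12;
const TAG_LEN = 16; // AES-GCM default tag length in bytes
const utf8 = new TextEncoder();

// Stretch a password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await subtle.importKey(
    "raw", utf8.encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Fresh salt and IV for every message: a repeated (key, IV) pair breaks GCM.
async function encrypt(password, plaintext, context = "") {
  const salt = webcrypto.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = webcrypto.getRandomValues(new Uint8Array(IV_LEN));
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: utf8.encode(context) },
    key, utf8.encode(plaintext)));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0);
  out.set(iv, SALT_LEN);
  out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Returns the plaintext, or null when authentication fails
// (wrong password, modified bytes, or a different context).
async function decrypt(password, blob, context = "") {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) return null; // cannot hold a tag
  const salt = blob.slice(0, SALT_LEN);
  const iv = blob.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(password, salt);
  try {
    const pt = await subtle.decrypt(
      { name: "AES-GCM", iv, additionalData: utf8.encode(context) },
      key, blob.slice(SALT_LEN + IV_LEN));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // never hand back unauthenticated plaintext
  }
}
```

Binding a record identifier as `context` means a ciphertext copied from one record to another fails to decrypt, even under the correct password.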

3. Svart Browser — Built-in Protection

A secure Chromium-based browser with built-in ad blocking and DNS privacy, designed for people who want real protection without the complexity. No extensions needed, no tracking — just privacy that works out of the box. Over 300 built-in ad filter lists (powered by uBlock Origin lists), DNS privacy splash on first launch to set up NextDNS, alias & forwarding email guidance for anonymous accounts, and a 30-minute session timeout (customisable). Dev mode is available for advanced users who want to install extensions. Optional Tor integration routes all traffic through Tor's onion network for maximum anonymity.

4. Svart AI — Encrypted Intelligence

AI chat, internet scraping, knowledge training, and document analysis — all AES-256-GCM encrypted. Your secret key generates a unique API key for your AI instance. This API key is random and only activates after you log in with your local password. The server cannot see or access your API key or your conversations. Svart AI requires an internet connection — it talks to cloud models behind the scenes and cannot run offline. Free tier gives you 750 premium requests/month with no credit card required — the exact same engine paid users get, with no feature locks.

5. SVART Passwords — Local Vault

A fully local password vault encrypted with AES-256-GCM. Built-in strong password generator, master password protection with Argon2 key derivation, and a duress wipe feature that destroys everything if you ever need it to. Auto-fill support for browser integration. Nothing is stored on our servers — your vault lives on your device, under your control. When you need a credential, SVART Passwords decrypts it in memory and clears it when you're done.

6. SVART Notes — Encrypted Notes

Secure note-taking with AES-256-GCM encryption at rest. Your notes are encrypted the moment you save them and never leave your device unencrypted. Local vault storage protected by your secret key, with markdown support, quick search across all notes, and completely offline operation — no cloud sync, no risk. Full-featured editor with syntax highlighting, export, and search — all running locally.

7. SVART Docs — Encrypted Documents

A rich-text document editor with AES-256-GCM encrypted storage. Format, search, and organise documents securely — everything stays on your machine. Rich text editing (bold, lists, headings), full-text search across all documents, and export to encrypted or plain formats. Protected by your secret key with no cloud, no sync, and no risk. Your documents never leave your device unencrypted.

8. SVART Chat — Encrypted Messaging

Self-hosted encrypted chat with X25519 key exchange and AES-256-GCM message encryption. You host the server wherever you want — your basement, a friend's place, anywhere. Your messages, your hardware. A build packager gives your server a unique ID to connect. Group chats with per-group encryption, completely decentralised architecture, and zero-knowledge design — we can't read your messages because we never have access to them.

9. Secure Email — Anonymous Communication

End-to-end encrypted email with temporary addresses and anonymous forwarding. Create throwaway emails for sign-ups or use persistent encrypted inboxes for real communication. No identity required to create an account. PGP-compatible encryption for interoperability with existing email providers, and self-destructing messages for conversations that shouldn't stick around.

10. File Encryption — Data Protection

Encrypt, decrypt, and securely manage your files with ease. AES-256 encryption with batch operations for handling multiple files at once, drag-and-drop support, and secure file shredding (overwrite + delete) so deleted files can't be recovered. Cross-platform and portable — no installation required. Protecting your files should be simple, so it is.

11. Privacy Checker — Privacy Audit

Scan and optimise your digital privacy settings across platforms. Multi-platform privacy scan with guided auto-fix tips for each issue found, browser privacy audit, social media exposure check, and continuous monitoring mode. Get a privacy score with improvement tracking so you can see exactly where you stand and what to fix.

12. VPN Service — Network Privacy

Ultra-fast VPN with a strict no-log policy and servers in privacy-friendly jurisdictions. Built-in kill switch ensures your real IP is never exposed if the VPN drops. Multi-device support for up to 5 devices, split tunnelling for selective routing, and DNS leak protection. Your connection, your privacy.

13. Zero Telemetry

Every Svart tool operates on a simple principle: we don't track you. No telemetry, no analytics, no usage stats, no crash reports. We don't know what pages you visit, what you type, or what you search. Your browsing, your notes, your passwords — they're all yours alone.

14. Cloudflare-Powered Infrastructure

Our website and authentication run on Cloudflare's global edge network. Serverless functions handle registration, login, and account management. KV storage holds account data. All connections are forced HTTPS. No origin server to attack — everything runs at the edge, close to you, with Cloudflare's DDoS protection.

🔐 Security & Setup

Every Svart app follows the same security model. Here’s exactly how your secret key, local passwords, and duress protection work — no secrets, no hidden processes.

🔑 Your Secret Key

When you create an account, a unique 64-character secret key is generated for you using AES-256-GCM cryptographic randomness. This key is your identity across all Svart apps.

aBc4!xK#mN7$pQ2&rS9*tU0-vW3_yZ5+eF6=gH8jL1dR@cXoI%iEwA^bDfYhJkM

Your secret key is not your password. You log in with your email and password — the secret key is a server-side identifier that links your account to your apps.

Your key is always visible in your account dashboard — the same page where you change your username. Because it’s stored there, your key could be compromised if someone gains access to your account. Your key can also be used to reset your account, so protecting your login is critical.

Each app uses your secret key to derive a unique API key for that specific app. The server validates your secret key but cannot see your local data, your local password, or your API key. The server only knows you’re a valid user — nothing more.

🔑 Key Reset (Admin-Verified)

If your secret key is compromised, you can request a key reset. You must provide your email, current password, and current secret key to prove you own the account. A unique reset code is generated from your credentials. An admin or moderator reviews and approves the request — then a new key is issued and your old key is immediately invalidated.

  • Sign Up: You register with your email and password. The server generates your 64-character AES-256-GCM secret key and shows it on your dashboard.
  • Dashboard: Your secret key is always available in your account settings (where you change your username). Save it somewhere safe as a backup.
  • Enter in App: When you first open any Svart app, you enter your secret key. The app validates it with the server and activates.
  • Set Local Password: After activation, you choose a local password. This password is hashed and saved locally — it never leaves your device.

🔒 Local Passwords & App Files

Every Svart app stores your password locally in the app’s own data files. The password is hashed with Argon2 (GPU-resistant, 250,000+ iterations) before being written to disk. The plain-text password is never stored anywhere.

When you open the app and type your password, the app hashes what you typed and compares it to the stored hash. If it matches, the app unlocks. If it doesn’t, access is denied.

Where is the password stored?

Each app keeps its own encrypted config file in its local data directory:

  • Windows: %APPDATA%\SvartApp\config.enc
  • macOS: ~/Library/Application Support/SvartApp/config.enc
  • Linux: ~/.config/svartapp/config.enc

The config file contains your hashed password, your encrypted data key, and your app settings — all encrypted with AES-256-GCM. The app reads this file on launch to verify your identity and decrypt your data. The server never sees this file.

Why local?

Storing your password locally means your password never touches a server. There is no central password database to breach. Even if someone compromised our server, they would have zero access to your local password or your encrypted data. Your device is the vault.

🚨 Duress Password (Distress Mode)

Every Svart app supports a duress password — a secondary password you set that, when entered instead of your real password, permanently deletes all your data.

How it works:

  • When setting up your app, you choose a regular password (unlocks the app normally) and a duress password (triggers data destruction)
  • Both passwords are hashed and stored in the app’s local config file
  • If you enter the duress password at the login screen, the app immediately and irreversibly deletes all local data — passwords, notes, conversations, keys, config files — everything
  • After deletion, the app resets to a clean first-launch state as if it was just installed
  • There is no confirmation prompt — the destruction is instant and silent

⚠️ This Is Irreversible

Entering the duress password permanently destroys all data stored by that app. There is no recovery, no backup, no undo. The data is overwritten and deleted from disk. This feature exists for situations where you are forced to unlock your device — entering the duress password gives the appearance of a fresh install while protecting your real data by destroying it.

The duress password is stored as a separate Argon2 hash in the same local config file. The app checks both hashes on login: one unlocks, the other destroys.

Security Model Summary

  • Login — you log in with your email and password, not your secret key
  • Secret key — generated once, visible in your dashboard, used to activate apps and can be used for account reset
  • Key compromise risk — because the key is in your dashboard, protect your account login; key reset is available (admin-verified)
  • Local password — hashed with Argon2, stored in the app’s config file, never leaves your device
  • Duress password — hashed alongside regular password, triggers instant data destruction
  • Encryption — AES-256-GCM with PBKDF2 key derivation, everything encrypted at rest
  • Server access — the server validates your secret key, but cannot see your password, your data, or your API key
  • No cloud backups — your data lives on your device, period
  • Zero ads — there will never be a single ad in any Svart app or on the website, on any plan, ever

🛡 NetworkGuardian

NetworkGuardian is Svart Security's autonomous protection layer. It exists to prevent abuse of our platform while respecting your privacy. Here's exactly how it works and what it can see.

🔒 What the Guardian Tracks

The Guardian tracks exactly two things, and nothing else:

  • Registration network hash — When you register, your IP address is hashed with SHA-256 and a salt, producing an irreversible identifier like net_a3f8b2c1e9d4.... The original IP is immediately discarded. Nobody — not even the admin — can reverse this hash back to your IP.
  • Account creation timestamp — The date and time you created your account.

The Guardian does NOT track logins, browsing, page visits, usage patterns, or anything else. Only registration.

🛡 What the Guardian Does

The Guardian performs three functions:

  • Duplicate account prevention — One account per network. The Guardian checks your network hash at registration to ensure you haven't already registered another account from the same network.
  • Network blocking — If a network is determined to be abusive (e.g., mass bot registrations), the Guardian can block that network hash from registering new accounts.
  • Illegal activity reports — If a user is reported for illegal activities, the Guardian can include the network hash and creation timestamp in a formal incident report for law enforcement.
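A registration gate built on the salted network hash described above, as an added example that is not Svart's code. `SALT`, the 12-hex-digit truncation, the in-memory stores and the `Guardian` class are hypothetical; the page only shows an identifier of the form `net_a3f8b2c1e9d4...`.

```javascript
// Added illustration, not Svart's code. SALT, the truncation length and the
// in-memory Map/Set are assumptions made for this sketch.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node fallback
const SALT = "constructed-demo-salt"; // hypothetical value; a deployment keeps its salt secret

// Collapse equivalent spellings so one network maps to one identifier.
function normaliseIp(ip) {
  const v = ip.trim().toLowerCase();
  const mapped = v.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/); // IPv4-mapped IPv6
  return mapped ? mapped[1] : v;
}

// SHA-256 over salt and address, shortened to a "net_" identifier.
async function networkHash(ip) {
  const bytes = new TextEncoder().encode(SALT + "|" + normaliseIp(ip));
  const digest = new Uint8Array(await webcrypto.subtle.digest("SHA-256", bytes));
  const hex = Array.from(digest, (b) => b.toString(16).padStart(2, "0")).join("");
  return "net_" + hex.slice(0, 12);
}

class Guardian {
  constructor() {
    this.registered = new Map(); // netId -> account creation timestamp
    this.blocked = new Set();    // netIds barred from registering
  }
  block(netId) { this.blocked.add(netId); }
  unblock(netId) { this.blocked.delete(netId); }

  // The raw IP is used only to compute the identifier and is never stored.
  async register(ip, now = new Date()) {
    const netId = await networkHash(ip);
    if (this.blocked.has(netId)) return { ok: false, reason: "network-blocked" };
    if (this.registered.has(netId)) return { ok: false, reason: "duplicate-network" };
    this.registered.set(netId, now.toISOString());
    return { ok: true, netId };
  }
}
```

How hard the identifier is to reverse depends on the salt staying secret, because the IPv4 address space is small.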

🚫 What the Guardian Cannot Do

  • Cannot see your real IP address (it's hashed and discarded)
  • Cannot track what you browse, search, or type
  • Cannot read your encrypted data, notes, or passwords
  • Cannot monitor your login activity
  • Cannot identify you personally from the network hash
  • Cannot share data with third parties (there's nothing to share)

🔐 Admin Access

Only the site administrator (admin@svartsecurity.org, with the admin role) can access Guardian enforcement controls. Moderators cannot access enforcement. The admin can:

  • Block or unblock a network hash (they see net_a3f8b2..., never a real IP)
  • Block abusive URLs from Svart services
  • View enforcement statistics (counts only, no personal data)
  • Review and escalate violation reports with specific law references

⚠️ Available Evidence for Reports

When a report is escalated to law enforcement, the only data available is:

  • Registration network hash (SHA-256, irreversible)
  • Account creation date and time

That's it. No IP addresses, no browsing history, no message content, no usage data. Law enforcement would need to subpoena the ISP with the relevant timeframe, not us — because we don't have the data.

Law Violation Categories

Reports filed through the Guardian can reference specific laws. These are the categories available for formal incident reports. General piracy (media, music, film) is not included — only distribution of commercial software is covered.

Unauthorized Access
Computer Misuse Act 1990 (UK) • CFAA 18 U.S.C. § 1030 (US)
Unauthorized access to computer systems, exceeding authorized access, or impairing computer operation.

Fraud
Fraud Act 2006 (UK) • 18 U.S.C. § 1343 Wire Fraud (US)
False representation, possession of articles for fraud, wire fraud schemes.

Identity Theft
Fraud Act 2006 / Identity Documents Act 2010 (UK) • 18 U.S.C. § 1028 (US)
Using another person's identity or creating false identity documents for fraudulent purposes.

Data Protection
GDPR (EU) 2016/679 • Data Protection Act 2018 (UK)
Unlawful processing, data breaches, re-identification of de-identified data.

Child Exploitation / CSAM
Protection of Children Act 1978 (UK) • 18 U.S.C. §§ 2251-2260A (US)
Any involvement with child sexual abuse material. Immediate law enforcement referral required.

Harassment / Cyberstalking
Protection from Harassment Act 1997 (UK) • 18 U.S.C. § 2261A (US)
Online harassment, stalking, or malicious communications causing distress.

Terrorism
Terrorism Act 2000/2006 (UK) • 18 U.S.C. § 2339A/B (US)
Encouragement, preparation, or material support of terrorism. Immediate referral required.

Money Laundering
Proceeds of Crime Act 2002 (UK) • 18 U.S.C. §§ 1956-1957 (US)
Concealing, converting, or transferring criminal property.

Software Piracy (Distribution Only)
CDPA 1988 ss.107-110 (UK) • NET Act 17 U.S.C. § 506 (US)
Distributing or sharing commercial software without authorization. This covers software distribution only — not media, music, or film.

Malware & DDoS
CMA 1990 s.3/3A (UK) • 18 U.S.C. § 1030(a)(5) (US)
Creating, distributing malware/ransomware, or launching denial-of-service attacks.

Phishing
Fraud Act 2006 / CMA 1990 (UK) • CAN-SPAM Act / CFAA (US)
Fake websites or communications designed to steal credentials or personal information.

Threats & Extortion
OAPA 1861 / Theft Act 1968 (UK) • 18 U.S.C. § 873 (US)
Threats of violence, blackmail, ransomware extortion, or sextortion.

Hate Crime / Incitement
Public Order Act 1986 / Racial and Religious Hatred Act 2006 (UK)
Stirring up racial, religious, or sexual orientation hatred online.

Trade Secret Theft
Trade Secrets Regulations 2018 (UK) • 18 U.S.C. §§ 1831-1839 (US)
Unlawful acquisition, use, or disclosure of trade secrets or economic espionage.

Our Principle

We protect people. We do not protect crimes. Your privacy is absolute for all lawful use. But if someone uses our platform to commit serious crimes — child exploitation, terrorism, fraud — we will cooperate with law enforcement using the limited data we have. We believe this is the right balance: maximum privacy, minimum complicity.

Frequently Asked Questions

Is Svart Security really free?

All tools except Svart AI are completely free with no limits. Svart AI gives you 750 free premium requests per month — the same full engine that paid users get, with no feature locks. If you need more, upgrade to £4.99/month for 2,000 requests or £9.99/month for unlimited. There will never be a single ad in any Svart app or on the website — no ads on any plan, ever. Not now, not later.

How does the secret key work?

Your secret key is generated when you sign up and is always visible in your account dashboard (the same page where you change your username). You log in with your email and password — the secret key is not used for login. It’s used to activate your desktop apps and can also be used to reset your account. Because your key is stored in your dashboard, it could be compromised if someone gains access to your account — so protect your login. If your key is ever compromised, you can request a key reset — you must provide your email, password, and current key to prove ownership, then an admin reviews and issues a new key.

How is Svart Browser different from other browsers?

SVART is built specifically for privacy and security with military-grade encryption, zero extensions, built-in ad blocking, and Tor integration — all out of the box.

Can I install extensions?

In production mode (default), only our built-in ad blocker runs for maximum security. Dev mode allows extensions for developers and testers.

Will Svart Security work offline?

Most features work offline. Ad blocking, encryption, and local features are always available. Svart AI and some cloud features require internet.

How secure is the master password?

Your master password is hashed with Argon2, a GPU-resistant algorithm. It's never stored in plain text and never sent anywhere.

What platforms are supported?

Windows 10/11, macOS 10.15+, and Linux (Arch, Ubuntu, Debian, Fedora). Native installers for all platforms.

How do I enable Tor?

Install Tor, then enable it in SVART settings. All traffic will route through Tor's network automatically.

What about my bookmarks and history?

All bookmarks, history, and credentials are encrypted locally. You control where they're stored.