Application Security Architecture

Understanding how Fynlink protects your data with end-to-end encryption

We use a battle-tested encryption architecture widely adopted in end-to-end encrypted applications. Your link data, including the short URL, target URL, tags, title and notes, is encrypted on your device before being sent to our servers.

Encryption Fundamentals

Master Key

When you sign up for Fynlink, your browser client generates a masterKey for you. The masterKey never leaves your device unencrypted.

Key Encryption Key

A keyEncryptionKey is derived from your password. It never leaves your device.

Application Flow

Registration

During registration, your masterKey is encrypted with your keyEncryptionKey and the resultant encryptedMasterKey is sent to our servers.

Login

During login, when you enter your password, the keyEncryptionKey is derived from it. After a successful login, our servers return the encryptedMasterKey. The masterKey is then recovered by decrypting the encryptedMasterKey with the keyEncryptionKey.

Link Encryption Fundamentals

User Key Pairs

A key pair is generated for you when you register. The userPublicKey is stored on our servers as plain text. The userPrivateKey never leaves your device unencrypted: it is encrypted with the masterKey and stored on our servers.

Team Key Pairs

When you create a team, a key pair is generated for your team. The teamPrivateKey is encrypted with your userPublicKey and stored on our servers. The teamPublicKey is stored as plain text on our servers.

Link Key

A random linkKey is generated for each link you create. This key is used to encrypt the link data. It never leaves your device unencrypted: it is encrypted with the teamPublicKey before being sent to our servers.

Link Creation Flow

Encryption Process

1. The short URL, target URL, tags, title and notes are encrypted with a randomly generated linkKey
2. The linkKey is encrypted with the teamPublicKey
3. A hash of the short URL is created, and the target URL is encrypted with a key derived from the short URL. The hashed short URL is encrypted with a searchable field-level encryption algorithm.
4. All encrypted data is stored securely on our servers

Viewing A Link

1. Fetch the encrypted link data, encryptedLinkKey, encryptedUserPrivateKey, and encryptedTeamPrivateKey
2. Decrypt userPrivateKey using masterKey
3. Decrypt teamPrivateKey using userPrivateKey
4. Decrypt linkKey using teamPrivateKey
5. Finally, decrypt the link data using linkKey

Redirection Flow

1. When a short URL is accessed, our redirection service searches for its encrypted hash in the database. Remember, the hash is encrypted with a searchable field-level encryption algorithm.
2. Upon finding a match, the encrypted targetURL and metadata are retrieved.
3. A decryptionKey is derived from the actual shortURL to decrypt the targetURL.
4. If metrics are enabled, essential data (country code, browser, referral host, device type) is aggregated and processed with randomized timestamps (±5 seconds).
5. The data is cached for quick access (6 hours minimum or until expiry, whichever is lower), and the user is redirected to the target URL.

Cryptographic Implementation

Key Operations

Key Generation

Uses crypto_secretbox_keygen for generating all random keys (masterKey, recoveryKey, linkKey)

Key Derivation

Implements crypto_pwhash with Argon2id for deriving keyEncryptionKey

Key Pair Generation

Utilizes crypto_box_keypair for generating user and team key pairs

Encryption Methods

Symmetric Encryption

Uses crypto_secretbox_easy (XSalsa20 cipher with Poly1305 MAC)

Asymmetric Encryption

Implements crypto_box_seal with X25519 key exchange

Database Encryption

Employs CipherSweet for searchable field-level encryption and AES-256-CBC for sensitive data
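
The key chain from Registration through Viewing A Link, as an added example that is not Fynlink's code and uses only Node.js built-ins. Assumptions: scrypt stands in for Argon2id, AES-256-GCM for crypto_secretbox_easy, and ephemeral X25519 with HKDF for crypto_box_seal; the stored salt and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Stand-ins (assumptions): scrypt for Argon2id, AES-256-GCM for crypto_secretbox_easy,
// ephemeral X25519 + HKDF + AES-256-GCM for crypto_box_seal. The stored salt is assumed too.
const deriveKek = (password, salt) => crypto.scryptSync(password, salt, 32);
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function open(key, box) { // throws if the key is wrong or the box was modified
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}
const sharedKey = (privateKey, publicKey) => Buffer.from(crypto.hkdfSync('sha256',
  crypto.diffieHellman({ privateKey, publicKey }), Buffer.alloc(0), 'seal-demo', 32));
function sealTo(publicKey, plaintext) { // anonymous sender: fresh key pair per message
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephPub, box: seal(sharedKey(eph.privateKey, publicKey), plaintext) };
}
function openSealed(privateKey, { ephPub, box }) {
  const pub = crypto.createPublicKey({ key: ephPub, type: 'spki', format: 'der' });
  return open(sharedKey(privateKey, pub), box);
}
const exportPriv = (k) => k.export({ type: 'pkcs8', format: 'der' });
const importPriv = (der) => crypto.createPrivateKey({ key: der, type: 'pkcs8', format: 'der' });
// Registration, team creation and link creation; returns only what the server would store.
function createRecords(password, linkData) {
  const [salt, masterKey, linkKey] = [16, 32, 32].map((n) => crypto.randomBytes(n));
  const user = crypto.generateKeyPairSync('x25519'), team = crypto.generateKeyPairSync('x25519');
  return {
    salt,
    encryptedMasterKey: seal(deriveKek(password, salt), masterKey),
    encryptedUserPrivateKey: seal(masterKey, exportPriv(user.privateKey)),
    encryptedTeamPrivateKey: sealTo(user.publicKey, exportPriv(team.privateKey)),
    encryptedLinkKey: sealTo(team.publicKey, linkKey),
    encryptedLink: seal(linkKey, Buffer.from(JSON.stringify(linkData))),
  };
}
// Login, then the five "Viewing A Link" steps, using only the stored records and the password.
function viewLink(password, r) {
  const masterKey = open(deriveKek(password, r.salt), r.encryptedMasterKey);
  const userPriv = importPriv(open(masterKey, r.encryptedUserPrivateKey));
  const teamPriv = importPriv(openSealed(userPriv, r.encryptedTeamPrivateKey));
  const linkKey = openSealed(teamPriv, r.encryptedLinkKey);
  return JSON.parse(open(linkKey, r.encryptedLink).toString());
}
```

Every value returned by createRecords is ciphertext or a salt, so the stored records alone do not open the link; viewLink with a wrong password fails at the first authenticated decryption.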

E2EE
Your link data is encrypted before it leaves the browser and can be decrypted only by you.
< 200ms
Average link redirection time; depends mainly on the location of the end user.
99.9%
Uptime guarantee
275+
For quick, uninterrupted URL redirection, our redirection service is available in all major cities worldwide.