Application Security Architecture
Understanding how Fynlink protects your data with end-to-end encryption
We use a battle-tested encryption architecture widely adopted in many end-to-end encrypted applications. Your link data, including the short URL, target URL, tags, title & notes, is encrypted on your device before being sent to our servers.
Encryption Fundamentals
Master Key
When you sign up for Fynlink, your browser client will generate a masterKey for you. This never leaves your device unencrypted.
Key Encryption Key
A keyEncryptionKey is derived from your password and this will never leave your device.
Application Flow
Registration
During registration, your masterKey is encrypted with your keyEncryptionKey and the resultant encryptedMasterKey is sent to our servers.
Login
During login, when you enter the password, the keyEncryptionKey is derived from it. After successful login, our servers give you back the encryptedMasterKey. The masterKey will be derived by decrypting the encryptedMasterKey with the keyEncryptionKey.
Link Encryption Fundamentals
User Key Pairs
A key pair is generated for you when you register. The userPublicKey is stored on our servers as plain text and the userPrivateKey never leaves your device unencrypted. The userPrivateKey is encrypted with the masterKey and stored on our servers.
Team Key Pairs
When you create a team, a key pair is generated for your team. The teamPrivateKey is encrypted with your userPublicKey and stored on our servers. The teamPublicKey is stored as plain text on our servers.
Link Key
A random linkKey is generated for each link you create. This key is used to encrypt the link data. It never leaves your device unencrypted: it is encrypted with the teamPublicKey before being sent to our servers.
Implementation Details
Link Creation Flow
Encryption Process
1. The short URL, target URL, tags, title & notes are encrypted with a randomly generated linkKey
2. The linkKey is encrypted with the teamPublicKey
3. A hash of the short URL is created, and the target URL is encrypted with a key derived from the short URL. The hashed short URL is encrypted with a searchable field-level encryption algorithm.
4. All encrypted data is stored securely on our servers
Viewing A Link
Fetch encrypted link data, encryptedLinkKey, encryptedUserPrivateKey, and encryptedTeamPrivateKey
Decrypt userPrivateKey using masterKey
Decrypt teamPrivateKey using userPrivateKey
Decrypt linkKey using teamPrivateKey
Finally, decrypt the link data using linkKey
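The unwrap chain in the steps above, as an added example that is not Fynlink's own code. It uses Node's built-in `crypto` module as stand-ins for the `crypto_*` functions this page lists (scrypt for Argon2id, AES-256-GCM for `crypto_secretbox_easy`, ephemeral X25519 with HKDF for `crypto_box_seal`); the `salt` field and all function names are assumptions.

```javascript
// Added illustration, not Fynlink's code. Stand-ins from node:crypto: scrypt for Argon2id,
// AES-256-GCM for crypto_secretbox_easy, ephemeral X25519 + HKDF for crypto_box_seal.
const crypto = require('node:crypto');
function secretSeal(key, plaintext) { // returns nonce || tag || ciphertext
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function secretOpen(key, box) { // throws on a wrong key or a modified box
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}
const newKeyPair = () => crypto.generateKeyPairSync('x25519', { // keys as DER bytes
  publicKeyEncoding: { type: 'spki', format: 'der' }, privateKeyEncoding: { type: 'pkcs8', format: 'der' } });
function sharedKey(privDer, pubDer, salt) { // X25519 shared secret stretched to a 32-byte key
  const privateKey = crypto.createPrivateKey({ key: privDer, format: 'der', type: 'pkcs8' });
  const publicKey = crypto.createPublicKey({ key: pubDer, format: 'der', type: 'spki' });
  return Buffer.from(crypto.hkdfSync('sha256', crypto.diffieHellman({ privateKey, publicKey }), salt, 'seal-demo', 32));
}
function sealTo(pubDer, plaintext) { // anonymous sender: fresh ephemeral key pair per box
  const eph = newKeyPair();
  const key = sharedKey(eph.privateKey, pubDer, eph.publicKey);
  return Buffer.concat([eph.publicKey, secretSeal(key, plaintext)]);
}
function sealOpen(privDer, box) { // an X25519 SPKI DER public key is 44 bytes
  const ephPub = box.subarray(0, 44);
  return secretOpen(sharedKey(privDer, ephPub, ephPub), box.subarray(44));
}
const deriveKek = (password, salt) => crypto.scryptSync(password, salt, 32);
function createAccountAndLink(password, linkData) { // everything returned is server-visible
  const salt = crypto.randomBytes(16); // per-user KDF salt (assumed; not described on the page)
  const masterKey = crypto.randomBytes(32), linkKey = crypto.randomBytes(32);
  const user = newKeyPair(), team = newKeyPair();
  return { salt, userPublicKey: user.publicKey, teamPublicKey: team.publicKey,
    encryptedMasterKey: secretSeal(deriveKek(password, salt), masterKey),
    encryptedUserPrivateKey: secretSeal(masterKey, user.privateKey),
    encryptedTeamPrivateKey: sealTo(user.publicKey, team.privateKey),
    encryptedLinkKey: sealTo(team.publicKey, linkKey),
    encryptedLink: secretSeal(linkKey, Buffer.from(linkData)) };
}
function viewLink(password, s) { // unwrap in the order of the steps above
  const masterKey = secretOpen(deriveKek(password, s.salt), s.encryptedMasterKey);
  const userPrivateKey = secretOpen(masterKey, s.encryptedUserPrivateKey);
  const teamPrivateKey = sealOpen(userPrivateKey, s.encryptedTeamPrivateKey);
  const linkKey = sealOpen(teamPrivateKey, s.encryptedLinkKey);
  return secretOpen(linkKey, s.encryptedLink).toString();
}
```

Because every layer is authenticated, a wrong password or a single flipped bit in any stored blob makes `viewLink` throw instead of returning garbage.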
Redirection Flow
When a short URL is accessed, our redirection service searches for its encrypted hash in the database. Remember, the hash is encrypted with a searchable field-level encryption algorithm.
Upon finding a match, the encrypted targetURL and metadata are retrieved.
A decryptionKey is derived from the actual shortURL to decrypt the targetURL.
If metrics are enabled, essential data (country code, browser, referral host, device type) is aggregated and processed with randomized timestamps (±5 seconds).
The data is cached for quick access (6 hours minimum or until expiry, whichever is lower), and the user is redirected to the target URL.
Cryptographic Implementation
Key Operations
Key Generation
Uses crypto_secretbox_keygen for generating all random keys (masterKey, recoveryKey, linkKey)
Key Derivation
Implements crypto_pwhash with Argon2id for deriving keyEncryptionKey
Key Pair Generation
Utilizes crypto_box_keypair for generating user and team key pairs
Encryption Methods
Symmetric Encryption
Uses crypto_secretbox_easy (XSalsa20 cipher with Poly1305 MAC)
Asymmetric Encryption
Implements crypto_box_seal with X25519 key exchange
Database Encryption
Employs CipherSweet for searchable field-level encryption and AES-256-CBC for sensitive data