Skip to content

Key Isolation

Key isolation is the mechanism that lets Volidator’s dashboard server serve your encrypted logs to a browser without ever receiving the decryption key.

The embed URL for the dashboard widget looks like this:

https://dash.volidator.com/embed/{jwt_token}#{encryption_key}

Everything after the # is the hash fragment. Browsers follow RFC 7230 and RFC 7231: the hash fragment is never included in HTTP requests. When the browser loads this URL, it sends:

GET /embed/{jwt_token} HTTP/1.1
Host: dash.volidator.com

The #{encryption_key} part is processed only by client-side JavaScript using window.location.hash. It is never transmitted to the server.

The dashboard server receives the JWT token and uses it to:

  1. Verify the token signature against the project’s clientSecret.
  2. Extract the actor’s blind index from the token payload.
  3. Query the D1 database for encrypted log rows matching that blind index.
  4. Return the ciphertext rows as JSON.

At no point does the server see or store the decryption key.

The browser’s LogTableClient component reads window.location.hash on mount, strips the leading #, and uses the Web Crypto API to decrypt each row:

const key = await crypto.subtle.importKey(
'raw',
sha256(window.location.hash.slice(1)),
{ name: 'AES-GCM' },
false,
['decrypt'],
);

The IV is the first 12 bytes of each ciphertext row (prepended by the SDK at log time).

  • If Volidator’s server is compromised, the attacker gets ciphertext and no key.
  • If the embed URL is intercepted in transit (e.g. in a proxy log), the hash fragment is not present in the HTTP request, so the key is not exposed.
  • The key is exposed if the full URL (including fragment) is leaked through copy-paste, browser history sharing, or an insecure referrer header. Treat embed URLs as secrets.