K's Vault removes your session cookies from the browser's native store and encrypts them with AES-256-GCM. Malware that dumps your cookie database gets nothing.
Infostealer malware copies your browser's cookie database and sends it to an attacker. They paste your session tokens into their browser and access your accounts — no password needed.
Cookies are stored in cookies.sqlite as plaintext. Any process running as your user can read them. Stealers extract and exfiltrate them in seconds.
Cookie store is empty for protected sites. Session tokens exist only inside AES-256-GCM encrypted blobs in the extension's IndexedDB. Stealers get useless ciphertext.
K's Vault sits between your browser and the server, handling encryption and decryption transparently on every request.
Log into a site normally, then click "Protect this site." K's Vault migrates existing cookies into the encrypted store and deletes the originals.
Each cookie is encrypted with a unique derived key using AES-256-GCM. New cookies from the server are intercepted, encrypted, and stripped before the browser can store them.
On every outgoing request, K's Vault decrypts cookies in memory for milliseconds, injects them into the request header, and the server receives a valid session.
Designed around real-world attack scenarios we encounter during security assessments.
Per-cookie key derivation using PBKDF2 + HKDF. 600K iterations. Non-extractable CryptoKeys via WebCrypto API.
One click or Ctrl+Shift+K destroys all encrypted data permanently. Configurable auto-wipe after failed password attempts.
Protects root domain and all subdomains with a single click. Cookies from sso.example.com and www.example.com are covered together.
No analytics, no network requests, no data collection of any kind. Everything stays on your device.
Configurable auto-lock timeout. Re-enter your password on browser start or at custom intervals.
Vanilla JavaScript, zero dependencies, no build tools. Every line is auditable. MIT licensed.
Vanilla JavaScript, WebCrypto API, IndexedDB. No frameworks, no dependencies, no supply chain risk.
Server sends Set-Cookie → webRequest intercepts → value encrypted with per-cookie HKDF key → stored in IndexedDB → header stripped. Browser never stores plaintext.
Request to protected domain → encrypted cookies read from IndexedDB → decrypted with master key → injected into Cookie header → server receives valid session.
Master password → PBKDF2 (600K iterations) → non-extractable CryptoKey. Each cookie gets a unique key via HKDF using domain + name + timestamp as context.
Compromising one cookie's key cannot reveal others. AAD binding prevents cross-domain tampering. Verification hash is cryptographically independent from encryption key.
Every permission is required for core functionality. None are used for data collection.
| Permission | Purpose |
|---|---|
| cookies | Read, encrypt, and migrate cookies for domains you choose to protect |
| webRequest | Intercept Set-Cookie response headers and Cookie request headers |
| webRequestBlocking | Modify headers synchronously before the browser processes them |
| <all_urls> | Operate on any domain you select — only activates for protected domains |
| storage | Save your settings locally (protected domains, preferences) |
| notifications | Alert you after an emergency wipe |
Last updated: February 2025
K's Vault collects no data. Specifically:
All data processing occurs entirely on your device.
All data is stored locally using IndexedDB (encrypted cookie blobs) and browser extension storage (configuration). No data is stored on external servers, cloud services, or any location outside your browser profile.
K's Vault does not integrate with, transmit data to, or receive data from any third-party services.
For questions about this privacy policy or K's Vault:
Website: kravex.ro
Email: contact@kravex.ro