↳ how siphr works

The threat model, in plain English.

The whole pitch rests on one rule: every key that can decrypt your code lives on your machine. The server has public keys, ciphertext, and wrapped keys it can't unwrap.

Two storage modes

Public repos are stored as plaintext — same as any other forge. Anyone can clone or browse them. We don't track who reads what.

Private repos are end-to-end encrypted. The server holds ciphertext objects plus per-collaborator wrapped keys it can't unwrap. Everything below applies to private repos.

Identity

When you sign up, your browser generates a P-256 ECDH keypair. The public key is uploaded to Siphr. The private key is encrypted with a key derived from your passphrase (PBKDF2-SHA256, 600,000 iterations) using AES-GCM and stored in your browser. We never see the passphrase or the unwrapped private key.

Repository keys

Every repo has its own random 256-bit symmetric key (the “repo key”). For each collaborator the repo key is wrapped via ECDH with their public key plus an ephemeral keypair, producing a self-contained blob the server stores but can't open.

Adding a collaborator means wrapping the repo key for their public key. Removing one means rotating the key and re-encrypting changed objects forward.

Git objects

Blobs, trees, and commits are encrypted with the repo key using AES-256-GCM (fresh nonce per object) before they leave your machine. The server sees object IDs and ciphertext. It doesn't see filenames, file contents, commit messages, or author info inside the encrypted commit object.

Merges, diffs, code search

All happen client-side. Your browser pulls down the ciphertext it needs, decrypts with the repo key it already holds, runs the operation, encrypts the result, and pushes it back. The server is a dumb store.

Verified accounts

Usernames are ASCII-only (A-Z, a-z, 0-9, _, -), so Unicode lookalike attacks (a Cyrillic а in microsoft) can't even get registered.

On top of that, well-known orgs and individuals get a verified badge. The badge means Siphr confirmed out-of-band that the holder of this account is who they claim. Before adding someone as a collaborator on a private repo, also verify their public key fingerprint on their profile out-of-band — that's the actual key the repo key gets wrapped to.

The honest tradeoff

If you lose your passphrase, your private repos are gone. We can't recover them — that's the same property that means we can't hand them over either. We'd rather build a real recovery flow than a backdoor.

↳ source code: github.com/VisualActions/Siphr · verify the claims