lumbda

three tiers, persistent sessions

unlock

type a password to unlock or create a vault. every keystroke and transcript line stays inside your browser — nothing leaves this tab.

how the encryption works

your password is run through PBKDF2 (200,000 iterations, SHA-256) with a random 32-byte salt generated once per device and stored in localStorage.
that derives an AES-GCM 256-bit key. all transcripts are encrypted with this key before any localStorage.setItem() call.
the vault id is SHA-256(password || salt) — different passwords on the same device address completely independent vaults. wrong password = decryption fails, you don't see other vaults' contents.
same protocol as unsandbox's vault design, implemented on the native crypto.subtle API instead of a shipped CryptoJS bundle. source: crypto.js.
passwords are never sent anywhere — not to lumbda.com, not to a backend, not to a worker. nothing to leak in transit because nothing transits.
ephemeral skips the vault entirely — nothing is written to disk; closing the tab loses everything. use this on a shared machine when persistence would be a footgun.