What is a Nonce?
A nonce (number used once) is a unique, typically random or sequential value that is used exactly once in a cryptographic operation to ensure that identical inputs produce different outputs, preventing replay attacks and pattern analysis.
Also known as: number used once, cryptographic nonce
If you encrypt the same plaintext with the same key and no nonce, you get identical ciphertext every time. An attacker observing multiple messages could detect patterns — identical ciphertexts reveal that the same message was sent, even without decrypting it. A nonce eliminates this problem by introducing a unique value into each encryption operation, ensuring that the same plaintext encrypted with the same key always produces different ciphertext.
The security requirements for nonces vary by algorithm. Some algorithms (like AES-GCM) require that a nonce is never reused with the same key — reuse can catastrophically compromise both confidentiality and authentication. For these algorithms, random nonces must be large enough to make accidental collision negligibly unlikely. A 96-bit random nonce (as used in AES-GCM) provides sufficient collision resistance for up to approximately 2^32 encryptions under a single key.
Nonces appear throughout cryptographic protocols under different names. In AES-GCM they are called initialization vectors, in challenge-response authentication they are challenges, and in blockchain they are mining nonces. The common thread is uniqueness: the value must not repeat within the context where it is used.
How Vaulted uses Nonces
Every secret encrypted with Vaulted uses a unique 12-byte (96-bit) random nonce, generated by the Web Crypto API's cryptographically secure random number generator. This nonce serves as the initialization vector for AES-256-GCM encryption. It is stored alongside the ciphertext on the server and transmitted to the recipient for decryption. Because each secret uses a freshly generated key and nonce pair, nonce reuse is not a practical concern even at scale.