What is Web Crypto API?
The Web Crypto API is a W3C standard that provides a JavaScript interface to a suite of cryptographic primitives — including encryption, decryption, key generation, hashing, and signing — implemented natively in the browser.
Before the Web Crypto API, web applications that needed cryptography had to rely on JavaScript libraries that implemented algorithms from scratch. These libraries were slow (running in the JavaScript interpreter), potentially vulnerable to timing attacks, and could not leverage hardware cryptographic accelerators present in modern CPUs.
The Web Crypto API solves these problems by exposing the browser's native cryptographic engine to JavaScript. Operations like AES encryption, key generation, and PBKDF2 key derivation run as compiled native code, benefiting from constant-time implementations (resistant to timing side-channels) and hardware acceleration via AES-NI instructions on modern processors.
The API is asynchronous by design — all operations return Promises rather than blocking the main thread. CryptoKey objects created by the API are opaque by default and cannot be extracted from memory unless explicitly marked as exportable, adding an additional layer of protection against accidental key leakage.
How Vaulted uses Web Crypto API
Vaulted relies exclusively on the Web Crypto API for all cryptographic operations. It uses crypto.subtle.generateKey to create AES-256-GCM keys, crypto.subtle.encrypt and decrypt for the actual encryption, and crypto.subtle.deriveKey with PBKDF2 when a passphrase is used. By depending solely on browser-native cryptography, Vaulted avoids third-party crypto library dependencies and benefits from hardware-accelerated, constant-time implementations.