Application Security Architecture
Understanding how Fynlink protects your data with end-to-end encryption
We use a battle-tested encryption architecture widely adopted in many end-to-end encrypted applications. Your link data, including the short URL, target URL, tags, title and notes, is encrypted on your device before being sent to our servers.
Encryption Fundamentals
Master Key
When you sign up for Fynlink, your browser client will generate a masterKey for you. This never leaves your device unencrypted.
Key Encryption Key
A keyEncryptionKey is derived from your password and this will never leave your device.
Application Flow
Registration
During registration, your masterKey is encrypted with your keyEncryptionKey and the resultant encryptedMasterKey is sent to our servers.
Login
During login, when you enter the password, the keyEncryptionKey is derived from it. After successful login, our servers give you back the encryptedMasterKey. The masterKey is recovered by decrypting the encryptedMasterKey with the keyEncryptionKey.
Link Encryption Fundamentals
User Key Pairs
A key pair is generated for you when you register. The userPublicKey is stored on our servers as plain text and the userPrivateKey never leaves your device unencrypted. The userPrivateKey is encrypted with the masterKey and stored on our servers.
Team Key Pairs
When you create a team, a key pair is generated for your team. The teamPrivateKey is encrypted with your userPublicKey and stored on our servers. The teamPublicKey is stored as plain text on our servers.
Link Key
A random linkKey is generated for each link you create. This key is used to encrypt the link data. It never leaves your device unencrypted: it is encrypted with the teamPublicKey before being sent to our servers.
Implementation Details
Link Creation Flow
Encryption Process
1. The short URL, target URL, tags, title & notes are encrypted with a randomly generated linkKey
2. The linkKey is encrypted with the teamPublicKey
3. A hash of the short URL is created, and the target URL is encrypted with a key derived from the short URL. The hashed short URL is encrypted with a searchable field-level encryption algorithm.
4. All encrypted data is stored securely on our servers
Viewing A Link
Fetch encrypted link data, encryptedLinkKey, encryptedUserPrivateKey, and encryptedTeamPrivateKey
Decrypt userPrivateKey using masterKey
Decrypt teamPrivateKey using userPrivateKey
Decrypt linkKey using teamPrivateKey
Finally, decrypt the link data using linkKey
Redirection Flow
When a short URL is accessed, our redirection service searches for its encrypted hash in the database. Remember, the hash is encrypted with a searchable field-level encryption algorithm.
Upon finding a match, the encrypted targetURL and metadata are retrieved.
A decryptionKey is derived from the actual shortURL to decrypt the targetURL.
If metrics are enabled, essential data (country code, browser, referral host, device type) is aggregated and processed with randomized timestamps (±5 seconds).
The data is cached for quick access (6 hours minimum or until expiry, whichever is lower), and the user is redirected to the target URL.
Cryptographic Implementation
Key Operations
Key Generation
Uses crypto_secretbox_keygen for generating all random keys (masterKey, recoveryKey, linkKey)
Key Derivation
Implements crypto_pwhash with Argon2id for deriving keyEncryptionKey
Key Pair Generation
Utilizes crypto_box_keypair for generating user and team key pairs
Encryption Methods
Symmetric Encryption
Uses crypto_secretbox_easy (XSalsa20 cipher with Poly1305 MAC)
Asymmetric Encryption
Implements crypto_box_seal with X25519 key exchange
Database Encryption
Employs CipherSweet for searchable field-level encryption and AES-256-CBC for sensitive data
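The key-wrapping chain from the Registration, Link Creation and Viewing A Link sections, as an added example that is not Fynlink's code. It uses only Node's built-in crypto, so scrypt, ChaCha20-Poly1305 and an ephemeral-X25519-plus-HKDF construction stand in for the Argon2id, crypto_secretbox_easy and crypto_box_seal calls listed above. The salt, the stored-record layout and all function names are assumptions.

```javascript
const { randomBytes, scryptSync, hkdfSync, createCipheriv, createDecipheriv,
  generateKeyPairSync, diffieHellman, createPublicKey, createPrivateKey } = require('node:crypto');
// Stand-in for crypto_secretbox_easy: ChaCha20-Poly1305, output = nonce || tag || ciphertext.
function box(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function unbox(key, blob) {
  const d = createDecipheriv('chacha20-poly1305', key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}
// Stand-in for crypto_box_seal: ephemeral X25519 key, HKDF over the shared secret, then box().
const sealKey = (privateKey, publicKey, ephPub) =>
  Buffer.from(hkdfSync('sha256', diffieHellman({ privateKey, publicKey }), ephPub, 'seal', 32));
function seal(recipientPub, plaintext) {
  const eph = generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephPub, blob: box(sealKey(eph.privateKey, recipientPub, ephPub), plaintext) };
}
function unseal(privDer, { ephPub, blob }) {
  const priv = createPrivateKey({ key: privDer, format: 'der', type: 'pkcs8' });
  const pub = createPublicKey({ key: ephPub, format: 'der', type: 'spki' });
  return unbox(sealKey(priv, pub, ephPub), blob);
}
const pkcs8 = (k) => k.export({ type: 'pkcs8', format: 'der' });
const deriveKek = (password, salt) => scryptSync(password, salt, 32); // stand-in for Argon2id
// Client side: registration, team creation and link creation. Returns what the server stores.
function createAccountAndLink(password, linkData) {
  const salt = randomBytes(16), masterKey = randomBytes(32), linkKey = randomBytes(32);
  const user = generateKeyPairSync('x25519'), team = generateKeyPairSync('x25519');
  return { salt, // assumed: a per-user KDF salt stored next to the wrapped keys
    encryptedMasterKey: box(deriveKek(password, salt), masterKey),
    encryptedUserPrivateKey: box(masterKey, pkcs8(user.privateKey)),
    encryptedTeamPrivateKey: seal(user.publicKey, pkcs8(team.privateKey)),
    encryptedLinkKey: seal(team.publicKey, linkKey),
    encryptedLink: box(linkKey, Buffer.from(JSON.stringify(linkData))) };
}
// Client side: the "Viewing A Link" steps, each key unwrapped by the one above it.
function viewLink(password, s) {
  const masterKey = unbox(deriveKek(password, s.salt), s.encryptedMasterKey);
  const userPrivateKey = unbox(masterKey, s.encryptedUserPrivateKey);
  const teamPrivateKey = unseal(userPrivateKey, s.encryptedTeamPrivateKey);
  const linkKey = unseal(teamPrivateKey, s.encryptedLinkKey);
  return JSON.parse(unbox(linkKey, s.encryptedLink).toString());
}
```

Every value in the returned record is ciphertext or a salt, so a wrong password fails at the first `unbox` and nothing further down the chain can be opened.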