About Coverta

Zero-knowledge encrypted content sharing. Your data is encrypted in your browser before transmission—the server never has access to content or encryption keys.

Dedicated Encrypted Sharing Portal

Deploy Coverta as a dedicated portal for your organization with custom branding, domain-restricted access, and isolated infrastructure.

Zero-Knowledge Architecture

Encryption happens entirely client-side using AES-256-GCM with keys derived via PBKDF2 (100k iterations). The server stores only encrypted blobs, nonces, and salts—all opaque without the key.

  1. Your content is encrypted in the browser.
  2. The server only stores encrypted content and cryptographic metadata.
  3. Decryption happens locally using a key that never leaves your device.

Key Transmission

When no passphrase is provided, a random secret is appended to the share URL as a fragment (#secret). URL fragments are never sent to servers—the decryption key stays between sender and recipient.

For additional security, use a custom passphrase communicated through a separate channel.
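
The flow described under Zero-Knowledge Architecture and Key Transmission, as an added example (not Coverta's own code). It shows what the server receives versus what stays in the URL fragment. The PBKDF2 hash (SHA-256), salt and nonce sizes, hex encoding, field names and the share.example URL are assumptions.

```javascript
// Added illustration, not Coverta's code. Assumed: SHA-256 as PBKDF2 hash, salt/nonce
// sizes, hex encoding, field names and the share.example URL.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser: window.crypto
const enc = new TextEncoder();
const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (h) => Uint8Array.from(h.match(/../g), (x) => parseInt(x, 16));

// PBKDF2 with 100k iterations (from the page) -> non-extractable AES-256-GCM key.
async function deriveKey(secret, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(secret), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Sender: with no passphrase, a random secret is generated and put in the fragment.
async function createShare(plaintext, passphrase) {
  const secret = passphrase ?? toHex(wc.getRandomValues(new Uint8Array(32)));
  const salt = wc.getRandomValues(new Uint8Array(16));  // assumed size
  const nonce = wc.getRandomValues(new Uint8Array(12)); // 96-bit GCM nonce, fresh per item
  const key = await deriveKey(secret, salt);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv: nonce }, key, enc.encode(plaintext));
  // Only this object is uploaded: ciphertext (with GCM tag), nonce and salt.
  const upload = { blob: toHex(new Uint8Array(ct)), nonce: toHex(nonce), salt: toHex(salt) };
  const base = 'https://share.example/c/abc123'; // placeholder URL and id
  return { upload, shareUrl: passphrase ? base : `${base}#${secret}` };
}

// Recipient: the secret comes from the fragment or from the out-of-band passphrase.
async function openShare(upload, shareUrl, passphrase) {
  const secret = passphrase ?? new URL(shareUrl).hash.slice(1);
  const key = await deriveKey(secret, fromHex(upload.salt));
  // decrypt() rejects if the key is wrong or the blob was altered (GCM tag check).
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromHex(upload.nonce) }, key, fromHex(upload.blob));
  return new TextDecoder().decode(pt);
}

// What a client sends in the HTTP request line for the share URL: no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}
```

The fragment is kept out of the HTTP request, but it remains in browser history and in any place the full link is pasted, which is why the passphrase mode sends the secret over a separate channel.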

Ephemeral Content

  • Expiration: Content auto-deletes after a configurable period
  • Burn after reading: Content is destroyed immediately after first access
  • Delayed availability: Content is hidden until a specified time

Authentication

Passwordless magic link authentication eliminates credential theft and phishing. All tokens are stored as SHA-256 hashes—a database breach does not expose active sessions.

API keys are available for programmatic access. Authentication is optional for content creation but required for content metadata management and audit logs.

Limitations

  • Maximum payload: 10MB total (including attachments)
  • Maximum expiration: 30 days
  • Maximum files: 10 per content item
  • Rate limiting applies to all endpoints

Disclaimer

Coverta provides encryption as a service. Users are responsible for sharing generated links only with verified recipients and for choosing appropriate passphrases. We recommend against sharing highly sensitive data (credentials, private keys, PII) without additional verification measures. Content availability depends on service uptime—do not use Coverta as primary storage.

End-to-end encrypted. Your data never leaves your device unencrypted.