Understanding MissCaps Encryption
MissCaps uses end-to-end encryption to ensure that only you and your designated recipients can read your capsule content. This article explains how it works in plain language.
The Three-Layer Model
1. Content Encryption (AES-256-GCM)
When you create a capsule, the app generates a random 256-bit Content Encryption Key (CEK). Your capsule's text, images, and videos are encrypted with this key using AES-256-GCM, an authenticated symmetric cipher: it both hides the content and lets the app detect any modification to the ciphertext.
The encrypted content (ciphertext) is uploaded to our servers. Without the CEK, recovering the content from the ciphertext is computationally infeasible.
2. Key Wrapping (RSA-2048)
The CEK itself is encrypted (wrapped) with your RSA-2048 public key. Your RSA key pair is generated on your device when you set your Privacy PIN. The private key is encrypted with your PIN and stored locally.
This means:
- The server stores the wrapped CEK (encrypted with your public key)
- Only your private key can unwrap the CEK
- Only your Privacy PIN can decrypt your private key
Result: Zero-knowledge. We cannot decrypt your capsules because we don't have your private key or PIN.
3. Recipient Access (PBKDF2 Answer Derivation)
Each recipient has a security question. Their answer is used to derive a key via PBKDF2-SHA256 (100,000 iterations). This derived key encrypts a copy of the CEK specifically for that recipient.
When the recipient claims the capsule:
- They answer the security question
- The app derives the key from their answer
- The derived key unwraps the CEK
- The CEK decrypts the capsule content
The answer never leaves their device in plaintext. We store only a validation hash to verify correctness.
Blockchain Proof
After encryption, the app computes a SHA-256 fingerprint of your capsule (title + content + file hashes). This fingerprint is written to the Solana blockchain as a Memo transaction.
Recipients can independently verify that:
- The capsule content matches the blockchain fingerprint
- The fingerprint was recorded before the capsule was triggered
- No one (including us) has tampered with the content
What We Cannot Do
Because of this architecture:
- We cannot read your capsule content (we don't have your private key)
- We cannot reset your Privacy PIN (it's not stored on our servers)
- We cannot modify your capsules without detection (blockchain proof)
- We cannot decrypt recipient content (we don't have their answers)
Trade-Offs
This level of security comes with trade-offs:
- If you forget your Privacy PIN, your capsules are permanently inaccessible. There is no recovery mechanism.
- If a recipient forgets their answer, they cannot claim the capsule. Choose memorable questions.
- Server-side search is impossible because we can't read your content. All search happens on your device after decryption.
Learn More
For technical details, see our Features page or read the open-source documentation.
Questions? Email us at security@misscaps.com.