← Back to overview

Secret Structure

May 22, 2016

Secret is a key, used to identify sync folders, perform encryption and peer discovery.

General Secret structure

Each Secret consists of four components:

Name Secret type Param Payload Checksum
Length 1 1 variable 1

Secret may only contain Base58 characters, compatible with Bitcoin Base58 dictionary:


Secret type

The secret can be one of the following types:

  • A – Owner Secret. This Secret has read-write permissions. Generated by Librevault client.
  • C – Read-only Secret. Can be derived from “A”-type Secret.
  • D – Download-only Secret. It is capable only for exchanging and storing encrypted data. Cannot decrypt filenames, content or cryptographic metadata. Can be derived from “A” or “B” type Secret.


Param is a Base58 character, containing a reserved value, used by Librevault clients. It is intended to be used as an extension point in Secret. It may affect processing of Payload in some way and may have various meanings:

  • 1 – no special meaning
  • 2–z – invalid value


Checksum is a check-character, computed using Luhn mod 58 algorithm using Base58 as a code-point mapping. It is computed from Base58-encoded Payload.


Payload is a most comlicated part. It is encoded using Base58 algorithm and is dependent on Secret type and Param. Base58-decoded payload (binary payload) contains:

  • Secret type A – Private key.
  • Secret type C – Public key with Hash of the private key concatenated to it.
  • Secret type D – Public key.

Public key crypto: ECC with secp256r1 curve now, but we should consider switching to ed25519 instead (and using Param for distinguishing between them). EC Public keys are in compressed point form.

Hash function: SHA-3.

Folder identifier

Clients use a special unique binary value to find each other over the network without leaking the key. It is computed as a hash value of public key (as in decoded Payload). The hash algorithm must be the same as the algorithm, used by Secret. Folder identifier has no defined readable encoding and it is meant to be public and safe for publishing to trackers, the local network and the DHT.