Encryption and Security

Encryption

Encryption and Security are deep, specialized areas for software, and we take them seriously. A key reason the Blocktrust Identity Wallet is still in the Alpha release phase is because of known issues in these areas. We will not release the Beta version of the Blocktrust Identity Wallet until we are confident that it is secure and reliable.

We wrote a blog article on June 15, 2023, describing the known security issues.

The primary issues are as follows:

  1. Some data at rest is not encrypted.
    In the Alpha release, data is stored at rest using the chrome.storage.local API. This is difficult to access except via the extension. While it is more secure than window.localStorage, our use of it is not as secure as we would like. Some data is encrypted using AES, but some is not encrypted.
    Encrypted:
    For the user's identity and credential DIDs, the mnemonic seed phrase (used to derive the keys for those DIDs) is encrypted using AES. The user's password is not stored directly; a salted hash of the password is stored instead.
    Not Encrypted:
    Other information is stored in the clear (some of it encoded), including: Application State, Chat Messages, Contacts, Peer DID Secrets, Mediator Contacts, Preferences, Requests (Wallet/Website, Presentation, Verification), and Credentials.

  2. Frequent backup required.
    The product design currently requires manual backup of data, depending on the level and type of user activity. Data generated from activity is not automatically stored redundantly and is therefore vulnerable to loss.

See the blog article for more details.