Welcome to Consently

The origin of your personal digital data.
Maintain your data in a single place and manage who can access which data.

Disclaimer and known limitations
  • This is an early alpha preview. It is unaudited and NOT SECURE by any standard.
  • DO NOT enter any data you would not be comfortable posting in public.
  • Your user data (plain text and/or cipher) may be deleted at any time without notice.
  • The email address provided at registration is processed and stored in plain text.
  • While each secret's label and value are private and protected by design,
    Consently can still trace who shares which secret (anonymized by ID) with whom.
  • Hypothetically, a dishonest cloud provider could introspect Consently's virtual server's memory, and/or serve anything
    (including a malicious Consently clone) to an unsuspecting user. Eventually, Consently will have to move to a device-agnostic client.
  • The chosen re-encryption scheme (Umbral) is based on elliptic-curve cryptography and is therefore NOT post-quantum safe.
    (Post-quantum-safe re-encryption schemes are an active research field. Consently intends to upgrade once a suitable implementation is available.)
  • The application-level E2EE of the request traffic is likewise based on elliptic-curve cryptography (WebCrypto ECDH P-256).
    This is considered acceptable for now (low priority to upgrade).
  • The global HTTPS traffic, on the other hand, which wraps communication between your web client and the Consently server, is supposed to
    use a post-quantum-safe key agreement (x25519mlkem768), provided you use a modern browser (otherwise x25519, which is not post-quantum safe).
    This protects the most vulnerable stage of public-key cryptography in a post-quantum-safe manner (maybe, hopefully, allegedly, potentially).
  • Your user store containing your labels and secret keys is encrypted symmetrically (AES-GCM) on the client-side before being saved to the server,
    which is practically safe. BOTH your password AND salt file are absolutely required to decrypt your user store after fetching it from Consently.
  • Using the web client will, unavoidably, have the browser (and by extension the operating system) deal with secrets in plain text in memory.
    Be sure to use a trustworthy personal device (phone, laptop, desktop), or boot your own live OS (like "Tails"), to access consently.online
    from a foreign device.

Check out the user manual on GitHub for usage and workflow.