Desktop Integration Security

How Passwall Extension and Passwall Desktop communicate securely via native messaging, how long sessions work, and what data boundaries are enforced.

Why native messaging is used
Native messaging creates a secure local bridge between browser extension and desktop app.

Browser extensions cannot directly access OS-protected key stores (for example macOS Keychain, Windows DPAPI, or Linux Secret Service). Passwall Desktop acts as the trusted local component that talks to the OS and exposes only minimal key-related operations to the extension.

  • Extension sends request over browser native messaging API.
  • Desktop host validates extension origin against allowlist.
  • Desktop can read encrypted key blob from OS-secured storage.
  • Sensitive responses are returned through encrypted IPC session.
How long sessions are maintained
Session continuity is achieved without storing master password.
  1. After successful unlock/login, a user key is stored in desktop secure storage.
  2. On extension startup, it attempts a secure handshake with desktop.
  3. If authorized and desktop is unlocked, extension retrieves the user key through encrypted IPC.
  4. Extension restores active session from that key without asking master password again.
  5. When the desktop is locked, desktop notifies extension and extension clears in-memory/session key material.

The master password is never required for persistence operations and is not written to disk by this flow.

Security controls in this channel
Multiple layers protect against unauthorized access and local abuse.
Identity and origin checks
  • Allowlisted extension IDs only
  • Unauthorized origins rejected immediately
  • Strict native message schema checks
Encrypted IPC session
  • Ephemeral ECDH P-256 handshake
  • AES-256-GCM payload protection
  • Monotonic nonces for replay protection
Key storage boundaries
  • Key blobs encrypted via Electron safeStorage
  • OS account bound decryption (Keychain/DPAPI/Secret Service)
  • No plaintext key files on disk
Runtime hardening
  • Desktop lock events invalidate extension session key
  • Request timeout and backpressure limits
  • Paired-browser metadata validation and size caps
Data privacy boundaries
What this integration does and does not access.

Native messaging is not used to read webpage content.

It does not send browsing history, keystrokes, or tab content to Passwall Desktop.

The channel is dedicated to key retrieval/status signals and is separate from normal vault API traffic.

If connection fails
Typical causes and recovery steps.
  • Desktop app is not running.
  • Native host manifest missing or stale.
  • Extension ID not in desktop allowlist.
  • Desktop is locked and secure key access is paused.
At a glance
Security promises of this integration.
Local-only bridge
Extension talks to desktop on the same machine.
OS-backed key protection
Key material remains protected by OS security services.
Encrypted IPC
Handshake + AEAD channel for key-related responses.
Related docs
Security Model
Getting Started
Support Center

Made in Europe

Privacy by default