# Frequently Asked Questions (FAQ)

## General Questions

### What is CQRIT?

CQRIT is a client-side, post-quantum encryption system for securing personal data. The key innovation: **keys are never stored**. They are derived from your memory at runtime.

**Use cases:** Crypto wallets, passwords, family documents, sensitive files, business secrets.

---

### How is this different from 1Password, LastPass, or Bitwarden?

| Feature | Traditional Password Managers | CQRIT |
|---------|------------------------------|-------|
| Master key storage | Encrypted file on disk | Never stored (derived from memory) |
| Quantum resistance | Some use RSA/ECC (vulnerable) | CRYSTALS-Kyber (quantum-safe) |
| Server trust | Trusts server/cloud provider | Zero trust (client-side only) |
| Key recovery | Company can reset | Social recovery (no company backdoor) |
| Coercion resistance | Master password reveals all | Optional high-threshold recovery makes coercion pointless |

**Summary:** CQRIT never stores keys. Traditional managers encrypt a master key file. If that file is compromised (or company breached), your data may be at risk.

---

### Is this just a password manager?

No. CQRIT can store:
- Passwords
- Crypto private keys
- Files (documents, photos)
- Notes
- Credit card numbers
- Any sensitive text or files

It's a **universal encryption system**, not just passwords.

---

### Do I need to install anything?

**Web app:** No installation. Works in browser (Chrome, Firefox, Safari, Edge).

**Mobile app:** (Future) iOS/Android apps for better integration.

---

### Does this work offline?

**Yes.** CQRIT is designed to work **100% offline**.

- Encryption/decryption happens client-side (no network required)
- Data stored locally (IndexedDB or file system)
- Optional cloud sync for multi-device (but not required)

---

### What does "post-quantum" mean?

**Post-quantum cryptography** is designed to resist attacks from future quantum computers.

**Traditional encryption (RSA, ECC):** Vulnerable to quantum computers using Shor's algorithm.

**CQRIT (CRYSTALS-Kyber):** Resistant to quantum attacks.

**Why it matters:** Data encrypted today with RSA could be decrypted in 10-20 years when quantum computers exist. CQRIT protects against that future threat.

---

## Security Questions

### Where are my keys stored?

**Nowhere.** That's the point.

Keys are derived from your memory inputs at runtime. When you log out, the key is wiped from memory. Next time you log in, the key is regenerated from the same memory inputs.

**Benefits:**
- No key file to protect
- No database to hack
- No backup/recovery of key files

---

### What if I forget my memory inputs?

**Without social recovery:** Data is lost forever. There is no backdoor.

**With social recovery:** You can reconstruct your key with help from M-of-N guardians (e.g., 3 of 5 friends/family).

**Recommendation:** Set up social recovery for important data.

See: [Social Recovery](recovery.md)

---

### Can CQRIT employees decrypt my data?

**No.** Even if we wanted to, we cannot.

- Data encrypted on your device
- Keys never sent to server
- Even a full database dump reveals only ciphertext

**This is zero-knowledge encryption.**

---

### What happens if CQRIT shuts down?

**Your data is safe.**

- Encryption code is open-source
- You can run it locally forever
- Data is encrypted locally (not dependent on CQRIT servers)
- You own your data

**Even if CQRIT ceases to exist, you can still decrypt your data.**

---

### Is this audited?

**Current status:** Code is open-source (available for community review).

**Future:** Third-party security audits planned.

**You can audit it yourself:** All cryptographic code is public.

---

### What if there's a bug in the code?

**Transparency:** All code is open-source. Bugs are public.

**Updates:** We monitor CVEs and patch quickly.

**Defense-in-depth:** Multiple layers of encryption (CRYSTALS-Kyber + AES-256 + PQXDH).

**Risk:** Like all software, bugs are possible. Use at your own risk.

---

### Can this be hacked?

**Strong defenses:**
- ✅ Server breach: Cannot decrypt (keys not on server)
- ✅ Quantum computer: Resistant (CRYSTALS-Kyber)
- ✅ Man-in-the-middle: Authenticated encryption (GCM)

**Weak defenses:**
- ⚠️ Device malware: Can steal keys during use
- ⚠️ Phishing: User might enter inputs on fake site
- ⚠️ Weak inputs: User chooses "password123" (brute-forceable)

**See full threat model:** [Threat Model](threat-model.md)

---

### What if someone tortures me for my password?

**Without high-threshold recovery:** You will reveal memory inputs. Attacker decrypts data.

**With high-threshold recovery (e.g., 10-of-10):** You cannot decrypt alone. Even if you cooperate, attacker needs all 10 guardians (across 10 countries). Torture becomes pointless.

**See:** [Coercion Resistance](coercion.md)

---

### Is this anonymous?

**CQRIT does not link your data to your identity.**

But:
- Network metadata (IP address) may reveal who you are
- If you sync to cloud, cloud provider may log your IP
- CQRIT is not Tor or a VPN

**For full anonymity:** Use CQRIT over Tor.

---

## Technical Questions

### What algorithms does CQRIT use?

**Post-quantum key encapsulation:**
- CRYSTALS-Kyber (NIST PQC winner)

**Symmetric encryption:**
- AES-256-GCM (authenticated encryption)

**Key derivation:**
- Argon2id (preferred) or PBKDF2

**Hashing:**
- SHA-256

**Key exchange:**
- PQXDH (hybrid classical + post-quantum)

**See:** [Cryptography Details](crypto.md)

---

### Why CRYSTALS-Kyber?

**Reasons:**
1. NIST selected it as PQC standard (2022)
2. Based on a hard lattice problem (Module-LWE) that is resistant to quantum computers
3. Open-source, audited, peer-reviewed
4. Efficient (fast even in browser)

**Alternatives considered:** NTRU, Classic McEliece, SIKE (broken; we avoided it)

---

### Is AES-256 quantum-safe?

**Yes.** AES-256 is symmetric encryption. Quantum computers only threaten asymmetric encryption (RSA, ECC).

**Grover's algorithm:** Reduces AES-256 to effective 128-bit security (still secure).

---

### What is PQXDH?

**PQXDH = Post-Quantum Extended Diffie-Hellman**

Hybrid key exchange combining:
- Classical X25519 (elliptic curve)
- Post-quantum CRYSTALS-Kyber

**Why hybrid?**
- If Kyber is broken, X25519 still protects
- If X25519 is broken (quantum), Kyber protects

**Defense-in-depth.**

---

### Why Rust/WebAssembly?

**Performance:** Crypto operations run faster in Rust compiled to WebAssembly than in plain JavaScript.

**Security:** Memory safety (Rust prevents buffer overflows, use-after-free, etc.).

**Fallback:** If WASM unavailable (old browsers), falls back to JavaScript libraries.

---

### Does this work in all browsers?

**Modern browsers (2020+):** Yes (Chrome, Firefox, Safari, Edge).

**Old browsers:** Limited. May fall back to JavaScript (slower, less secure).

**Requirement:** Web Crypto API support.

---

### Can I use this on mobile?

**Web app:** Yes, works in mobile browsers (iOS Safari, Android Chrome).

**Native apps:** (Future) iOS/Android apps planned.

---

### How do you prevent brute-force on memory inputs?

**Techniques:**

1. **High KDF iterations:** Argon2id or PBKDF2 with a high iteration count (slows down brute-force guessing)
2. **Salt:** Each user has a unique salt (prevents rainbow tables)
3. **Entropy checking:** Warns user if inputs are weak
4. **Time penalty:** Optional slow-down after failed decryption attempts

**User responsibility:** Choose strong, high-entropy inputs.

---

### What is "social recovery"?

**Concept:** Distribute secret across M-of-N guardians (e.g., 3-of-5).

**How it works:**
1. You create 5 shares
2. Give each to a trusted person (family/friends)
3. If you forget your inputs, any 3 guardians can help you reconstruct the key

**Math:** Shamir's Secret Sharing (threshold cryptography)

**See:** [Social Recovery](recovery.md)

---

## Privacy Questions

### Do you track my usage?

**Analytics:** (Optional) Anonymized usage analytics for improving UX.

**No tracking of:**
- What data you encrypt
- Your memory inputs
- Your keys
- Content of your files

**Opt-out:** You can disable analytics.

---

### Do you sell my data?

**No.** We cannot sell what we don't have.

- We never see your plaintext data
- We never see your keys
- We never sell ciphertext (useless to buyers)

---

### Can government agencies access my data?

**Warrant/subpoena to CQRIT:** We can provide encrypted data (ciphertext). We cannot provide keys (we don't have them).

**Warrant to you:** If legally compelled, you may need to decrypt. Or:
- Use high-threshold recovery (10-of-10) so you cannot decrypt alone
- Claim Fifth Amendment protection (USA, self-incrimination); varies by jurisdiction

**See:** [Coercion Resistance](coercion.md)

---

### Is this GDPR compliant?

**Yes.** CQRIT supports GDPR principles:
- Data minimization (we store only ciphertext)
- Privacy by design (client-side encryption)
- Right to erasure (you can delete your data)
- Data portability (you can export your encrypted data)

---

## Comparison Questions

### CQRIT vs. Signal

**Signal:** Secure messaging (end-to-end encrypted chat)

**CQRIT:** Secure storage (encrypt any data, not just messages)

**Overlap:** Both use end-to-end encryption. But different use cases.

**Can you use both?** Yes. Signal for chat, CQRIT for storage.

---

### CQRIT vs. VeraCrypt / BitLocker

**VeraCrypt/BitLocker:** Full-disk encryption. Encrypts entire drive.

**CQRIT:** Item-level encryption. Encrypts individual files/passwords.

**Key difference:**
- VeraCrypt: Keys stored encrypted on disk (must unlock with password)
- CQRIT: Keys never stored (derived from memory)

**Can you use both?** Yes. VeraCrypt for disk encryption, CQRIT for sensitive items.

---

### CQRIT vs. PGP / GPG

**PGP/GPG:** Email encryption, file signing, asymmetric keys.

**CQRIT:** Universal encryption, symmetric + post-quantum.

**Key difference:**
- PGP: Key files managed manually
- CQRIT: Keys derived from memory (no files)

**PGP is quantum-vulnerable (RSA). CQRIT is quantum-safe.**

---

### CQRIT vs. Hardware Wallets (Ledger, Trezor)

**Hardware wallets:** Store crypto private keys in physical device.

**CQRIT:** Store crypto private keys encrypted in software (no hardware).

**Pros of hardware wallets:**
- Physical device (air-gapped)
- Protected from malware

**Pros of CQRIT:**
- No device needed (works on any device)
- Quantum-safe
- Multi-device without syncing hardware

**Can you use both?** Yes. Hardware wallet for daily use, CQRIT for backup/cold storage.

---

### CQRIT vs. Blockchain-based storage (Filecoin, Arweave)

**Blockchain storage:** Decentralized file storage. Files stored across network.

**CQRIT:** Client-side encryption. Can store encrypted files to blockchain.

**Combination:** Use CQRIT to encrypt, then upload ciphertext to Filecoin/Arweave.

**Benefit:** Decentralized + encrypted.

---

## Pricing Questions

### How much does this cost?

**Free tier:** Up to 20 items stored. All features included.

**Paid tiers (storage-based):**
- $4.99/mo: 100 items
- $19.99/mo: 1000 items
- $29.99/mo: 5000 items
- $49.99/mo: 25000 items

**All features included at all tiers.** You only pay for storage capacity.

---

### What happens if I exceed my tier?

**Automatic upgrade:** When you reach the limit, you're automatically billed for the next tier.

**No data loss:** Your data is safe. You just pay more.

---

### Can I pay with crypto?

**Future feature.** Not available yet.

---

### Is there a lifetime plan?

**Not currently.** Subscription model only.

---

## Usage Questions

### How do I get started?

**Steps:**
1. Visit app.cqrit.com
2. Enter memory inputs (questions only you know)
3. Start encrypting data

**See:** [Getting Started](getting-started.md)

---

### Can I import from 1Password / LastPass?

**Future feature.** Not available yet.

**Workaround:** Manually copy passwords from old manager to CQRIT.

---

### Can I use this for my team / family?

**Yes.** Group encryption supported.

**How:**
- Each member has own account (own memory inputs)
- Share encrypted data using threshold cryptography
- M-of-N members can decrypt

**Use case:** Family documents, team passwords, shared crypto wallet.

---

### Can I access my data on multiple devices?

**Yes.** Two options:

**Option 1: Cloud sync**
- Data encrypted and synced to cloud
- Enter same memory inputs on each device
- Key regenerated, data decrypted

**Option 2: Offline only**
- Keep data on one device
- No sync

---

### What if I lose my device?

**With cloud sync:** Log in on new device with same memory inputs. Data synced back.

**Without cloud sync:** Data lost (unless backed up manually).

**Recommendation:** Use cloud sync for important data.

---

## Advanced Questions

### Can I run this on my own server (self-hosted)?

**Yes.** Code is open-source.

**Steps:**
1. Clone repository
2. Deploy to your server (Vercel, Netlify, etc.)
3. All encryption still client-side (server just serves code)

---

### Can I contribute to the code?

**Yes.** Open-source on GitHub.

**Ways to contribute:**
- Bug reports
- Feature requests
- Pull requests
- Security audits

---

### What is the roadmap?

**Current (v1):**
- Web app
- Post-quantum encryption
- Social recovery
- Group encryption

**Future (v2+):**
- Mobile apps (iOS/Android)
- Browser extension
- Hardware security module (HSM) integration
- Biometric inputs
- Import from other password managers

---

### Can I use this for enterprise / business?

**Yes.** Some businesses use CQRIT for:
- Company secrets
- Signing keys
- IP protection

**Enterprise features (future):**
- Admin dashboard
- Audit logs
- Team management
- SSO integration

---

### Is the code really open-source?

**Yes.** GitHub: [github.com/CQRIT](https://github.com/CQRIT) (example link)

**License:** (To be determined - MIT / Apache 2.0 recommended)

---

### What data do you collect?

**What we collect:**
- Email (for account recovery, if provided)
- Encrypted data (ciphertext)

**What we DO NOT collect:**
- Memory inputs
- Keys
- Plaintext data
- What you encrypt

---

### Can I use this for illegal purposes?

**No.** Terms of Service prohibit illegal use.

**CQRIT is designed for self-defense (privacy, anti-kidnapping), not for hiding crimes.**

---

### What if I want to delete my account?

**Process:**
1. Log in
2. Settings → Delete Account
3. All data permanently deleted

**Note:** Cannot be undone. Backup data first.

---

## Troubleshooting

### Why can't I decrypt my data?

**Common causes:**
1. Wrong memory inputs (typo; inputs are case-sensitive)
2. Browser cleared IndexedDB (local data lost)
3. Different salt on a different device

**Solutions:**
- Try variations of memory inputs
- Use social recovery (if configured)
- Contact support

---

### Why is encryption slow?

**Possible causes:**
1. Old browser (no WebAssembly support, falls back to JavaScript)
2. Large file
3. Low device performance

**Solutions:**
- Update browser
- Use desktop instead of mobile
- Upgrade device

---

### Why doesn't this work offline?

**It should.** If it doesn't:
1. Check that the service worker is enabled
2. Check that the data is cached
3. Check browser compatibility

---

### Why do I see "Insufficient shares" error?

**Cause:** Trying to recover with fewer than M guardians.

**Example:** Setup was 3-of-5, but you only have 2 shares.

**Solution:** Get at least 3 guardians to provide shares.

---

## Contact

### How do I report a security issue?

**Email:** security@cqrit.com

**PGP key:** (Provide PGP public key for encrypted reports)

**Bounty:** (If bug bounty program exists)

---

### How do I get support?

**Options:**
- Email: support@cqrit.com
- Discord: (Link if exists)
- GitHub Issues: (For bug reports)

---

**Read more:**
- [Getting Started](getting-started.md)
- [Architecture](architecture.md)
- [Cryptography](crypto.md)
- [Key Management](key-management.md)
- [Social Recovery](recovery.md)
- [Coercion Resistance](coercion.md)
- [Threat Model](threat-model.md)
