DataHandler.DeviceIdentifier

DeviceIdentifier Class

Derives a cryptographically strong, user-bound master key from a user identifier string (e.g. username or account ID). Uses PBKDF2-HMAC-SHA512 with a fixed public salt and 600,000 iterations.

This key is consistent across devices for the same user — enabling secure vault portability while remaining resistant to brute-force attacks.

Note: This is not hardware-bound. The same user ID on any device produces the same master key.

Methods

GetUserBoundMasterSecret(string xruiosUserId)

Derively generates a 256-bit master encryption key from the provided user identifier.

  • Parameters:
    • xruiosUserId: A stable, unique identifier for the user (e.g. "alice@xr.com", "user-123"). Case-insensitive and trimmed.
  • Returns: SecureData — A zeroable 256-bit key derived via PBKDF2-SHA512 (600k iterations)
  • Security: ~200–400 ms derivation time on modern hardware. Resistant to offline attacks even if vault is stolen.
  • Portability: Identical user ID → identical key on any supported platform (Windows, Linux, macOS, Android, Quest).

Caches result for performance after first call in the current process.

(Internal) DeriveSecretFromMasterPassword(string password)

Performs the actual PBKDF2 key derivation with fixed public salt "XRUIOS-Vault-2025-v1".