From 433b76d7e1533416b612b6651100a524abe60900 Mon Sep 17 00:00:00 2001
From: Chris Duncan <chris@zoso.dev>
Date: Fri, 8 Aug 2025 11:41:47 -0700
Subject: [PATCH] Restrict iv to 96 bits per GCM best practice.

---
 src/lib/safe.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/safe.ts b/src/lib/safe.ts
index a1ef851..147a50f 100644
--- a/src/lib/safe.ts
+++ b/src/lib/safe.ts
@@ -356,7 +356,9 @@ export class Safe {
 			seed: bytes.toHex(new Uint8Array(this.#seed))
 		}
 		if (this.#mnemonic != null) data.mnemonic = this.#mnemonic
-		const iv = crypto.getRandomValues(new Uint8Array(32)).buffer
+
+		// restrict iv to 96 bits per GCM best practice
+		const iv = crypto.getRandomValues(new Uint8Array(12)).buffer
 		const encoded = utf8.toBytes(JSON.stringify(data))
 		const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoded)
 		return { iv, encrypted }
-- 
2.47.3