John Carvalho's own manifesto states: "Master keys are kept in cold storage, and ...

Why Nostr? What is Njump? Join Nostr

jaredlogan / Jared Logan

npub19y…v322j

2026-06-01 20:28:18 UTC

in reply to nevent1q…9re7

John Carvalho's own manifesto states:

"Master keys are kept in cold storage, and access is delegated through revokable homeserver sessions, minimizing exposure and maximizing security."

https://medium.com/pubky/pubky-the-next-web-3287b35408f1

Let's look at what the code actually does.

The master key (secretKey + mnemonic) correctly goes to the OS Keychain. That part is true.

But session tokens (the credentials that grant active access to your homeserver) tell a different story.

https://github.com/pubky/pubky-ring/blob/main/src/store/mmkv-storage.ts

line 4:

const storage = createMMKV();
No encryption key. Unencrypted storage.
https://github.com/pubky/pubky-ring/blob/main/src/store/index.ts

line 45:

whitelist: ['pubky', 'settings'],
The pubky slice (which contains your sessions) is persisted to that unencrypted MMKV store.

https://github.com/pubky/pubky-ring/blob/main/src/store/slices/pubkysSlice.ts

lines 73-84:

addSession: (state, action) => {
state.pubkys[pubky].sessions.push({
...session, created_at: Date.now()
});
}

session_secret pushed directly into the unencrypted Redux store.

Your master key is safe. Your session tokens (the active credentials that authenticate you to your homeserver) sit in plain unencrypted storage on your device.

The migration file makes it explicit — this isn't an oversight. Migration version 6 deliberately migrates session_secret into persisted storage:

https://github.com/pubky/pubky-ring/blob/main/src/store/migrations/index.ts

lines 81-90:

// Add session_secret to all existing sessions
sessions: pubky.sessions.map((session) => ({
...session,
session_secret: '',
}))

"Master keys are kept in cold storage, and access is delegated through revokable homeserver sessions, minimizing exposure and maximizing security." Right. Sure bitcoinerrorlog (npub13nd…0svh)

Nostr doesn't have a session token layer to compromise. Your key signs events directly, via NIP-07 extensions or NIP-46 bunkers (how you *should be* using nostr) that never expose it to apps at all. Pubky adds a session delegation layer to protect the master key (a reasonable idea) but then stored those session tokens unencrypted. The mitigation introduces the vulnerability.

Author Public Key

npub19yw8tkfh530kdgfqn782vcga7azgckdn2fjjp3nv5txu6dl3h7lqhv322j

Seen on

wss://nostr.wine

Show more details

Published at

2026-06-01 20:28:18 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "e5848a8fb6b2ae08858b1aa7feea0db04e1093a38a9c2d977e177e691033c962", "pubkey": "291c75d937a45f66a1209f8ea6611df7448c59b3526520c66ca2cdcd37f1bfbe", "created_at": 1780345698, "kind": 1, "tags": [ [ "p", "8cda1daafb2df8daf4500533cba69b645afa0caf7136e341be1b66a2e9e5bdd8" ], [ "e", "ed48c94ccc5c4730e338204d542e00f1016e63b66a2365d740395ae55b92aaaf", "wss://relay.ditto.pub/", "root", "291c75d937a45f66a1209f8ea6611df7448c59b3526520c66ca2cdcd37f1bfbe" ], [ "imeta", "url https://media.tenor.com/BHyTSZGUEBAAAAAC/cowboy-gun.gif", "m image/gif" ], [ "client", "Ditto", "31990:781a1527055f74c1f70230f10384609b34548f8ab6a0a6caa74025827f9fdae5:ditto" ] ], "content": "John Carvalho's own manifesto states:\n\n\"Master keys are kept in cold storage, and access is delegated through revokable homeserver sessions, minimizing exposure and maximizing security.\"\n\nhttps://medium.com/pubky/pubky-the-next-web-3287b35408f1\n\nLet's look at what the code actually does.\n\nThe master key (secretKey + mnemonic) correctly goes to the OS Keychain. That part is true.\n\nBut session tokens (the credentials that grant active access to your homeserver) tell a different story.\n\nhttps://github.com/pubky/pubky-ring/blob/main/src/store/mmkv-storage.ts\n\nline 4:\n\nconst storage = createMMKV();\nNo encryption key. Unencrypted storage.\nhttps://github.com/pubky/pubky-ring/blob/main/src/store/index.ts\n\nline 45:\n\nwhitelist: ['pubky', 'settings'],\nThe pubky slice (which contains your sessions) is persisted to that unencrypted MMKV store.\n\nhttps://github.com/pubky/pubky-ring/blob/main/src/store/slices/pubkysSlice.ts\n\nlines 73-84:\n\naddSession: (state, action) =\u003e {\n state.pubkys[pubky].sessions.push({\n ...session, created_at: Date.now()\n });\n}\n\nsession_secret pushed directly into the unencrypted Redux store.\n\nYour master key is safe. Your session tokens (the active credentials that authenticate you to your homeserver) sit in plain unencrypted storage on your device.\n\nThe migration file makes it explicit — this isn't an oversight. Migration version 6 deliberately migrates session_secret into persisted storage:\n\nhttps://github.com/pubky/pubky-ring/blob/main/src/store/migrations/index.ts\n\nlines 81-90:\n\n// Add session_secret to all existing sessions\nsessions: pubky.sessions.map((session) =\u003e ({\n ...session,\n session_secret: '',\n}))\n\n\"Master keys are kept in cold storage, and access is delegated through revokable homeserver sessions, minimizing exposure and maximizing security.\" Right. Sure nostr:npub13ndpm2hm9hud4azsq5euhf5mv3d05r90wymwxsd7rdn29609hhvqp60svh \n\nhttps://media.tenor.com/BHyTSZGUEBAAAAAC/cowboy-gun.gif\n\nNostr doesn't have a session token layer to compromise. Your key signs events directly, via NIP-07 extensions or NIP-46 bunkers (how you *should be* using nostr) that never expose it to apps at all. Pubky adds a session delegation layer to protect the master key (a reasonable idea) but then stored those session tokens unencrypted. The mitigation introduces the vulnerability.", "sig": "8f9013c16d90f044d2639525ce54c4d545071d8e4588439096e82cd13e9cd387be629294c5af8ffa0d0f08f546756389260eff10568c9ec490e8ecce939dbf92" }