mydatapass-verify
Independently verify a MyDataPass export — without trusting us.
MyDataPass delivers customer data offboarding exports as encrypted, audit-logged packages. This repository contains everything a recipient (or their security team) needs to decrypt and verify an export with zero MyDataPass involvement: the package format specification and two standalone verifiers.
Why this repo exists
Our security model does not rely on secrecy of the format — it relies on the strength of the passphrase and standard, auditable cryptography. Publishing the format and the verification tooling means:
- Your security team can review exactly how packages are encrypted before signing anything.
- Recipients can decrypt and verify integrity offline, with no DataPass servers involved.
- If DataPass disappeared tomorrow, every delivered package would remain fully recoverable with the passphrase and this tooling.
What's in an export package
A MyDataPass package is a JSON file with four fields:
| Field | Description |
|---|---|
ciphertext_b64 | AES-256-GCM ciphertext, Base64 |
iv_b64 | 12-byte random nonce, Base64 |
salt_b64 | 16-byte random KDF salt, Base64 |
hash_sha256 | SHA-256 hex digest of the original plaintext |
Encryption: AES-256-GCM. Key derivation: PBKDF2-HMAC-SHA256, 310,000 iterations, 32-byte key. Full details in docs/export-format.md.
Verify an export
Option A — browser, fully offline
Open verify.html in any modern browser (works from file://, no network requests are made). Select the package file, enter the passphrase, and the page decrypts via WebCrypto and checks the SHA-256 digest locally.
Option B — command line
Requires Python 3.9+ and the cryptography package:
pip install cryptography
python verify.py package.json --out exported-data.bin
The script prompts for the passphrase, decrypts, and confirms the plaintext digest matches hash_sha256. Exit code 0 means the package is authentic and intact; any tampering with the ciphertext fails GCM authentication.
What this repo is NOT
This is not the MyDataPass product source code. It is the public, auditable surface: the delivery format, the verification tooling, and our security model. Questions or responsible disclosure: silvia@mydatapass.pro.
License
MIT — see LICENSE.