Plaintext, RP ID, and at least one credential with PRF output.
ArrayBuffer containing the complete .lve binary.
LvePrfNotSupportedError if credentials is empty or a PRF output
is not exactly 32 bytes.
const authResult = await authenticateWithPrf({ rpId, fileId });
const lveBytes = await createLveFile({
plaintext: new TextEncoder().encode("secret"),
rpId: window.location.hostname,
fileId: authResult.fileId,
credentials: [{ credentialId: authResult.credentialId, prfOutput: authResult.prfOutput }],
});
Encrypts data and produces a
.lvebinary container.Generates a random DEK (AES-256-GCM), derives a KEK for each credential via HKDF-SHA-256 over the PRF output, wraps the DEK with AES-KW per recipient, and stores everything in the
.lveheader alongside the AES-GCM ciphertext.