Inspiration

I saw an Instagram reel a few weeks ago that called fish “the most useless pets.” As a fish owner, they’re probably right, but I decided I would dedicate my UofTHacks submission to proving they’re not as useless as people think. I’ve done a lot of previous work in cybersecurity, so I wanted to focus on that again this time, but make it creative.

I took inspiration from Cloudflare’s lava lamp wall, which uses the randomness of bubbles and fluid motion inside lava lamps to generate unpredictable entropy for security systems. If bubbles are random, then my fish swimming patterns are even more unpredictable, so I built a project where my fish tank becomes a real-world source of live randomness to protect identity-related secrets.

What it does

FishVault is a secrets manager designed to protect the most important pieces of your digital identity: things like API keys, passwords, access tokens, and sensitive notes.

What makes it unique is that the vault is protected by a Fish KMS (Key Management Service) that uses live data from my fish tank as a security gate. Even if an attacker were to access the database, all they would see is encrypted ciphertext because decryption requires the Fish KMS to be live and available.

In short: your identity stays safe because the encryption keys aren’t stored where attackers expect them to be.

How we built it

FishVault is split into two main systems:

Secrets Manager Web App (Next.js + Supabase)

  • Built a clean UI where users can save and view secrets
  • Secrets are never stored in plaintext
  • Supabase stores: Users, Encrypted Secrets, Session State

FishEncrypt (It's supposed to sound like Fish N Chips) (Python + FastAPI)

  • Centralized encryption authority
  • Generates a live unlock signal using fish tank entropy
  • Handles encryption/decryption requests from the backend
  • Client never receives or sends any encryption keys
  • Only the backend can communicate with Fish KMS, through an API

Encryption Flow:

  1. When the vault is initialized, FishVault creates a random Master Key. This key is what actually encrypts all secrets using AES-GCM.
  2. The Master Key is protected behind FishEncrypt. When a user wants to access the vault, the backend asks FishEncrypt to generate a key based on fish location, speed, and other random noise within the tank.
  3. Once completed, FishVault opens a short unlock window. During this window, the backend is allowed to use the Master Key to encrypt/decrypt secrets without repeatedly prompting the user
  4. When a user saves a secret, the backend uses the Master Key to encrypt it, and only stores ciphertext in the database, NEVER plaintext
  5. Decrypting secrets: When a user views a secret, the backend again uses the Master Key to decrypt the ciphertext, but only if the vault is currently unlocked and the user is authorized.
  6. If an attacker steals the database, they only get encrypted ciphertext. Without access to the Master Key (which is gated by FishEncrypt), the secrets remain unreadable, protecting identity credentials even under worst-case assumptions.
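
A sketch of steps 2 and 3, added here as an example and not FishVault's own code: fish observations are mixed with OS randomness through HKDF so a calm tank cannot make the unlock key predictable, and the Master Key is released only while a short unlock window is live. The names `FishKMS` and `derive_unlock_key`, the `(x, y, speed)` frame layout, the salt and info labels, and the 60-second window are all assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

CALM_TANK = [(12.0, 4.0, 0.0)] * 3  # constructed frames (x, y, speed): fish not moving

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(fish_frames, csprng=os.urandom) -> bytes:
    """Mix tank observations with CSPRNG output; the CSPRNG carries the security floor."""
    # Assumed tracker output: one (x, y, speed) tuple of floats per video frame.
    tank = b"".join(struct.pack("<3d", *frame) for frame in fish_frames)
    return hkdf_sha256(csprng(32) + tank, b"fishvault-demo-salt", b"unlock-key")

class FishKMS:
    """Hypothetical gate: releases the Master Key only inside a live unlock window."""
    def __init__(self, ttl_seconds: float = 60.0, clock=time.monotonic):
        self._master_key = os.urandom(32)  # random Master Key (step 1)
        self._ttl, self._clock = ttl_seconds, clock
        self._token, self._expires = None, 0.0

    def unlock(self, fish_frames) -> bytes:
        """Open the window and return the session token the backend must present."""
        self._token = derive_unlock_key(fish_frames)
        self._expires = self._clock() + self._ttl
        return self._token

    def master_key(self, token: bytes) -> bytes:
        """Fail closed: no key without a live window and the matching token."""
        if self._token is None or self._clock() >= self._expires:
            self._token = None  # relock once the window has closed
            raise PermissionError("vault locked: no live unlock window")
        if not hmac.compare_digest(token, self._token):
            raise PermissionError("vault locked: wrong session token")
        return self._master_key
```

The key returned by `master_key` is what the AES-GCM calls in steps 4 and 5 would use.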

Challenges we ran into

  • Entropy Reliability: Fish aren't always moving consistently, especially if they're inactive or the tank is calm, so I had to include other noise in the system so that the keys kept changing

  • I wanted it to feel like a real product, but still keep it lightweight and demo-friendly

Accomplishments that we're proud of

  • Built a working end-to-end secrets manager where encryption protects data, not just UI

  • Successfully integrated a real-world entropy source into a system

What we learned

  • Identity security is not just about hiding stuff, but also where that stuff is hidden and who can access it

  • A database leak doesn't have to be catastrophic if you separate encrypted data from the encryption authority

  • FishVault was built to be a playful but serious reminder that identity is defined by secrets, and protecting those secrets is protecting the person behind them.

What's next for FishVault

  • The major part of this project is the encryption scheme. Realistically, this can go way beyond a simple secrets manager: maybe a messaging system, or I could allow people to share secrets with each other. There's so much to build on.
