A read only, mobile friendly reference for the operational configuration of an A320 family fleet. The data is encrypted and signed, so the repository can stay public while the fleet stays private. Only someone with the fleet password can read it, and only the owner can produce a valid update.
Live app: https://bbjcaptain.github.io/fleet-config/
Repository: https://github.com/BBJcaptain/fleet-config
Public, safe to publish:
index.html— the app users open. Self contained, read only, holds no fleet data. Contains the ECDSA public key used to verify data authorship.collector.html— keyless, offline field-collector page (holds no key and no fleet data; safe to publish). Used to jot an aircraft's config in the air.fleet-config.enc— the encrypted, signed fleet database (ciphertext).UI/— static assets:UI/icon.png— favicon and Home Screen icon.UI/carbon.png— background texture used in the header and footer.
README.md— this file.
Never commit (owner only, private):
editor.html— the editor. It contains the ECDSA private signing key and can produce valid data. Treat it like a secret.fleet-config.json— the plaintext fleet.
The owner edits the fleet on their own machine in editor.html, which encrypts
and signs it with a password, and commits the encrypted file. Every time a
user opens the app it downloads fleet-config.enc over HTTPS, asks once for the
password, decrypts it in the browser, and verifies the signature. If GitHub is
unreachable it shows the last cached copy and states the date the data was last
updated. The app auto locks after 15 minutes of inactivity.
The design assumes the file is public and hostile eyes will see it. Protection is built in layers.
-
Confidentiality (encryption at rest and in transit). The fleet is sealed with AES-256 in GCM mode. The key is derived from the password with PBKDF2-HMAC-SHA256 at 600,000 iterations and a random salt (OWASP 2023 guidance), which makes password guessing slow and costly. The repository, the GitHub CDN, and the device's offline cache hold only ciphertext. In transit it is fetched over HTTPS (TLS), so it is double wrapped. Plaintext exists only in the browser's memory after you enter the password; it is never written to disk or uploaded. The app also rejects any file whose KDF is weaker than 600,000 iterations, so a downgraded envelope cannot lower the cost of guessing.
-
Authenticity (signed data). The plaintext is signed with an ECDSA P-256 private key held only in
editor.html. The app carries the matching public key and verifies every file it loads. If the signature is missing or invalid, the app fails closed: it refuses to display the data — a file with no signature is rejected, never trusted. This means even someone who learned the password cannot substitute their own file, and any tampering is caught. GCM already detects corruption; the signature proves the data came from the owner. -
Integrity fingerprint. A SHA-256 fingerprint of the loaded data is shown in the disclaimer, so two people can confirm in one glance they are on the same release.
-
Session control (session only password). The password is never written to the device. It is held in memory for the session only, so the user enters it once each time the app is opened fresh. Tapping Lock, or the 15 minute inactivity auto lock, clears the password from memory. The encrypted offline copy (ciphertext only) is deliberately kept, so the app still opens without a connection — for example in flight — once the password is re-entered. Nothing readable is stored on the device: the cache cannot be opened without the password.
-
Guess resistance. After repeated wrong passwords the app adds an increasing delay before the next attempt (up to 30 seconds), raising the cost of brute force on top of the slow KDF.
-
Reduced attack surface. A strict Content Security Policy with no
unsafe-inline(inline script and style are pinned by SHA-256 hash) blocks injected code. The app talks only to itself and to the encrypted data file onraw.githubusercontent.com, nothing else. Data is rendered withtextContentonly, neverinnerHTML. There are no accounts, no analytics, and no tracking.
Honest limits. There is no such thing as 100% security. One shared password
means it is only as strong as the least careful holder, and there is no per user
revocation, to lock one person out you change the password, re-encrypt, and
everyone re-enters it. Anyone trusted with the password can still copy the data.
This protects against outsiders and the public, not against an authorised user
who chooses to leak. Keep editor.html private; it holds the signing key.
Open the private editor.html (over http://localhost or in Safari/Firefox;
Chrome blocks crypto on a plain local file). Enter the fleet password.
- Start from the current data: Load .enc, choose
fleet-config.enc; it decrypts into the form. Or edit the pre loaded template. - Edit with the dropdowns. Every field is a controlled dropdown or a text box
with suggestions, which keeps all cards aligned and consistent. The editor is
a responsive two-column form that works on iPhone and iPad as well as desktop.
- Add your own dropdown value: choose
--- New Option ---, type it, and it is remembered on that device for next time. - First Flight uses a date picker; dates are stored and shown as
dd-mm-yyyy. - + Add new Aircraft creates a card with every field set to
—, so you can see exactly what still needs verifying. - Duplicate / Delete per aircraft.
- Add your own dropdown value: choose
- Set updated = today and bump the Data version.
- Encrypt & download .enc (this also signs the data), then commit the new
fleet-config.encto the repo root onmain. Users get it on next launch or by tapping Verify.
Changing the password: encrypt with a new one and tell your users; every device
re-enters it once. Rotating the signing key is rare; if you ever do, update the
SIGN_PUB constant in index.html to match.
Identification: Registration, Model, MSN, First Flight (dd-mm-yyyy), First Owner.
Performance: MLW (T), T/O Tailwind limit (kts), LDG Tailwind limit (kts), Narrow RWY (Approved / Not Approved), SE Taxi w/o APU (Allowed / Not Allowed), Max autoland ALT (ft), Noise Certification (Chapter 14 / Chapter 4 / Other).
Equipment: BRK FAN, Sharklets (Installed / Not Installed), Engines, Cargo heat, Headset Plug, ACARS (Spectralux / Standard), INIT* FLT PL Retrieval (Available / N/A / Partially Available), ADIRU, WX RDR, HF Radio, CPDLC (Installed / N/A).
Remarks: free text.
In the app, yes/no fields display as coloured text: green for the positive value (Installed, Approved, Allowed) and red for the negative.
Some fields show a small i you can tap for a short explanatory note. For example, Engines explains the difference in warm-up and cool-down times between the fitted engine types. Tap the i again, or anywhere else, to close it. Ask the maintainer to add notes to other fields as needed.
Do steps 1 to 3 once; after that the app is an icon on your Home Screen.
- On your phone, open the link in Safari (iPhone) or Chrome (Android):
https://bbjcaptain.github.io/fleet-config/ - Add it to your Home Screen (iPhone: Share → Add to Home Screen; Android: menu → Add to Home screen).
- Open it from the icon, accept the disclaimer, and enter the fleet password your admin gave you. The password is kept for the session only, so you enter it again each time you open the app fresh (and after Lock or 15 minutes idle).
Day to day: the top-right shows an ENCRYPTED badge and a live status dot (hover or tap for detail); the footer shows "Up to date" with the data version, or, offline, the date the data was last updated. Use the aircraft selector to switch airframes, and tap a field's i for a note where present. About explains the app and its security; Verify forces an update check; Feedback emails the maintainer; Disclaimer shows the full notice; the lock icon forgets the password (the encrypted offline copy is kept, so the app still opens without a connection once you re-enter the password). The layout is optimised for iPhone in portrait and adapts to a wider, roomier layout on iPad.
- App version: the software (
index.html), shown on the About page. Bumps by 0.1 on every change. - Data version: the fleet database (
meta.version), bumped by the admin when publishing. Shown in the footer and the disclaimer, with the SHA-256 fingerprint. Dates are shown in dd-mm-yyyy format throughout.
- Signatures are now mandatory. A loaded file with no signature fails closed
and is refused (previously a missing signature silently skipped the check).
Files must be produced by
editor.html, which always signs, so real releases are unaffected. - KDF downgrade protection. The app rejects any envelope that specifies fewer than 600,000 PBKDF2 iterations, and no longer falls back to a weaker default.
- Works offline after Lock. Lock and the 15 minute auto lock now forget only the password; the encrypted (ciphertext-only) offline copy is kept, so the app still opens without a connection — e.g. in flight — once you re-enter the password. Previously the cache was wiped on lock, which left the app unusable offline.
Dark navy palette with a light blue accent and carbon texture, inspired by the Airbus NOVA style: white section headings with a short accent bar, an accent bar under each aircraft registration, a slim textured hero band, chevron footer buttons, and an elegant gradient registration typeface. Designed phone-first for iPhone in portrait, and fully responsive to iPad and desktop.
Because the CSP pins inline script and style by SHA-256 hash, if you edit any
inline <script> or <style> in index.html you must recompute those hashes
and update the Content-Security-Policy meta tag, otherwise the browser will
block the app.
This tool is an unofficial reference and training aid only. Company documentation and Airbus manuals always prevail. See the in app disclaimer.