Reference architecture
Security Architecture
Read this if you want to understand exactly how a DRIVUNO file moves from your screen to encrypted storage — and back — without our servers ever holding a usable key.
The trust boundary
Everything sensitive happens on one side of a clear line: your device. The server holds ciphertext and routing metadata, and nothing else useful to an attacker.
Inside the boundary
Your device only
- • Your password (entered, never transmitted)
- • Argon2id master key derivation
- • Per-file XChaCha20-Poly1305 keys
- • X25519 share key pairs (private half)
- • Recovery Key (you write it down)
Outside the boundary
What the server holds
- • Encrypted file blobs (opaque ciphertext)
- • Sealed key envelopes (encrypted with your public key)
- • Routing metadata: owner ID, parent ID, size
- • Operational logs (no content, audit-only)
- • Account record (email, settings, hashed identifiers)
1 · Upload flow
From file picker to encrypted storage
- 1You unlock your vault. Your password is run through Argon2id on your device to derive a master key. The password and master key never leave the browser tab.
- 2For each file, the browser generates a fresh random 256-bit file key.
- 3The browser encrypts the file with XChaCha20-Poly1305 using that file key. The output is opaque ciphertext plus an authentication tag.
- 4The file key is sealed against your account's public key (X25519 + libsodium sealed box). Only your master key can unwrap it.
- 5The browser uploads the ciphertext, the sealed envelope, and minimal routing metadata. The server stores all three but never holds a usable key.
- 6On download, the browser fetches the ciphertext and the sealed envelope, unwraps the file key locally, verifies the ciphertext SHA-256 hash, and decrypts in memory.
2 · Sharing flow
Zero-knowledge public share links
- 1You generate a share. The browser creates an ephemeral X25519 key pair specifically for this share.
- 2The file key is sealed against the share's public key. The sealed envelope is stored on the server.
- 3The share's private key is base64-encoded and placed in the URL fragment (after #). Browsers never transmit URL fragments to servers.
- 4You copy/paste the link. The recipient opens it; their browser reads the private key from the fragment locally.
- 5The recipient's browser fetches the ciphertext + sealed envelope, unwraps the file key with the fragment-private-key, verifies the hash, and decrypts.
- 6Optional layers (password, expiration, one-time view, watermark) are enforced server-side and within the receiver UI.
3 · Recovery flow
Account recovery without escrow
- 1When you create your vault, your master key is wrapped against multiple factors: your password (always), and any factor you opt in to — Recovery Key, secondary email, SMS.
- 2Each factor produces an independent sealed envelope. The server stores envelopes; it cannot unwrap any of them without the factor itself.
- 3If you lose your password, you provide a recovery factor in the browser. The browser unwraps the master key locally and prompts you to set a new password (which produces a new envelope).
- 4If you lose every factor, the master key is unrecoverable — by design. DRIVUNO has no backdoor.
4 · What the server can and cannot do
The server can
- • Store and serve opaque encrypted blobs
- • Enforce access control via Row-Level Security
- • Log security events (logins, shares, deletions)
- • Rate-limit and detect abusive patterns
- • Apply expiration, one-time access, and password gates on shares
The server cannot
- • Read the contents of your files
- • Read file names (encrypted client-side)
- • Derive your password or master key
- • Decrypt shares (the key lives in the URL fragment)
- • Reset your password into a usable state
Primitives used
- Argon2id — password-based key derivation, tuned per-device.
- XChaCha20-Poly1305 — authenticated encryption of file content.
- X25519 — elliptic-curve key agreement for sealing keys to recipients.
- Ed25519 — signing manifests for shares and protected messages.
- HKDF-SHA-256 — subkey derivation for per-purpose keys.
- SHA-256 — ciphertext integrity hashes (verify-before-decrypt).
- HMAC-SHA-256 — blind-index search tags for mailbox subjects.
Full cryptographic rationale lives in the whitepaper. For what falls outside this architecture, see the threat model.