What is Zero-Knowledge encryption?

Zero-knowledge encryption guarantees your data is encrypted directly inside your local browser's memory before any network transmission occurs. You hold the unique key locally; StealthRelay servers never see, store, or possess the capability to decrypt your secure payloads.

How does local metadata bleaching protect shared files?

When files or photos are selected for secure sharing, our client-side software redrafts canvas details in active memory to permanently sanitize embedded EXIF GPS tags, camera models, and identifying parameters before the cryptographic seal is finalized.

StealthRelay | Zero-Trust Ephemeral Sharing & Encrypted Email Relay

INTRODUCTION: THE FRAGILITY OF CENTRALIZED LOCKERS

The modern cloud storage industry has sold users a dangerous illusion of security. They offer "encrypted vaults" and "secure folders" that claim to guard your most sensitive personal and corporate files. However, when you look closely at their system architecture, a glaring flaw is revealed: centralization. Almost all major cloud providers—such as Google Drive, Microsoft OneDrive, and Dropbox—hold the master cryptographic keys to the vaults they maintain.

This centralized structure means that your data is never truly yours. Because the provider holds the keys, they can decrypt your files at any moment without your knowledge or consent. This presents an enormous breach vector. If a government agency serves the provider with a secret subpoena or national security letter, the provider can be legally compelled to decrypt and hand over your private files. Furthermore, if a corrupt employee, a rogue insider, or an external hacker gains administrative access to the cloud infrastructure, your encrypted files can be decrypted and stolen.

In a zero-trust world, this is completely unacceptable. Storage must be transient by mandate and immutable by mechanism. To achieve absolute digital immunity, we must build a system where the physical cloud provider has zero knowledge of the keys, zero ability to access the contents, and zero capability to reconstruct a file even if their entire database is compromised. We must establish the first truly Immutable Vault.

THE ZERO-KNOWLEDGE CRYPTOGRAPHIC MATRIX

The foundation of the Stealth Vault is client-side, zero-knowledge encryption. "Zero-knowledge" is not just a marketing term; it is a rigid, mathematical architecture where the server has absolutely zero visibility into the cryptographic parameters used to seal the data.

When you select a file to store in your Stealth Vault, the following cryptographic matrix is executed locally on your device using the browser's Web Crypto API:

1. **High-Entropy Key Derivation**: If you protect your vault with a custom password, our engine uses the PBKDF2 (Password-Based Key Derivation Function 2) standard combined with a unique, high-entropy salt and 100,000 hashing iterations of SHA-256 to derive a 256-bit AES master key.

2. **Galois/Counter Mode (AES-GCM)**: The derived key is used to encrypt the file bytes using AES-GCM. This standard is selected because it provides both high-speed encryption and authenticated integrity checks (AEAD). The encryption process generates a 12-byte initialization vector (IV) and a 16-byte authentication tag alongside the ciphertext.

3. **Ephemeral Key Shredding**: If you choose not to use a custom password, the system generates a random, cryptographically secure 256-bit key. This key is embedded in the URL anchor fragment (`#key=...`). Since browsers never transmit the anchor fragment to the server during HTTP requests, the key remains entirely local to your device's memory.

Because this entire process happens in your local RAM, the only data that travels across the network is the raw, encrypted ciphertext, the IV, and the authentication tag. The server never sees your raw file, your password, or your decryption keys.

THE PARADIGM OF FRAGMENTED STORAGE

Even with robust client-side encryption, uploading a monolithic encrypted file to a single centralized server creates a risk of denial-of-service, tracking, and localized physical seizure. To mitigate this risk, StealthVault leverages a decentralized paradigm known as Fragmented Storage.

When your encrypted file reaches our edge network, it is not written to a single hard drive or database. Instead, the ingest server executes a localized chunk fragmentation protocol:

1. **File Splitting**: The encrypted payload is split into multiple independent, high-entropy data chunks.

2. **Cryptographic Sharding**: The chunks are distributed across geographically isolated storage locations (Cloudflare R2 buckets situated in distinct international jurisdictions).

3. **Decoupled Ledgers**: The mapping registry that tracks which chunks belong to which file is stored in a separate, encrypted SQLite (D1) database ledger. The database records do not contain filenames, folder structures, or file sizes in plaintext. They only contain non-linked, salt-derived hashes.

An adversary attempting to intercept your data by breaching a single data center would find only useless, fragmented chunks of encrypted bytes. They would have no way of knowing what file those chunks belonged to, how to reconstruct them, or how to decrypt them. To reconstitute the file, an attacker would need to simultaneously compromise multiple independent international storage buckets, breach the decoupled ledger, and somehow acquire your local, client-side decryption key. This makes physical seizure and unauthorized access practically impossible.

THE THREAT MODELING AND FORENSIC COUNTERMEASURES

To maintain the immutability of the vault, we continually perform rigorous threat modeling and apply advanced forensic countermeasures to defeat potential attack vectors.

- **Defeating Insider Threats**: Because the cryptographic keys are derived and maintained strictly on the client side, no rogue employee or system administrator at StealthRelay can access your files. Even if they had direct, physical root access to our servers and databases, all they would see is unreadable ciphertext chunks.

- **Blocking Key-Logger Attacks**: We implement strict Content Security Policies (CSP) that prevent external scripts, extensions, or trackers from running on the vault interface, shielding your passwords from browser-level key-loggers.

- **Mitigating Traffic Analysis**: To prevent external observers from guessing what type of files you are storing based on upload sizes, the uploader automatically appends random noise padding to the ciphertext, standardizing the network packet footprint.

- **Enforcing Token Rotation**: All temporary access sessions to our D1 ledger require short-lived, cryptographically signed tokens that expire and rotate automatically every 15 minutes, neutralizing the risk of session hijacking.

CONCLUSION: SECURING YOUR IMMUNITY

Your files represent your thoughts, your business, and your life. Entrusting them to a centralized cloud provider is an unacceptable compromise of your basic privacy. StealthRelay's Immutable Vault combines mathematically unbreakable zero-knowledge client-side encryption with decentralized storage fragmentation to create a digital sanctuary that is completely impervious to external hackers, state-sponsored actors, and cloud platform compromises. Reclaim your digital immunity, sever the links of surveillance, and establish your vault today.

Establishing the First Immutable Vault