Encryption

At-rest column encryption, user-bound encryption networks, and threshold decryption.

Concepts

  • Encryption Overview — How at-rest encryption, encryption networks, and threshold decryption fit together.
  • At-Rest Encryption — AES-256-GCM column encryption (0x01||nonce||ct) with legacy-plaintext passthrough.
  • Encryption Networks — X25519 envelopes; client encrypts locally; node unwraps/rewraps via LocalOneOfOneBackend (n=1,t=1).
  • User-Bound Decryption — Decrypt as a capability-gated native invocation against node + networkId; node never sees plaintext.
  • Threshold Decryption — Delegatable ferveo-based threshold decryption; KeyBackendKind::Threshold slot reserved, not implemented in v1.