> CIPHERBOX

Privacy-first encrypted cloud storage
with decentralized persistence

Client-side encryption. Zero-knowledge server. Your keys, your data.

Launch App View on GitHub

Encryption Flow

Every file is encrypted client-side before leaving your device. Each file gets a unique random key.

01 Generate unique fileKey (32 bytes) + IV (12 bytes) per file

02 AES-256-GCM encrypt with authentication tag for tamper detection

03 ECIES-wrap the fileKey with your secp256k1 public key

04 Upload encrypted blob to IPFS, publish signed IPNS record

Decryption Flow

All decryption happens in your browser. Streaming media uses AES-256-CTR for seekable playback without downloading the entire file.

01 Resolve IPNS name to latest IPFS CID via signed Ed25519 record

02 ECIES-unwrap the fileKey using your private key (RAM only)

03 AES-256-GCM decrypt and verify authentication tag integrity

04 // streaming AES-256-CTR enables random-access byte range decryption

Key Hierarchy

Keys are either randomly generated or deterministically derived via HKDF-SHA256. Compromising one file key reveals nothing about other files.

Interactive Vault Explorer

Explore how CipherBox encrypts data layer by layer. Click through IPNS names, fetch encrypted blobs, and decrypt each layer to reveal the plaintext underneath.

Security Features

🛡

Zero-Knowledge Server

The server never sees plaintext data, file names, folder structure, timestamps, or encryption keys. It operates purely as an encrypted relay.

🔒

Hardware TEE Republishing

IPNS records refreshed every 6 hours via Phala Cloud hardware enclaves. Keys decrypted only inside TEE, then immediately zeroed.

🔑

MPC Authentication

Web3Auth distributes key shares across network nodes. No single party ever holds the complete private key. Device factor + recovery phrase.

📱

Multi-Device Sync

Sequence-number based conflict resolution with ~30 second polling. Same keypair derived on every device via Web3Auth.

💾

Self-Sovereign Recovery

BIP39 recovery phrase + vault export. Recover your entire vault independently using only your private key and any IPFS gateway.

🧅

Layered Encryption

Per-file random AES keys, ECIES key wrapping, per-folder keys, authentication tags. Multiple layers must be broken to access any file.

Privacy Model

With full access to IPFS and the CipherBox server but without your private key:

🔒 Server Never Sees

x File contents
x File names
x Folder names
x Folder structure
x Timestamps (creation, modification)
x Encryption keys
x IPNS private keys
x Plaintext file sizes
x File-to-folder relationships

👁 What Is Visible

> IPFS CIDs (content-addressed hashes)
> IPNS names (public identifiers)
> Encrypted blob sizes
> Encryption IVs (not secret)
> User public key (secp256k1)
> Device IDs and approval status
> IPNS update frequency (usage patterns)

Tech Stack

Frontend // React 18 + TypeScript + Vite

Backend // Node.js + NestJS + TypeScript

Database // PostgreSQL 16

Job Queue // BullMQ + Redis

Auth // Web3Auth MPC Core Kit

Storage // IPFS via Kubo

Desktop // Tauri v2 + FUSE / WinFsp

TEE // Phala Cloud CVM

Crypto // Web Crypto API + eciesjs

Monitoring // Grafana Faro + Prometheus

Recent Releases

v0.37.0 2026-04-06

+ IPNS signature storage and verification

* Fix sequence number mismatch in cached IPNS resolves
* Align file upload IPNS sequence and verify file pointers

v0.36.0 2026-04-01

+ Expose API version on /health endpoint

* Replace emoji sidebar icons with consistent inline SVGs

v0.35.0 2026-03-31

+ Desktop vault settings integration
+ User-configurable vault parameters

v0.34.0 2026-03-30

+ Parallel batch upload pipeline with Web Worker encryption

v0.32.0 2026-03-30

+ Code hygiene and structured logging
+ Infrastructure hardening
+ Web app observability (Grafana Faro)
+ AES-256-CTR streaming media encryption
+ TEE worker migration to Phala Cloud CVM

View Full Changelog