Medical records are among the most sensitive data a person can possess. In a world of frequent data breaches and cloud surveillance, storing these documents requires a standard that goes beyond simply saying "encrypted." For MedVault, we implemented a zero-knowledge encryption architecture, ensuring that your data remains unreadable even to us.
The Principle of Zero-Knowledge
In this context, zero-knowledge means that the service provider (Locikit) holds none of the key material needed to decrypt your data. (This is the storage-industry usage of the term; it is unrelated to zero-knowledge proofs in cryptography.) Unlike traditional cloud storage, where the provider manages the keys "on your behalf," MedVault derives the keys on your device, and neither your master password nor the key derived from it is ever transmitted to our servers.
Key Derivation with Argon2id
The foundation of our security is how your master password is turned into a cryptographic key. We use Argon2id, the hybrid variant of Argon2, which won the 2015 Password Hashing Competition and is the construction recommended in RFC 9106. Argon2id is memory-hard: each password guess costs a large, configurable amount of RAM as well as CPU time, which is what blunts GPU- and ASIC-accelerated brute force, and we run it with high memory and iteration parameters. The derivation also takes a random per-vault salt, stored alongside the encrypted data; the salt is not secret, but it ensures that the same password never produces the same key twice and defeats precomputed tables.
AES-256-GCM: The Gold Standard
Once the root key is derived, documents are encrypted with AES-256 in Galois/Counter Mode (GCM). GCM is an authenticated encryption mode: it provides confidentiality and, through a 128-bit authentication tag computed over the ciphertext (and any associated metadata such as a file identifier), integrity. If even a single bit of an encrypted file is altered, the tag check fails, decryption stops before any plaintext is released, and you are alerted to the integrity breach.
Per-File Nonces
Every document in MedVault is encrypted under a unique nonce ("number used once") drawn from a cryptographically secure random source. Under a fixed key, GCM turns the nonce into a keystream, so encrypting two identical files with the same nonce would produce identical ciphertexts and let an observer learn that they match. Nonce uniqueness matters for more than this "pattern analysis": reusing a nonce under the same key with different plaintexts leaks the XOR of the two plaintexts and can expose GCM's authentication key, so a fresh nonce per file is a hard requirement of the mode, not just a privacy nicety.
Secure Sharing via E2EE
When you choose to share a medical report with a doctor, MedVault uses an end-to-end encryption protocol inspired by the Double Ratchet. Each share begins with ephemeral X25519 public/private key pairs generated on the two devices; the shared secret they agree on establishes a channel in which the document travels from your device to the doctor's without ever being readable in transit, by our servers included.
- Local-Only Keys: Your master key never leaves your device's Secure Enclave.
- Zero-Knowledge Backup: Encrypted backups are stored as opaque blobs; we cannot "reset" your password or recover your data if you lose your key.
- Open Cryptography: We rely exclusively on audited, open-source cryptographic libraries (like libsodium and Tink).
Technical Sovereignty
MedVault isn't just a vault; it's a statement. By putting the power of high-grade cryptography into the hands of individual users, we are reclaiming medical privacy from the bureaucratic cloud. Your health, your data, your keys.