Security Architecture

Document Version: 1.0.4 • Cryptographic Specifications

HighSubmit Vault is architected from the ground up on the principle of **Zero-Knowledge**. We do not know, store, or transmit your master cryptographic keys. All encryption and decryption operations are computed locally inside the developer's client environment before payload storage.


1. Client-Side Encryption (AES-256-GCM)

All passwords, configuration keys, database URLs, and API tokens are encrypted in the client application (browser or CLI tool) before uploading to HighSubmit servers.

  • Cipher: AES-256-GCM (Advanced Encryption Standard in Galois/Counter Mode). This provides both confidentiality and authenticity verification.
  • Nonce Generation: Every payload encryption uses a unique 96-bit cryptographically secure pseudorandom initialization vector (IV) to prevent replay and ciphertext matching attacks.

2. Argon2id Key Derivation

To generate local master decryption keys from user passwords, HighSubmit utilizes **Argon2id**, the winner of the Password Hashing Competition, configured to guard against hardware brute-forcing.

  • Memory Hardness: High memory configuration bounds to prevent GPU/ASIC acceleration attacks.
  • Zero Transmission: The derived master key never leaves your local runtime memory, and is never transmitted over HTTP/TLS interfaces.

3. Cloud Key Management System (KMS)

HighSubmit utilizes cloud Hardware Security Modules (HSMs) for server-side transport authorization signing.

  • AWS KMS Integration: Employs Envelope Encryption models using AWS KMS keys.
  • Active Access Verification: JIT session scopes verify active identity claims against cloud KMS constraints on every payload fetch transaction.