Security Architecture
Document Version: 1.0.4 • Cryptographic Specifications
HighSubmit Vault is architected from the ground up on the principle of **Zero-Knowledge**. We do not know, store, or transmit your master cryptographic keys. All encryption and decryption operations are computed locally inside the developer's client environment before payload storage.
1. Client-Side Encryption (AES-256-GCM)
All passwords, configuration keys, database URLs, and API tokens are encrypted in the client application (browser or CLI tool) before uploading to HighSubmit servers.
- Cipher: AES-256-GCM (Advanced Encryption Standard in Galois/Counter Mode). This provides both confidentiality and authenticity verification.
- Nonce Generation: Every payload encryption uses a unique 96-bit cryptographically secure pseudorandom initialization vector (IV) to prevent replay and ciphertext matching attacks.
2. Argon2id Key Derivation
To generate local master decryption keys from user passwords, HighSubmit utilizes **Argon2id**, the winner of the Password Hashing Competition, configured to guard against hardware brute-forcing.
- Memory Hardness: High memory configuration bounds to prevent GPU/ASIC acceleration attacks.
- Zero Transmission: The derived master key never leaves your local runtime memory, and is never transmitted over HTTP/TLS interfaces.
3. Cloud Key Management System (KMS)
HighSubmit utilizes cloud Hardware Security Modules (HSMs) for server-side transport authorization signing.
- AWS KMS Integration: Employs Envelope Encryption models using AWS KMS keys.
- Active Access Verification: JIT session scopes verify active identity claims against cloud KMS constraints on every payload fetch transaction.