VaultSync is designed with a Zero-Trust Coordinator architecture:
- Untrusted Coordinator: The coordinator is treated as an untrusted third party. It only sees encrypted document mutations and cannot read the underlying CRDT plaintext.
- End-to-End Encryption (E2EE): All data is encrypted on the client using X25519 for key exchange and ChaCha20Poly1305 for symmetric encryption before leaving the device.
- Nonce Uniqueness: Nonces are counter-based with a unique process prefix, guaranteeing that a nonce is never reused with the same key.
Keys can be rotated at any time by calling VaultSyncClient::rotate_keys().
- A new
NamespaceKeypairversion is generated. - All pending oplog entries in the local database are decrypted with the old key and re-encrypted with the new key version.
- The new key version is persisted to the local storage.
- The client updates the replica public key on the coordinator and re-registers.
- All future mutations use the new key version.
Critical cryptographic modules are located under crates/vaultsync-core/src/e2ee/:
keyring.rs- Public/private key management, derivation of symmetric keys, and zeroization of secret key material on drop using thezeroizecrate.encrypt.rs- Asymmetric encryption using unique counter-based nonces.decrypt.rs- Decryption logic reading nonces directly from payload.
- TOFU (Trust On First Use): Pinning of replica public keys is currently not enforced, which is scheduled for future SDK enhancements.
- Metadata Leakage: While document contents are fully encrypted, the coordinator can see metadata fields (e.g., document ID, record ID, and replica ID).