PhotonFile Logo

PhotonFile

Public technical security overview

Photon Vault Technical Security Overview

Photon Vault is designed around client-controlled key material, encrypted server-side blobs, and authorized client-side decryption. This page summarizes the public security properties and cryptographic design goals behind the system.

Read the overview Relay technology

Security model

Encryption occurs before protected file data leaves the client. PhotonFile infrastructure stores encrypted blobs and operational metadata, but is not intended to possess the keys required to decrypt vault contents.

Layered cryptography

Vault-level key material protects access boundaries, while each file uses its own encryption key and file data is encrypted in chunks with authenticated encryption.

Post-quantum-ready posture

Public-key-based access flows use ML-KEM-768 for post-quantum-ready key establishment, while file confidentiality remains protected by high-performance symmetric authenticated encryption.

Core design principles

Cryptographic approach

Photon Vault uses a layered encryption model. User credentials unlock user-held encryption material, vault-level key material protects access to vault contents, and individual files use their own encryption keys.

File data is encrypted client-side in chunks using authenticated encryption. This supports efficient handling of large files, parallel upload and download behavior, object-storage compatibility, and integrity-checked decryption at the chunk level.

The structure is intended to support efficient rewrapping and collaboration without requiring full re-encryption of all stored files during common key-management operations.

Key hierarchy and isolation

  • User-level protection for locally controlled access
  • Vault-level protection for membership and access boundaries
  • Per-file encryption keys for individual object isolation
  • Scoped rewrapping for shares and secure inbound uploads

Password or account-level changes do not require re-encrypting all file data, compromise of one file key does not expose unrelated files, and collaborative access can be delegated through wrapped key material.

Vaults as security boundaries

A vault is the primary security boundary in Photon Vault. Anyone granted access to a vault is trusted within that vault's encryption domain. When stronger isolation is required, separate vaults can be created instead of building complex internal cryptographic hierarchies.

This makes it straightforward to separate work by team, project, client, organization, or sensitivity level.

Team access model

Authorized team members receive the cryptographic material needed to access the vault through protected client-side key handling. The server facilitates coordination and storage, but plaintext access is intended to remain limited to authorized clients.

Scoped sharing

Share access is limited to the specific target resource. File encryption keys are re-wrapped specifically for the share context rather than exposing broader vault-level access.

Secure Inbox

External senders can upload without normal vault access. Uploaded files are encrypted client-side before upload, and vault members can later access them through authorized clients. In the post-quantum-ready architecture, Secure Inbox access material is built around ML-KEM-768-based asymmetric protection.

Metadata visibility

Photon Vault is designed so PhotonFile does not have access to plaintext vault contents. Limited operational metadata is still required to operate the system, including account and service identifiers, vault and object identifiers, file sizes, transfer activity, and share-link or upload events.

That metadata supports routing, storage, access control, and service reliability, while encrypted payload contents remain protected from the service operator.

Design goals