Security & Encryption - Fula API Documentation

Security Overview

Fula implements a Trust-No-One (TNO) security model where all encryption happens client-side. Storage nodes and the gateway never see your plaintext data or encryption keys.

🔐

Client-Side Encryption

All encryption/decryption happens on your device before data leaves

🔑

User-Held Keys

Only you possess the private keys needed to decrypt your data

✅

Verified Integrity

Cryptographic proofs detect any tampering, even from malicious nodes

🔄

Forward Secrecy

Ephemeral keys ensure past communications remain secure

Cryptographic Primitives Stack

Layer	Algorithm	Purpose	Security Level
🛡️ Quantum-Safe KEM	X25519 + ML-KEM-768	Hybrid key encapsulation (classical + post-quantum)	NIST Level 3 + 128-bit classical
Key Exchange	X25519	Classical Elliptic Curve Diffie-Hellman	128-bit classical
Post-Quantum KEM	ML-KEM-768 (Kyber)	NIST FIPS 203 lattice-based KEM	192-bit post-quantum (NIST Level 3)
Key Derivation	HKDF-SHA256	Combine X25519 + ML-KEM shared secrets	256-bit output
Symmetric Encryption	AES-256-GCM	Authenticated encryption of data	256-bit (quantum-resistant)
Alternative Cipher	ChaCha20-Poly1305	Authenticated encryption (software-optimized)	256-bit (quantum-resistant)
Hashing	BLAKE3	Content addressing, integrity verification	256-bit (quantum-resistant)
Streaming Verification	Bao	Incremental integrity verification	Merkle tree based

🛡️ Post-Quantum Security: The hybrid X25519 + ML-KEM-768 approach provides defense-in-depth. If quantum computers break X25519, ML-KEM-768 still protects your data. If ML-KEM has unforeseen weaknesses, X25519 provides classical security. ML-KEM-768 is NIST FIPS 203 standardized (formerly Kyber768).

Trust Model

🟢 Trusted Zone (Your Device)

Private Keys Never leave your device

Plaintext Data Only exists here

Encryption/Decryption Performed locally

Encrypted Data Only →

🔴 Untrusted Zone (Network)

Fula Gateway Sees only ciphertext

IPFS Nodes Store encrypted blocks

Network Transport All data is encrypted

Security Assumptions

Your device is secure - If compromised, keys can be extracted
Cryptographic primitives are secure - X25519, AES-256-GCM, BLAKE3 are industry-standard
Random number generator is secure - Using OS-provided CSPRNG (OsRng)

API Authentication

Fula supports both Bearer tokens and AWS Signature V4, enabling full S3 SDK compatibility.

Authentication Methods

🔑 Bearer Token (Simple)

For HTTP clients, REST APIs, and custom integrations.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

📦 AWS Signature V4 (S3 Compatible)

For boto3, AWS CLI, aws-sdk-js, and all S3 tools.

Authorization: AWS4-HMAC-SHA256 
  Credential=JWT:eyJhbGci.../20231207/us-east-1/s3/aws4_request,
  SignedHeaders=host;x-amz-date,
  Signature=abc123...

AWS Sig V4 with JWT

Embed your JWT token in the AWS access key with a JWT: prefix. This enables full compatibility with standard S3 clients while maintaining JWT-based authentication.

# Python (boto3)
import boto3

s3 = boto3.client('s3',
    endpoint_url='https://gateway.example.com',
    aws_access_key_id=f'JWT:{jwt_token}',  # JWT embedded here
    aws_secret_access_key='not-used',       # Not validated
    region_name='us-east-1'
)

s3.put_object(Bucket='my-bucket', Key='file.txt', Body=b'Hello!')

# AWS CLI (~/.aws/credentials)
[fula]
aws_access_key_id = JWT:eyJhbGciOiJIUzI1NiIs...
aws_secret_access_key = not-used

# Usage:
aws s3 cp file.txt s3://my-bucket/ --endpoint-url https://gateway.example.com --profile fula

// JavaScript (AWS SDK v3)
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

const s3 = new S3Client({
  endpoint: "https://gateway.example.com",
  region: "us-east-1",
  forcePathStyle: true,
  credentials: {
    accessKeyId: `JWT:${jwtToken}`,
    secretAccessKey: "not-used"
  }
});

await s3.send(new PutObjectCommand({ Bucket: "my-bucket", Key: "file.txt", Body: "Hello!" }));

Security Properties

JWT Validation: Full signature, expiry, and claims validation
Replay Protection: x-amz-date must be within 15 minutes
Scope Enforcement: JWT scopes control read/write/delete permissions
S3 Compatibility: Works with boto3, AWS CLI, aws-sdk-js, and all S3 tools

Encryption Flow

Complete data flow from plaintext to encrypted storage and back.

📤 Upload (Encryption) Flow

1 Generate DEK

A fresh 256-bit Data Encryption Key (DEK) is generated using CSPRNG for each object.

DEK = random_bytes(32)  // 256 bits from OsRng

2 Encrypt Data with DEK

Plaintext is encrypted using AES-256-GCM with a random 96-bit nonce.

nonce = random_bytes(12)  // 96 bits
ciphertext = AES-256-GCM.encrypt(DEK, nonce, plaintext)
// ciphertext includes 128-bit authentication tag

3 Wrap DEK with HPKE

The DEK is encrypted using HPKE for the owner's public key.

ephemeral_secret = X25519.generate()
ephemeral_public = X25519.public_key(ephemeral_secret)
shared_secret = X25519.dh(ephemeral_secret, recipient_public)
wrap_key = BLAKE3.derive_key("fula-hpke-v1", shared_secret)
wrapped_DEK = AES-256-GCM.encrypt(wrap_key, nonce2, DEK)

4 Store with Metadata

Ciphertext is uploaded with encryption metadata (nonce, wrapped DEK, ephemeral public key).

metadata = {
  "x-fula-encrypted": "true",
  "x-fula-encryption": {
    "version": 1,
    "algorithm": "AES-256-GCM",
    "nonce": base64(nonce),
    "wrapped_key": {
      "ephemeral_public": base64(ephemeral_public),
      "ciphertext": base64(wrapped_DEK)
    }
  }
}

📥 Download (Decryption) Flow

1 Fetch Encrypted Data

Retrieve ciphertext and encryption metadata from the gateway.

2 Unwrap DEK

Use your secret key to derive shared secret and decrypt the DEK.

shared_secret = X25519.dh(your_secret_key, ephemeral_public)
wrap_key = BLAKE3.derive_key("fula-hpke-v1", shared_secret)
DEK = AES-256-GCM.decrypt(wrap_key, nonce2, wrapped_DEK)

3 Decrypt Data

Use the recovered DEK to decrypt the ciphertext.

plaintext = AES-256-GCM.decrypt(DEK, nonce, ciphertext)
// Authentication tag verified automatically

Key Architecture (KEK/DEK)

Fula uses a two-tier key hierarchy for efficient and secure encryption.

🔑 KEK (Key Encryption Key)

Type: X25519 Key Pair (Asymmetric)

Size: 256-bit (32 bytes)

Lifetime: Long-lived (until rotation)

Purpose: Encrypt/wrap DEKs, enable sharing

Secret Key Kept private, never transmitted

Public Key Shared freely for receiving encrypted data

Wraps ↓

🗝️ DEK (Data Encryption Key)

Type: AES-256 Key (Symmetric)

Size: 256-bit (32 bytes)

Lifetime: Per-object (unique for each file)

Purpose: Encrypt actual file content

Encrypts ↓

📄 Your Data

Files, photos, documents, any content you store

Benefits of KEK/DEK Architecture

🔄 Efficient Key Rotation

Rotate KEK without re-encrypting all data - just re-wrap existing DEKs

🤝 Secure Sharing

Share access by wrapping DEK with recipient's public key

⚡ Performance

Symmetric DEKs are fast; asymmetric KEK only used for small DEKs

🔒 Key Isolation

Compromise of one DEK doesn't affect other files

HPKE Implementation

Hybrid Public Key Encryption following RFC 9180 for secure key encapsulation.

HPKE Configuration

KEM (Key Encapsulation)	DHKEM(X25519, HKDF-SHA256)
KDF (Key Derivation)	BLAKE3 with context "fula-hpke-v1"
AEAD (Encryption)	AES-256-GCM (default) or ChaCha20-Poly1305

HPKE Encryption Process

┌─────────────────────────────────────────────────────────────────────┐
│                         SENDER (Encryptor)                          │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────┐         ┌──────────────────────────────────────┐  │
│  │ Ephemeral   │         │        Recipient's Public Key         │  │
│  │ Secret Key  │         │         (known to sender)             │  │
│  │ (random)    │         └──────────────────────────────────────┘  │
│  └──────┬──────┘                          │                        │
│         │                                 │                        │
│         ▼                                 ▼                        │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │              X25519 Diffie-Hellman Key Exchange               │  │
│  │     shared_secret = DH(ephemeral_secret, recipient_public)    │  │
│  └──────────────────────────────┬───────────────────────────────┘  │
│                                 │                                   │
│                                 ▼                                   │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │               BLAKE3 Key Derivation Function                  │  │
│  │        encryption_key = derive_key("fula-hpke-v1",            │  │
│  │                                    shared_secret)             │  │
│  └──────────────────────────────┬───────────────────────────────┘  │
│                                 │                                   │
│                                 ▼                                   │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │                  AES-256-GCM Encryption                       │  │
│  │        ciphertext = encrypt(encryption_key, nonce, DEK)       │  │
│  └──────────────────────────────────────────────────────────────┘  │
│                                                                     │
│  OUTPUT: { ephemeral_public_key, nonce, ciphertext }               │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                       RECIPIENT (Decryptor)                         │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────┐         ┌──────────────────────────────────────┐  │
│  │ Recipient's │         │       Ephemeral Public Key            │  │
│  │ Secret Key  │         │       (from ciphertext)               │  │
│  │ (private)   │         └──────────────────────────────────────┘  │
│  └──────┬──────┘                          │                        │
│         │                                 │                        │
│         ▼                                 ▼                        │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │              X25519 Diffie-Hellman Key Exchange               │  │
│  │     shared_secret = DH(recipient_secret, ephemeral_public)    │  │
│  └──────────────────────────────┬───────────────────────────────┘  │
│                                 │                                   │
│                                 ▼                                   │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │           Same shared_secret → Same encryption_key            │  │
│  └──────────────────────────────┬───────────────────────────────┘  │
│                                 │                                   │
│                                 ▼                                   │
│  ┌──────────────────────────────────────────────────────────────┐  │
│  │                  AES-256-GCM Decryption                       │  │
│  │            DEK = decrypt(encryption_key, nonce,               │  │
│  │                         ciphertext)                           │  │
│  └──────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────┘

Security Properties

✅

Forward Secrecy

Each encryption uses a fresh ephemeral key pair. Compromise of long-term keys doesn't decrypt past messages.

✅

Recipient Authentication

Only the holder of the recipient's secret key can derive the shared secret and decrypt.

✅

Ciphertext Integrity

AES-GCM provides authenticated encryption - any tampering is detected.

Symmetric Encryption (AEAD)

Authenticated Encryption with Associated Data for file content.

Supported Ciphers

Default

AES-256-GCM

Key Size: 256 bits (32 bytes)
Nonce Size: 96 bits (12 bytes)
Tag Size: 128 bits (16 bytes)
Best For: Hardware with AES-NI support

Alternative

ChaCha20-Poly1305

Key Size: 256 bits (32 bytes)
Nonce Size: 96 bits (12 bytes)
Tag Size: 128 bits (16 bytes)
Best For: Software-only implementations

Ciphertext Structure

Ciphertext Encrypted plaintext (same length as input)

Auth Tag 16 bytes

output_length = plaintext_length + 16 bytes (tag)

Nonce Generation

⚠️ Critical: Nonces must NEVER be reused with the same key.

Fula's Strategy: Random Nonces

96-bit nonces generated from CSPRNG (OsRng)
Collision probability: ~2^-48 after 2⁴⁸ encryptions
Each file gets a unique DEK, so nonce space is per-DEK
Safe for virtually unlimited encryptions per file

Data Integrity Verification

Cryptographic guarantees that your data hasn't been tampered with.

Multi-Layer Integrity

1

AEAD Authentication Tag

Every encrypted block includes a 128-bit authentication tag that verifies both ciphertext integrity and the encryption key used.

✅ Detects: bit flips, truncation, appending

2

Content Addressing (CID)

Every block stored in IPFS has a CID derived from its BLAKE3 hash. Retrieving by CID guarantees content matches.

✅ Detects: storage corruption, node manipulation

3

Bao Streaming Verification

For large files, Bao provides Merkle tree-based verification allowing you to verify chunks before downloading the entire file.

✅ Detects: partial corruption in large files

BLAKE3 Hashing

⚡ Speed

Faster than MD5, SHA-1, SHA-256, SHA-3 on modern CPUs

🔒 Security

256-bit security level, resistant to length extension

🔀 Parallelizable

Scales with CPU cores for large data

🔑 KDF Mode

Built-in key derivation with context separation

Bao Verified Streaming

                        Root Hash (32 bytes)
                              │
              ┌───────────────┴───────────────┐
              │                               │
         Hash(L||R)                       Hash(L||R)
              │                               │
       ┌──────┴──────┐                 ┌──────┴──────┐
       │             │                 │             │
    Hash(L||R)   Hash(L||R)        Hash(L||R)   Hash(L||R)
       │             │                 │             │
    ┌──┴──┐       ┌──┴──┐          ┌──┴──┐       ┌──┴──┐
    │     │       │     │          │     │       │     │
  Chunk Chunk   Chunk Chunk      Chunk Chunk   Chunk Chunk
    1     2       3     4          5     6       7     8

  • Verify any chunk with O(log n) proof from root
  • Detect corruption before downloading entire file
  • Stream large files with incremental verification

Key Management

How Fula handles key generation, storage, rotation, and recovery.

Key Generation

Random Source	OsRng (Operating System CSPRNG)
KEK Generation	32 random bytes → X25519 secret key
DEK Generation	32 random bytes → AES-256 key
Nonce Generation	12 random bytes per encryption

Key Rotation

1

Generate New KEK

Create a fresh X25519 key pair

2

Re-wrap DEKs

Decrypt each DEK with old KEK, re-encrypt with new KEK

3

Update Metadata

Store new wrapped DEKs, increment version counter

4

Secure Delete Old KEK

Zeroize old secret key from memory

Note: Data does NOT need to be re-encrypted - only the DEK wrappers change.

Key Backup & Recovery

⚠️

Critical: If you lose your secret key, your data is UNRECOVERABLE.

Fula uses true end-to-end encryption. There are no backdoors, no "forgot password" recovery, no master keys.

Recommended Backup Strategies

Export as Base64: secret_key.to_base64() → store in password manager
Hardware Security Module: Store key in HSM or secure enclave
Paper Backup: Print Base64 key, store in secure physical location
Split Key: Use Shamir's Secret Sharing for distributed backup

Memory Security

All key types implement Zeroize and ZeroizeOnDrop:

Keys are automatically zeroed when dropped from memory
Prevents keys from lingering in memory after use
Protects against memory dump attacks

// From fula-crypto/src/keys.rs
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
pub struct SecretKey {
    bytes: [u8; 32],
}
// When SecretKey is dropped, bytes are overwritten with zeros

Secure File & Folder Sharing

Share files and folders with others without exposing your master key.

How Sharing Works

Fula enables secure sharing through DEK-level access grants. When you share a file or folder, you encrypt only the relevant DEK for the recipient's public key - your master key (KEK) is never revealed.

┌─────────────────────────────────────────────────────────────────┐
│                    SHARE TOKEN CREATION                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Owner has:                    Recipient has:                    │
│  ┌──────────────┐              ┌──────────────┐                 │
│  │ KEK (secret) │              │ KEK (secret) │                 │
│  │ File DEK     │              │ Public Key   │                 │
│  └──────────────┘              └──────────────┘                 │
│         │                              │                         │
│         │ Owner encrypts DEK           │                         │
│         │ for recipient's public key   │                         │
│         ▼                              │                         │
│  ┌─────────────────────────────────────┴──────────────────────┐ │
│  │                    SHARE TOKEN                              │ │
│  │  • wrapped_dek: HPKE.encrypt(recipient_pub, file_DEK)      │ │
│  │  • path_scope: "/photos/vacation/"                         │ │
│  │  • expires_at: 1735084800 (optional)                       │ │
│  │  • permissions: { read: true, write: false }               │ │
│  └────────────────────────────────────────────────────────────┘ │
│                              │                                   │
│                              ▼                                   │
│  Recipient decrypts wrapped_dek using their secret key          │
│  → Gets access to file_DEK only, NOT owner's KEK                │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Complete Sharing Example: Alice Shares Photos with Bob

This end-to-end example shows how sharing works in Fula, from key setup through content access:

use fula_crypto::{
    // Key management
    KekKeyPair, DekKey, KeyManager,
    // Sharing primitives
    ShareBuilder, ShareRecipient, SharePermissions, ShareMode, SnapshotBinding,
    // Inbox for async/offline sharing
    ShareEnvelopeBuilder, ShareInbox,
    // Secret links
    SecretLinkBuilder, SecretLink,
};

// ══════════════════════════════════════════════════════════════════════════════
// SETUP: Alice and Bob each have their own key pairs
// ══════════════════════════════════════════════════════════════════════════════

// Alice (owner) creates her identity
let alice_keypair = KekKeyPair::generate();
let alice_public_key = alice_keypair.public_key().clone();

// Bob (recipient) creates his identity
let bob_keypair = KekKeyPair::generate();
let bob_public_key = bob_keypair.public_key().clone();

// Alice has encrypted files with a DEK for her /photos/ folder
let photos_dek = DekKey::generate();

// ══════════════════════════════════════════════════════════════════════════════
// OPTION 1: Direct Share (synchronous - both online)
// ══════════════════════════════════════════════════════════════════════════════

// Alice creates a share token for Bob
let share_token = ShareBuilder::new(
    &alice_keypair,           // Alice's keypair (for future signing)
    &bob_public_key,          // Bob's public key (DEK encrypted for him)
    &photos_dek,              // The DEK that decrypts the files
)
    .path_scope("/photos/vacation/")  // Bob can only access this folder
    .expires_in(7 * 24 * 3600)        // Expires in 1 week
    .read_only()                       // Bob cannot modify files
    .build()?;

// Alice sends share_token to Bob (via any channel - encrypted for Bob only)
// The token contains: wrapped DEK, path scope, expiry, permissions

// Bob receives and accepts the share
let bob_handler = ShareRecipient::new(&bob_keypair);
let access = bob_handler.accept_share(&share_token)?;

// Bob can now decrypt files in /photos/vacation/
assert!(access.is_path_allowed("/photos/vacation/beach.jpg"));  // ✓ allowed
assert!(!access.is_path_allowed("/photos/family/"));             // ✗ denied
assert!(access.can_read);                                        // ✓ read access
assert!(!access.can_write);                                      // ✗ no write

// Bob uses access.dek to decrypt file content:
// let plaintext = aead.decrypt(&nonce, &ciphertext)?;

// ══════════════════════════════════════════════════════════════════════════════
// OPTION 2: Secret Link (shareable URL with key in fragment)
// ══════════════════════════════════════════════════════════════════════════════

// Alice creates a secret link she can send via email/chat
let secret_link = SecretLinkBuilder::new(&share_token, "https://gateway.functionland.io")
    .label("Hawaii Trip 2024")
    .build()?;

let url = secret_link.to_url()?;
// => "https://gateway.functionland.io/fula/share/abc123#eyJ2ZXJzaW9uIjoxLC..."
//    Server sees: /fula/share/abc123 (opaque ID)
//    Client sees: #... fragment with encrypted token

// Bob opens the link in his browser/app
let parsed_link = SecretLink::parse(&url)?;
let extracted_token = parsed_link.extract_token();

// Bob accepts and uses it as above
let access = bob_handler.accept_share(&extracted_token)?;

// ══════════════════════════════════════════════════════════════════════════════
// OPTION 3: Async Inbox (offline sharing - Bob picks up later)
// ══════════════════════════════════════════════════════════════════════════════

// Alice creates a share envelope with rich metadata
let (envelope, inbox_entry) = ShareEnvelopeBuilder::new(
    &alice_keypair,
    &bob_public_key,
    &photos_dek,
)
    .path_scope("/photos/vacation/")
    .expires_in(7 * 24 * 3600)
    .read_only()
    .label("Hawaii Trip 2024")                    // Human-readable label
    .message("Hey Bob, check out these pics!")    // Personal message
    .sharer_name("Alice")                         // Sharer display name
    .metadata("album", "vacation-2024")           // Custom metadata
    .build()?;

// Alice stores the inbox entry for Bob (via PrivateForest)
let inbox_path = ShareInbox::entry_storage_path(&bob_public_key, &inbox_entry.id);
// => "/.fula/inbox/<bob-key-hash>/<entry-id>.share"

// Later: Bob comes online and checks his inbox
let mut bob_inbox = ShareInbox::new();

// Bob loads entries from storage
bob_inbox.add_entry(inbox_entry);

// Bob lists pending shares
let pending = bob_inbox.list_pending(&bob_keypair);
println!("You have {} new shares", pending.len());  // "You have 1 new shares"

// Bob accepts Alice's share
let entry_id = pending[0].id.clone();
let accepted_envelope = bob_inbox.accept_entry(&entry_id, &bob_keypair)?;

println!("From: {:?}", accepted_envelope.sharer_name);    // "Alice"
println!("Message: {:?}", accepted_envelope.message);     // "Hey Bob, check out..."
println!("Path: {}", accepted_envelope.token.path_scope); // "/photos/vacation/"

// Bob uses the ShareToken from the envelope
let access = bob_handler.accept_share(&accepted_envelope.token)?;

// ══════════════════════════════════════════════════════════════════════════════
// OPTION 4: Snapshot Share (immutable version only)
// ══════════════════════════════════════════════════════════════════════════════

// Alice wants to share a specific report version that won't change
let report_hash = "abc123def456...";  // BLAKE3 hash of file content
let report_size = 1024;               // File size in bytes
let report_modified = 1699876543;     // Modification timestamp

let snapshot_share = ShareBuilder::new(&alice_keypair, &bob_public_key, &photos_dek)
    .path_scope("/documents/report.pdf")
    .snapshot_with(report_hash, report_size, report_modified)  // Bind to version
    .read_only()
    .build()?;

// Later: Bob tries to access the file
let current_hash = "abc123def456...";  // Current file hash
if snapshot_share.is_snapshot_valid(current_hash) {
    // File hasn't changed, access granted
    let access = bob_handler.accept_share(&snapshot_share)?;
} else {
    // File was modified, snapshot share is no longer valid
    println!("The shared file has been modified since the share was created");
}

// ══════════════════════════════════════════════════════════════════════════════
// SUMMARY: Who Controls What
// ══════════════════════════════════════════════════════════════════════════════
//
// ALICE (Application/Owner) decides:
//   - WHO to share with (Bob's public key)
//   - WHAT to share (path scope)
//   - HOW LONG (expiry)
//   - WHAT PERMISSIONS (read/write/delete)
//   - WHAT MODE (temporal vs snapshot)
//
// FULA PROTOCOL handles:
//   - HPKE encryption of DEK so only Bob can decrypt
//   - Unique share ID generation
//   - Expiry validation
//   - Path scope enforcement
//   - Snapshot binding verification
//   - Inbox entry encryption
//   - Secret link key isolation (fragment never sent to server)

Snapshot vs Temporal Share Modes (WNFS-Inspired)

Fula supports two share modes that determine how access evolves over time, inspired by WNFS's AccessKey semantics:

🔄 Temporal Mode (Default)

Recipients always see the latest version of shared content.

Access to current state of files/folders
Updates by owner are visible to recipients
Best for ongoing collaboration

📸 Snapshot Mode

Recipients can only access the exact version at share creation time.

Bound to specific content hash, size, and timestamp
If content changes, share becomes invalid
Best for compliance, auditing, or "point-in-time" sharing

use fula_crypto::{ShareBuilder, SnapshotBinding, ShareMode, KekKeyPair, DekKey};

let owner = KekKeyPair::generate();
let recipient = KekKeyPair::generate();
let dek = DekKey::generate();

// Temporal share (default) - access evolves with content
let temporal_share = ShareBuilder::new(&owner, recipient.public_key(), &dek)
    .path_scope("/photos/vacation/")
    .temporal()  // or omit - temporal is default
    .build()?;

// Snapshot share - bound to specific content version
let snapshot_share = ShareBuilder::new(&owner, recipient.public_key(), &dek)
    .path_scope("/documents/contract.pdf")
    .snapshot_with(
        "abc123def456",  // content hash (BLAKE3)
        102400,          // size in bytes
        1700000000,      // modification timestamp
    )
    .build()?;

// Verify snapshot is still valid
let verification = snapshot_share.verify_snapshot(
    "abc123def456",  // current content hash
    102400,          // current size
    1700000000,      // current timestamp
)?;
assert_eq!(verification, SnapshotVerification::Valid);

// Quick check
assert!(snapshot_share.is_snapshot_valid("abc123def456"));
assert!(!snapshot_share.is_snapshot_valid("different_hash"));

When to Use Each Mode

Use Case	Recommended Mode
Sharing a folder for ongoing collaboration	Temporal
Sharing a signed contract for audit trail	Snapshot
Giving access to a photo album that may be updated	Temporal
Sharing a specific version of a report	Snapshot

Async/Offline Inbox Sharing (WNFS-Inspired)

Store-and-forward sharing where recipients can pick up shares later without the sharer being online.

How It Works

Inspired by WNFS's exchange directories, Fula supports asynchronous sharing where:

Sharer creates an encrypted ShareEnvelope and stores it in the recipient's inbox
Recipient can later list, decrypt, and accept shares when convenient
No coordination required - both parties can be offline at different times

Sharer                          Storage                         Recipient
  │                                │                                │
  │ 1. Create ShareEnvelope        │                                │
  │    + HPKE encrypt for recipient│                                │
  │                                │                                │
  │ 2. Store in inbox ─────────────│►[Encrypted entry stored]       │
  │                                │                                │
  │                                │  [Later, recipient comes online]
  │                                │                                │
  │                                │◄──3. List inbox entries ───────│
  │                                │                                │
  │                                │◄──4. Decrypt & accept ─────────│
  │                                │                                │
  │                                │  5. Use ShareToken to access   │
  │                                │     shared content             │

use fula_crypto::{ShareEnvelopeBuilder, ShareInbox, KekKeyPair, DekKey};

// === SHARER FLOW ===
let sharer = KekKeyPair::generate();
let recipient = KekKeyPair::generate();
let dek = DekKey::generate();

// Create share envelope with metadata
let (envelope, entry) = ShareEnvelopeBuilder::new(
    &sharer,
    recipient.public_key(),
    &dek
)
    .path_scope("/photos/vacation/")
    .expires_in(7 * 24 * 3600)  // 1 week
    .read_only()
    .label("Vacation Photos 2024")
    .message("Check out these pics from Hawaii!")
    .sharer_name("Alice")
    .build()?;

// Store entry in recipient's inbox (via PrivateForest)
let inbox_path = ShareInbox::entry_storage_path(recipient.public_key(), &entry.id);
// put_object_flat(bucket, &inbox_path, serialize(&entry), ...);

// === RECIPIENT FLOW ===
let mut inbox = ShareInbox::new();

// Load entries from storage
inbox.add_entry(entry);

// List pending shares
let pending = inbox.list_pending(&recipient);
println!("You have {} new shares", pending.len());

// Accept a share
let accepted = inbox.accept_entry(&entry_id, &recipient)?;
println!("From: {:?}", accepted.sharer_name);  // "Alice"
println!("Message: {:?}", accepted.message);   // "Check out these pics..."

// Now use the ShareToken to access content
let dek = recipient.accept_share(&accepted.token)?;

Key Features

📬 Offline Delivery

Shares are stored encrypted until recipient comes online

🔒 End-to-End Encrypted

Only recipient can decrypt inbox entries using HPKE

📝 Rich Metadata

Include labels, messages, and sharer info with each share

⏰ Auto-Expiry

Configurable TTL for inbox entries (default: 30 days)

Subtree Keys (Peergos Cryptree-Inspired)

Allocate separate DEKs for major folders for better revocation and least privilege.

What are Subtree Keys?

Inspired by Peergos Cryptree, Fula supports a shallow key hierarchy where top-level folders can have their own DEKs:

Master DEK (bucket-level)
     │
     ├── /photos/ ─── Subtree DEK A ─── [beach.jpg, sunset.jpg, ...]
     │
     ├── /documents/ ─── Subtree DEK B ─── [report.pdf, notes.txt, ...]
     │
     └── /apps/myapp/ ─── Subtree DEK C ─── [config.json, data.bin, ...]

Sharing /photos/ only exposes Subtree DEK A.
Revoking that share only requires re-keying /photos/, not the whole bucket.

Key Benefits

🔄 Efficient Revocation

Re-key just one subtree instead of rotating the entire bucket

🔒 Least Privilege

A subtree share cannot be escalated to access unrelated data

⚡ Low Overhead

Still uses a single PrivateForest - no structural changes needed

use fula_crypto::{SubtreeKeyManager, SubtreeShareBuilder, DekKey, KekKeyPair};

// Create manager with master DEK
let master_dek = DekKey::generate();
let mut manager = SubtreeKeyManager::with_master_dek(master_dek);

// Create subtrees with their own DEKs
let (photos_dek, encrypted_photos) = manager.create_subtree("/photos/")?;
let (docs_dek, encrypted_docs) = manager.create_subtree("/documents/")?;

// Resolve DEK for a file path
let dek = manager.resolve_dek("/photos/vacation/beach.jpg");  // Returns photos_dek

// Share a subtree with someone
let owner = KekKeyPair::generate();
let recipient = KekKeyPair::generate();

let share = SubtreeShareBuilder::new(
    &owner,
    recipient.public_key(),
    &photos_dek,
    "/photos/",
    1,  // version
)
    .expires_in(86400)  // 24 hours
    .read_only()
    .build()?;

// Rotate subtree key after revocation
let rotation = manager.rotate_subtree("/photos/")?;
// rotation.new_dek is now used for /photos/*
// Old shares become invalid

When to Use Subtree Keys

Scenario	Recommendation
Sharing app-specific data folders	Use subtree DEK per app namespace
Sharing project folders with different teams	Use subtree DEK per project
Need to revoke access to specific shared folder	Rotate just that subtree's DEK
Single user, no sharing	Master DEK is sufficient

Full Filesystem Key Rotation

Rotate your KEK without re-encrypting file content.

Why Rotate Keys?

Suspected Compromise: If you think your key might be exposed
Regular Security Hygiene: Periodic rotation limits exposure window
Personnel Changes: When someone with key access leaves
Compliance Requirements: Some regulations mandate key rotation

Rotation Process

┌─────────────────────────────────────────────────────────────────┐
│                      KEY ROTATION FLOW                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  BEFORE ROTATION:                                                │
│  ┌─────────────┐     wraps      ┌────────────┐                  │
│  │  KEK v1     │ ──────────────→│   DEK A    │──→ File A        │
│  │ (current)   │                └────────────┘                  │
│  │             │     wraps      ┌────────────┐                  │
│  │             │ ──────────────→│   DEK B    │──→ File B        │
│  └─────────────┘                └────────────┘                  │
│                                                                  │
│  ROTATION STEP 1: Generate new KEK                               │
│  ┌─────────────┐                ┌─────────────┐                 │
│  │  KEK v1     │                │  KEK v2     │                 │
│  │ (previous)  │                │ (current)   │                 │
│  └─────────────┘                └─────────────┘                 │
│                                                                  │
│  ROTATION STEP 2: Re-wrap each DEK                               │
│                                                                  │
│  For each file:                                                  │
│    1. Decrypt DEK with KEK v1                                    │
│    2. Re-encrypt DEK with KEK v2                                 │
│    3. Update wrapped DEK in metadata                             │
│                                                                  │
│  AFTER ROTATION:                                                 │
│  ┌─────────────┐     wraps      ┌────────────┐                  │
│  │  KEK v2     │ ──────────────→│   DEK A    │──→ File A        │
│  │ (current)   │                └────────────┘   (unchanged)    │
│  │             │     wraps      ┌────────────┐                  │
│  │             │ ──────────────→│   DEK B    │──→ File B        │
│  └─────────────┘                └────────────┘   (unchanged)    │
│                                                                  │
│  Note: File content is NEVER re-encrypted!                       │
│        Only the DEK wrappers are updated.                        │
└─────────────────────────────────────────────────────────────────┘

Code Example

use fula_crypto::{KekKeyPair, DekKey, FileSystemRotation};

// Initialize with current keypair
let keypair = KekKeyPair::generate();
let mut fs = FileSystemRotation::new(keypair)
    .with_batch_size(100);  // Process 100 files per batch

// Register existing files
for file in files {
    fs.wrap_new_file(&file.path, &file.dek)?;
}

// Initiate rotation (generates new KEK)
let new_public_key = fs.rotate();

// Rotate in batches (for large filesystems)
while !fs.is_rotation_complete() {
    let result = fs.rotate_batch();
    println!("Rotated {} files", result.rotated_count);
}

// All files now use KEK v2
// Old KEK is automatically cleared

Key Benefits

⚡ Efficient

Only re-wraps DEKs (32 bytes each), never re-encrypts file content

📦 Incremental

Process files in batches to avoid overwhelming large systems

🔄 Backward Compatible

Old wrapped keys still work during transition period

✅ Verified

Track rotation progress and verify completion

Metadata Privacy

Protect not just your data, but also your file names, sizes, and timestamps.

Why Metadata Privacy Matters

Even with encrypted content, metadata can reveal sensitive information:

File names like "tax_returns_2024.pdf" or "medical_records.docx" reveal intent
File sizes can identify document types or media content
Timestamps show when you accessed or modified files
Content types indicate what kind of data you're storing

How It Works

┌─────────────────────────────────────────────────────────────────┐
│                   METADATA PRIVACY FLOW                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  CLIENT SIDE (Original Metadata):                                │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │ Key:        /finances/investment_portfolio_2024.xlsx       │ │
│  │ Size:       156,789 bytes                                  │ │
│  │ Type:       application/vnd.openxmlformats...              │ │
│  │ Modified:   2024-12-07T15:30:00Z                           │ │
│  └────────────────────────────────────────────────────────────┘ │
│                           │                                      │
│                           ▼                                      │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │              METADATA ENCRYPTION                           │ │
│  │  1. Create PrivateMetadata struct with original values    │ │
│  │  2. Encrypt with file's DEK using AES-256-GCM             │ │
│  │  3. Generate obfuscated storage key via BLAKE3            │ │
│  └────────────────────────────────────────────────────────────┘ │
│                           │                                      │
│                           ▼                                      │
│  SERVER SIDE (What storage nodes see):                           │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │ Key:        e/a7c3f9b2e8d14a6f (obfuscated hash)          │ │
│  │ Size:       156,821 bytes (ciphertext size)               │ │
│  │ Type:       application/octet-stream (generic)            │ │
│  │ Metadata:   [encrypted blob]                              │ │
│  └────────────────────────────────────────────────────────────┘ │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Key Obfuscation Modes

🌟 FlatNamespace (DEFAULT)

Complete structure hiding. Server sees only random CID-like hashes. Inspired by WNFS and Peergos.

/photos/beach.jpg → QmX7a8f3e2d1c9b4a5 No prefixes, no structure hints. Directory tree stored in encrypted PrivateForest index.

DeterministicHash

Same file path → Same storage key. Allows retrieval without local index.

/photos/beach.jpg → e/a7c3f9b2e8d14a6f

RandomUuid

Each upload gets a random key. Maximum privacy but requires local mapping.

/photos/beach.jpg → e/random-uuid-here

PreserveStructure

Keep directory paths, hash only filenames. Allows folder browsing.

/photos/beach.jpg → /photos/e_a7c3f9b2

Code Example

use fula_client::{EncryptedClient, EncryptionConfig, KeyObfuscation};

// DEFAULT: FlatNamespace for complete structure hiding
let encryption = EncryptionConfig::new();  // FlatNamespace by default!
let client = EncryptedClient::new(config, encryption)?;

// Upload - server sees: QmX7a8f3e2d1c9b4a5e6f7d8...
client.put_object_flat(bucket, "/secret/file.txt", data, None).await?;

// List files from encrypted PrivateForest index
let files = client.list_files_from_forest(bucket).await?;

// Server sees NOTHING about your folder structure!

// ─────────────────────────────────────────────────────────
// Alternative modes (for specific use cases):
// ─────────────────────────────────────────────────────────

// DeterministicHash - same path = same key, no local index needed
let encryption = EncryptionConfig::new()
    .with_obfuscation_mode(KeyObfuscation::DeterministicHash);

// PreserveStructure - keeps folder paths visible
let encryption = EncryptionConfig::new()
    .with_obfuscation_mode(KeyObfuscation::PreserveStructure);

// Disable metadata privacy entirely (not recommended)
let encryption = EncryptionConfig::new_without_privacy();

// Get full metadata including original filename
let info = client.get_object_with_private_metadata(bucket, storage_key).await?;
println!("Original name: {}", info.original_key);
println!("Original size: {}", info.original_size);

Security Guarantees

What the current implementation provides and its limitations.

✅ Provided

Confidentiality: Data encrypted with AES-256-GCM; only key holder can decrypt
Integrity: AEAD tags detect any tampering with ciphertext
Authenticity: Only holder of secret key can produce valid decryption
Forward Secrecy: Ephemeral keys in HPKE protect past data
Key Isolation: Each file has unique DEK; compromise affects only that file
Semantic Security: Same plaintext encrypts to different ciphertext each time
Ciphertext Indistinguishability: Encrypted data appears random
Metadata Privacy: File names, sizes, timestamps encrypted (optional, enabled by default)

❌ Not Provided

Sender Authentication: Recipients can't verify who encrypted the data
Deniability: Encryption proves you had the key
Traffic Analysis Resistance: Access patterns may be observable
Post-Quantum Security: X25519 vulnerable to quantum computers

Threat Model

What attacks Fula protects against and what it doesn't.

🛡️ Protected Against

Malicious Storage Nodes

Nodes only see encrypted data. They cannot read your files or forge valid data.

Network Eavesdroppers

All data in transit is encrypted. Even if intercepted, it's unreadable.

Data Tampering

AEAD tags and content addressing detect any modifications.

Gateway Compromise

Gateway never sees plaintext or keys. Compromise only affects availability, not confidentiality.

Replay Attacks

Unique nonces prevent replaying old ciphertexts.

⚠️ Not Protected Against

Compromised Client Device

If your device is compromised, attacker can extract keys.

Rubber Hose Cryptanalysis

Coercion/legal compulsion to reveal keys.

Side-Channel Attacks

Timing, power analysis on the local device.

Quantum Computers

X25519 can be broken by sufficiently powerful quantum computers.

Multi-Device Key Management

Securely manage encryption keys across multiple devices.

Key Management Patterns

Fula supports multiple patterns for managing keys across devices:

Pattern A: Shared Identity

All devices share the same master key. Simple but all devices are equally trusted.

// All devices use same backed-up secret
let master_secret = SecretKey::from_bytes(backed_up_secret)?;
let keypair = KekKeyPair::from_secret(master_secret);
let key_manager = KeyManager::new(&keypair);
// Files encrypted on one device readable on all

+ Simple setup + Seamless sync - No device revocation

Recommended

Pattern B: Per-Device Keys

Each device has its own KEK. Access granted via ShareToken.

// Device A (primary)
let device_a = KekKeyPair::generate();

// Device B (secondary) 
let device_b = KekKeyPair::generate();

// Grant Device B access to specific folders
let share = ShareBuilder::new(
    &device_a,
    device_b.public_key(),
    &folder_dek
)
    .path_scope("/shared/")
    .build()?;

+ Device revocation + Granular access - More complex setup

Handling Device Loss

When a device is lost or stolen:

Immediate: Rotate KEK on remaining devices
Re-wrap: Use FileSystemRotation to re-wrap all DEKs
Revoke: Remove device from any shared access
Audit: Review what data the device had access to

// On remaining device - rotate immediately
let mut rotation = FileSystemRotation::new(current_keypair);
let new_public_key = rotation.rotate();

// Re-wrap all DEKs with new KEK
while !rotation.is_rotation_complete() {
    rotation.rotate_batch();
}
// Lost device's wrapped keys are now useless

Key Backup Strategy

📝 Paper Backup

24-word mnemonic phrase stored offline in multiple secure locations

🔐 Hardware Security

YubiKey, Ledger, or other HSM for master key storage

☁️ Encrypted Cloud

Password-protected backup on different provider than data

Recovery Scenarios

Scenario	Recovery Method	Data Loss
Lost device (backup exists)	Restore from backup	None
Lost device (no backup)	Cannot recover	All data
Compromised device (detected early)	Rotate + restore	None
Compromised device (delayed detection)	Rotate + audit	Potentially exposed

📄 Full Documentation: See THREAT_MODEL.md for comprehensive multi-device patterns and threat analysis.

Security Best Practices

Recommendations for securely using Fula encryption.

🔑

Key Management

Generate keys on a secure, trusted device
Back up your secret key in multiple secure locations
Never share or transmit your secret key
Rotate keys periodically or after potential compromise

💻

Client Security

Keep your device and OS updated
Use full-disk encryption
Use a hardware security module if available
Clear keys from memory after use

🔒

Data Handling

Always enable encryption for sensitive data
Verify file integrity after download
Don't store sensitive metadata in unencrypted fields
Use unique DEKs per file (default behavior)

🔄

Operational Security

Monitor for unauthorized access attempts
Have an incident response plan for key compromise
Test key recovery procedures periodically
Audit encryption settings regularly

🔒 Security & Encryption

Security Overview

Client-Side Encryption

User-Held Keys

Verified Integrity

Forward Secrecy

Cryptographic Primitives Stack

Trust Model

Security Assumptions

API Authentication

Authentication Methods

🔑 Bearer Token (Simple)

📦 AWS Signature V4 (S3 Compatible)

AWS Sig V4 with JWT

Security Properties

Encryption Flow

📤 Upload (Encryption) Flow

📥 Download (Decryption) Flow

Key Architecture (KEK/DEK)

Benefits of KEK/DEK Architecture

HPKE Implementation

HPKE Configuration

HPKE Encryption Process

Security Properties

Symmetric Encryption (AEAD)

Supported Ciphers

AES-256-GCM

ChaCha20-Poly1305

Ciphertext Structure

Nonce Generation

Fula's Strategy: Random Nonces

Data Integrity Verification

Multi-Layer Integrity

AEAD Authentication Tag

Content Addressing (CID)

Bao Streaming Verification

BLAKE3 Hashing

Bao Verified Streaming

Key Management

Key Generation

Key Rotation

Key Backup & Recovery

Recommended Backup Strategies

Memory Security

Secure File & Folder Sharing

How Sharing Works

Sharing Features

Code Example

Complete Sharing Example: Alice Shares Photos with Bob

Security Properties

Secret Links (Peergos-Inspired)

Security Benefits

Snapshot vs Temporal Share Modes (WNFS-Inspired)

🔄 Temporal Mode (Default)

📸 Snapshot Mode

When to Use Each Mode

Async/Offline Inbox Sharing (WNFS-Inspired)

How It Works

Key Features

Subtree Keys (Peergos Cryptree-Inspired)

What are Subtree Keys?

Key Benefits

When to Use Subtree Keys

Full Filesystem Key Rotation

Why Rotate Keys?

Rotation Process

Code Example

Key Benefits

Metadata Privacy

Why Metadata Privacy Matters

How It Works

Key Obfuscation Modes

🌟 FlatNamespace (DEFAULT)

DeterministicHash

RandomUuid

PreserveStructure

Code Example

Security Guarantees

✅ Provided

❌ Not Provided