Zero-Knowledge Architecture

How ArkSpace ensures mathematical certainty for your privacy.

1. The End-to-End Encryption Flow

Unlike traditional cloud storage providers that encrypt your data on their servers (allowing them to hold the keys), ArkSpace performs all cryptographic operations locally on your device before a single byte is transmitted over the network.

    [Your Device]                                    [ArkSpace Server]

      Raw File
         |
      (PBKDF2 Key Derivation)
         |
      [AES-256-GCM Encryption] ----(TLS 1.3)---->    [Encrypted Blob]
         |                                           (Cannot be decrypted
      (Keys NEVER leave device)                       without your local key)

2. Key Derivation & Authentication

Your Master Password is never sent to our servers. Instead, your client generates an authentication hash and an encryption key locally:
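One common way to derive both values from a single password, shown as an added example and not ArkSpace's own code. The iteration counts, salt handling, HMAC labels and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000  # assumption: the page gives no iteration count


def derive_keys(master_password: str, salt: bytes,
                iterations: int = CLIENT_ITERATIONS) -> tuple:
    """Client side: stretch the password once, then split into two values."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)
    # Domain separation (labels are hypothetical): knowing one output does
    # not reveal the other, so the server-bound value cannot decrypt files.
    enc_key = hmac.new(master_key, b"example:file-encryption", hashlib.sha256).digest()
    auth_hash = hmac.new(master_key, b"example:authentication", hashlib.sha256).digest()
    return enc_key, auth_hash


def server_enroll(auth_hash: bytes) -> dict:
    """Server side: store only a salted hash of the received auth hash."""
    server_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, 100_000)
    return {"server_salt": server_salt, "verifier": verifier}


def server_login(record: dict, presented_auth_hash: bytes) -> bool:
    """Server side: constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_auth_hash, record["server_salt"], 100_000)
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    salt = os.urandom(16)  # per-account salt, constructed for this demo
    enc_key, auth_hash = derive_keys("correct horse battery staple", salt)
    record = server_enroll(auth_hash)  # only auth_hash crosses the network
    print("login ok:", server_login(record, auth_hash))
    print("enc_key kept on device:", enc_key.hex()[:16], "...")
```

In this sketch the server record holds neither the password nor the encryption key, so a dump of the server's database gives an attacker nothing that decrypts stored blobs directly.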

3. Forward Secrecy & TLS 1.3

Even though your files are already encrypted locally, the transmission channel between your device and our edge nodes is further protected by TLS 1.3 with Perfect Forward Secrecy (PFS). This prevents man-in-the-middle attacks and ensures that even if our transport keys are compromised in the future, past communications cannot be decrypted.

4. Open Source Audits

Trust, but verify. The core cryptographic libraries used in our desktop and mobile clients are fully open-source and undergo regular audits by independent third-party security firms. We believe that security through obscurity is no security at all.

© 2024-2026 ArkSpace Core Engineering.