
How We Protect Your Messages

Standard algorithms, documented here and explained on GitHub.

Two Layers of Encryption

Sanctia uses two independent encryption models. Every message is encrypted at rest by default. For those who want maximum protection, end-to-end encryption ensures even we can't read your messages.

Server-Side Encryption

Always on by default

Every message is encrypted with its own unique key using envelope encryption.

  • A fresh 256-bit Data Encryption Key (DEK) is generated per message
  • Message content is encrypted with the DEK using AES-256-GCM
  • The DEK itself is encrypted by a Key Encryption Key (KEK) managed by AWS KMS
  • Only the encrypted DEK is stored alongside the message

If our database is breached, the attacker gets ciphertext and encrypted keys. Without access to AWS KMS, the data is useless.
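The envelope scheme described above, as an added Node.js example (not Sanctia's code): a fresh DEK per message, AES-256-GCM for the content, and only the wrapped DEK kept in the stored record. Assumptions: a local 256-bit key stands in for the KEK managed by AWS KMS, and the function names and the use of the message ID as additional authenticated data are illustrative choices that do not come from this page.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit IV; aad is authenticated but not encrypted.
function gcmEncrypt(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function gcmDecrypt(key, { iv, ct, tag }, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or AAD was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// ASSUMPTION: kek is a local 256-bit key standing in for the KMS-held KEK;
// with AWS KMS the wrap/unwrap steps are service calls and the KEK stays there.
function sealMessage(kek, messageId, text) {
  const dek = nodeCrypto.randomBytes(32); // fresh 256-bit DEK per message
  const aad = Buffer.from(messageId);     // assumption: bind both blobs to this record
  const body = gcmEncrypt(dek, Buffer.from(text, 'utf8'), aad);
  const wrappedDek = gcmEncrypt(kek, dek, aad);
  dek.fill(0);                            // plaintext DEK is not stored
  return { messageId, body, wrappedDek }; // what lands in the database
}

function openMessage(kek, record) {
  const aad = Buffer.from(record.messageId);
  const dek = gcmDecrypt(kek, record.wrappedDek, aad);
  try {
    return gcmDecrypt(dek, record.body, aad).toString('utf8');
  } finally {
    dek.fill(0);
  }
}

// true if the record decrypts and authenticates under kek, false otherwise
function canOpen(kek, record) {
  try { openMessage(kek, record); return true; } catch { return false; }
}

// Constructed sample data
const demoKek = nodeCrypto.randomBytes(32);
const demoRecord = sealMessage(demoKek, 'msg-001', 'constructed sample message');
console.log(openMessage(demoKek, demoRecord), canOpen(nodeCrypto.randomBytes(32), demoRecord));
```

A holder of the stored record without the KEK fails at the unwrap step, and a wrapped DEK copied from another record fails authentication because of the message-ID binding.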

End-to-End Encryption

Opt-in

Your passphrase never leaves your device. We literally cannot read your messages.

  • Keys are derived on your device using Argon2id - memory-hard, resistant to GPU and ASIC attacks
  • Messages and files are encrypted client-side with AES-256-GCM before reaching our servers
  • Each message gets its own salt and IV - compromising one reveals nothing about another
  • Domain separation prevents key reuse across verifiers, messages, and files

The same Argon2id key derivation runs identically on web, iOS, and Android, and its output is checked against reference known-answer tests in our CI on every build.

The server stores only ciphertext. Decryption happens entirely in the recipient's browser or app.

What We Can and Can't See

| | Server-Side Encryption | End-to-End Encryption |
| Message content | Encrypted at rest. Decrypted only for delivery to recipients. | We cannot read it. Ever. |
| Attachments | Stored in S3 | Encrypted before upload |
| Your passphrase | N/A | Never sent to our servers |
| Drafts (text + attachments) | Stored only on your device. Never reach our servers until you publish. | Stored only on your device. Never reach our servers until you publish. |
| Metadata | Visible (recipient names, delivery timing) | Visible (recipient names, delivery timing) |

The Algorithms

AES-256-GCM

Authenticated encryption. Provides both confidentiality and integrity - if a single bit is tampered with, decryption fails.

Argon2id

Memory-hard key derivation. Default parameters: 64 MB memory, 3 iterations, 4-way parallelism. Makes brute-forcing a passphrase computationally expensive even on specialized hardware.

AWS KMS

Hardware-backed key management for server-side encryption. The master key never leaves the KMS boundary.

Standard Algorithms, Verified in CI

We don't rely on security through obscurity. Every algorithm we use is industry standard and openly documented here: Argon2id for key derivation, AES-256-GCM for content, and AWS KMS for server-side envelope encryption. There are no custom or secret primitives.

What matters is that the implementation matches the spec. So we verify it continuously. On every build, our CI runs the crypto test suite and a known-answer test that checks our Argon2id output against the reference implementation. If our key derivation ever drifted from the standard, the build would fail.

Our encryption code is open source. You can read exactly how your messages are protected on GitHub.

What's Next

  • Third-party security audit - on our roadmap once we launch
  • Key rotation - automated re-encryption with new keys
  • S3 server-side encryption - adding AWS SSE as an additional layer for attachments

Questions?

If you're a security researcher and want to discuss our implementation, reach out at support@sanctia.app.

© 2026 Sanctia. All rights reserved.