sovsealsovseal
WelcomePlatformSelf-HostedCookbooksIntegrationsSDK ReferenceAPI ReferenceComponentsChangelog
Verified by the sovseal team

Encryption Overview

Learn how sovseal achieves zero-knowledge state security through client-side encryption primitives.

sovseal is designed with a strict zero-knowledge threat model. Plaintext memories are never sent over the network, never written to remote database tables, and never exposed to the hosting providers or replication servers.

The Zero-Knowledge Boundary

All data encryption occurs locally on your machine before any cloud replication process is initiated:

[Plaintext Memory]

       ▼ (Client CPU)
[AES-256-GCM Encrypt] using local 256-bit key

       ▼ (Client Network)
[Upload Ciphertext] ────► [Supabase Edge Server] (Only sees ciphertext + SHA-256 hashes)

1. Primitives Used

  • Symmetric Encryption: AES-256-GCM (Galois/Counter Mode) with a 256-bit key.
  • Randomization: A unique, cryptographically secure 96-bit Random Initialization Vector (IV) is generated for every snapshot write.
  • Auth Tag: A 128-bit authentication tag is appended to the ciphertext to verify message integrity and prevent tampering.

2. Two encryption layers (0.3.5)

sovseal encrypts in two distinct places, with two HKDF-derived subkeys of the OS-keychain master:

LayerKeyWhat it protectsEnvelope
At rest (local)k_restMemory text written to the on-device LanceDB storesgcm1: + base64(IV‖ciphertext‖tag); AAD binds each row to its id + schema_version
In transit / cloudk_syncCiphertext replicated to the edge server96-bit IV per snapshot; 128-bit GCM auth tag

So a stolen disk or cold backup yields ciphertext, not memories. Embedding vectors remain in the clear locally (they are derived from plaintext but are not reversible to it). See Key Management & Custody.

3. Server Blindness Proof

Because the replication server only receives the base64-encoded ciphertext, the client_payload_hash, and the SHA-256-derived agent_id, the server cannot:

  • Read your stored agent memories, code directories, or task descriptions.
  • Modify memories without causing an immediate decryption failure (as the AES-GCM authentication tag would mismatch).
  • Substitute your memories with a dummy payload without failing the client-side Verified Semantic Recall (VSR) SHA-256 validation check.

Postgres + pgvector (Remote Sync)

Guide to self-hosting the edge replication layer using Postgres and pgvector.

AES-256-GCM Encryption

Specifications of the authenticated symmetric encryption model protecting state snapshots.

On this page

The Zero-Knowledge Boundary1. Primitives Used2. Two encryption layers (0.3.5)3. Server Blindness Proof