🚀 Feature Drop · February 21, 2026 · 5 min read

Secure Vault: Zero-Knowledge Document Storage with E2EE

End-to-end encrypted document uploads, Argon2id passphrase hardening, malware scanning, and PGP-secured email notifications.

By TradeStance Engineering
Tags: security, E2EE, PGP, vault

The Problem

Trade documents such as invoices, bills of lading and KYC certificates contain highly sensitive commercial information. Storing them in plaintext on cloud storage creates risk. Emailing them as attachments means copies persist on mail servers forever.

The Solution

The TradeStance Secure Vault is a zero-knowledge document storage system. Files are encrypted in your browser using OpenPGP (Curve25519 ECC) before they ever leave your device. Your private key is protected with Argon2id, a memory-hard KDF whose per-guess memory cost is what makes brute-force attacks on the passphrase computationally infeasible, even with GPU/ASIC hardware.

Security pipeline:

  • Client-side PGP encryption — the server never sees plaintext documents.
  • Argon2id passphrase hardening (64 MiB, 3 iterations) before OpenPGP S2K.
  • AttachmentAV malware scanning — every upload scanned before R2 storage.
  • 15-minute HMAC-signed presigned URLs — no permanent download links.
  • PGP-encrypted email body — Resend only sees ciphertext.
  • R2 CORS locked to tradestance.com and dashboard origins only.
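The 15-minute signed-link item above, as an added example that is not TradeStance's code: a simplified HMAC-SHA256 scheme (not S3 SigV4) that issues a link and then rejects expired, tampered or malformed ones. The key, path and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

TTL_SECONDS = 15 * 60  # link lifetime stated on the page
SECRET = b"constructed-demo-key"  # constructed; a real key lives in a secret store


def _mac(key: bytes, method: str, path: str, expires: int) -> str:
    # Bind method, path and expiry together so none can be changed on its own.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(key: bytes, path: str, now: int, ttl: int = TTL_SECONDS) -> str:
    """Issue a GET-only link for `path` that stops working `ttl` seconds after `now`."""
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _mac(key, "GET", path, expires)})
    return f"{path}?{query}"


def verify_url(key: bytes, method: str, url: str, now: int) -> str:
    """Return 'ok', 'malformed', 'bad-signature' or 'expired'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    expected = _mac(key, method, parts.path, expires)
    # Constant-time compare, and authenticate 'expires' before trusting it.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad-signature"
    if now >= expires:
        return "expired"
    return "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    link = sign_url(SECRET, "/vault/doc-123.pgp", issued)
    print(link, verify_url(SECRET, "GET", link, issued + 60))
```

Because the expiry is covered by the MAC, extending `expires` in the query string invalidates the signature instead of extending the link.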

The Benefit

Even if our database or storage is compromised, your documents remain encrypted. Email notifications contain time-limited links instead of attachments. This is the gold standard for trade document security.
