DocsUser GuideFile Encryption & Decryption

File Encryption & Decryption

How bervice protects your files end-to-end. Learn how encryption keys are created, how chunks are secured and verified, how sharing works, and what happens when you download or restore versions.

Local-First

Files are encrypted on your device before upload. Servers only see ciphertext and integrity tags.

Per-File Keys

Every file has a unique symmetric key; sharing re-wraps this key to recipients—your master key never leaves the device.

Integrity

Authenticated encryption (AEAD) detects any tampering; corrupted chunks are rejected and re-fetched.

Key Hierarchy (Files)

  • Master Password → Vault Key (derived on device via a KDF).
  • Vault Key → wraps File Keys (one per file).
  • Sharing: File Key is re-wrapped to each recipient’s public key.
  • No server-side decryption; keys are never transmitted in plaintext.
  • Revocation removes future access; already-downloaded plaintext remains under the recipient’s control.

Encryption (Upload)

  1. File is split into fixed-size chunks.
  2. Each chunk is encrypted with the File Key using AEAD.
  3. Ciphertext + auth tag are sent to storage; indexes store metadata only.
  4. Upload is resumable—verified chunks aren’t re-sent.

See Uploading Files.

Decryption (Download/View)

  1. Client fetches ciphertext chunks and the wrapped File Key.
  2. File Key is unwrapped locally using your vault/device keys.
  3. Each chunk is verified (auth tag) and decrypted on device.
  4. Reassembled plaintext is saved or previewed locally.

See Downloading Files.

Version History

  • Each replace/upload creates a new encrypted version.
  • Restore previous versions without losing the latest.
  • Add change notes for audits.

Integrity Checks

  • Run Integrity check to re-verify stored chunks.
  • Checksums are shown to validate downloaded files.
  • Mismatches trigger automatic re-fetch.

Offline Behavior

  • Cached plaintext previews remain accessible offline.
  • New downloads queue until connectivity returns.
  • Conflicts prompt you to keep newest or both.

Secure Sharing

  • Move files into a Team Space to grant access.
  • Permissions apply to the wrapped File Key (Viewer / Can edit).
  • Revoke by removing from space; recipients lose future decrypt capability.

See Security Notes.

Best Practices

  • Keep the app updated to receive crypto/security patches.
  • Use strong master password & enable biometric + auto-lock.
  • Store recovery key/seed offline; never share it.

Verify a File After Download

  1. Open the file’s details → click Show checksum.
  2. Compute a local hash with your OS tool.
  3. Values must match; otherwise run Integrity check and re-download.

For signed installers, also verify the publisher signature. See Verifying Downloads.

Troubleshooting

  • “Decryption failed”: Time skew or corrupted chunk—sync time and retry Integrity check.
  • “No permission”: Confirm you have access to the Team Space and the file wasn’t revoked.
  • Preview broken: Save locally and open with a native viewer.
  • Slow decrypt/download: Use a stable network; reduce concurrency in Settings → Performance.
  • Key mismatch after share: Ask the owner to re-share; ensure your device is fully synced.
  • More help: Encryption Errors

Managing Files

Preview, versions, sharing.

Uploading Files

Encrypted chunk uploads.

Downloading Files

Local decrypt & verification.

Previous

Downloading Files

Next

Organizing Vault Items