CoffreZero
A zero-knowledge encrypted document vault where the server mathematically cannot read your data — built with client-side XChaCha20-Poly1305, Argon2id key derivation, and SDK-first architecture.
Encryption model
Zero-knowledge
Server stores only ciphertext — mathematically impossible to read plaintext without user key.
Key derivation
Argon2id
OWASP-recommended parameters: m=65536, t=3, p=4 for brute-force resistance.
Infrastructure
7 containers
PostgreSQL, Redis, MinIO, FastAPI, ARQ worker, Next.js, Nginx — fully containerized.
SDK coverage
2 SDKs
TypeScript and Python SDKs with auth, documents, sharing, burn secrets, and developer API.
The Problem
What this project had to solve
Most document storage products encrypt data at rest on the server — meaning the provider can read everything. CoffreZero eliminates that trust assumption entirely with client-side zero-knowledge encryption.
CoffreZero was designed around one non-negotiable principle: the server must never have the ability to decrypt stored documents. All encryption happens client-side using libsodium's XChaCha20-Poly1305 AEAD cipher, with master keys derived from user passwords via Argon2id (OWASP parameters).
The backend is a FastAPI async service with PostgreSQL, Redis, MinIO (S3-compatible storage), and ARQ background workers. The frontend is built on Next.js 14 with Zustand state management, Three.js 3D visualization, and Framer Motion. Two SDKs (TypeScript and Python) provide programmatic access with full HMAC-SHA256 webhook support.
What sets CoffreZero apart is the depth of the security model: per-document random DEKs wrapped with NaCl SecretBox, sealed-box sharing for recipients, HMAC-SHA256 chained audit logs for tamper detection, burn-after-reading secrets, GDPR Article 17 erasure protocol, and forensic watermarking for leak detection.
What changed
Users get a document vault where sharing, auditing, and collaboration work seamlessly — but the provider is cryptographically locked out. Data sovereignty becomes a provable property, not a marketing claim.
Why it was hard
The challenge was making zero-knowledge encryption feel effortless in the UI while maintaining rigorous crypto guarantees: per-document DEKs, sealed-box re-encryption for sharing, and HMAC-chained audit trails that survive even if the database is compromised.
Constraints
- All cryptographic operations must happen in the browser — the server never sees plaintext or master keys.
- Document sharing requires re-encrypting DEKs for recipients without exposing plaintext to any intermediary.
- The audit log must be cryptographically tamper-proof with HMAC-SHA256 chain integrity.
My role
- Designed the full cryptographic architecture: key hierarchy, DEK wrapping, sealed-box sharing.
- Built the FastAPI backend with async PostgreSQL, Redis caching, MinIO object storage, and ARQ workers.
- Implemented client-side encryption layer using libsodium WASM (XChaCha20-Poly1305, Argon2id, NaCl boxes).
- Created TypeScript and Python SDKs with webhook delivery and HMAC signature verification.
Proof
What the product actually looks like
Real screens from the product — each one supports a specific argument about clarity, control, or observability.
Brand SurfaceClick to view full sizeLanding Page
A Three.js-powered landing page that communicates zero-knowledge encryption and SDK-first architecture.
3D visualization reinforces the security narrative while the product messaging stays concrete.
Core ProductClick to view full sizeDocument Vault
The encrypted vault where documents are stored, organized, and managed with full client-side decryption.
Documents are decrypted in the browser only when the user explicitly requests access.
CollaborationClick to view full sizeSecure Sharing
Time-limited, purpose-specific document sharing with sealed-box re-encryption for recipients.
The DEK is re-encrypted for the recipient using their public key — the server never sees the plaintext key.
EphemeralClick to view full sizeBurn Secrets
One-time secrets with optional passphrase protection and automatic expiry.
XChaCha20-Poly1305 encryption with configurable access limits and time-based destruction.
IntegrityClick to view full sizeAudit Trail
HMAC-SHA256 chained audit log that detects tampering through cryptographic chain verification.
Each entry includes previous_hash, action, actor_id, IP hash, and timestamp in an immutable chain.
Decisions
Tradeoffs that shaped the product
The strongest work is visible in the choices made under pressure, not just in the final interface.
Client-side encryption over server-side at-rest encryption
Challenge
Server-side encryption still allows the provider to read data. Zero-knowledge requires a fundamentally different architecture.
Decision
All encryption/decryption happens in the browser using libsodium WASM. Master keys are derived locally via Argon2id and never transmitted.
Tradeoff
Server-side search and indexing become impossible, but the security guarantee is mathematically provable.
XChaCha20-Poly1305 over AES-256-GCM
Challenge
AES-GCM has a nonce reuse catastrophe risk with its 96-bit nonce. High document volumes increase collision probability.
Decision
XChaCha20-Poly1305 with 192-bit nonces eliminates nonce collision risk even at massive scale.
Tradeoff
Slightly less hardware acceleration than AES-GCM, but the safety margin is worth it for a document vault.
SDK-first API design over UI-only product
Challenge
Enterprise customers need programmatic access for automation, compliance workflows, and integration.
Decision
TypeScript and Python SDKs were built alongside the product with full API parity, webhook delivery, and HMAC signature verification.
Tradeoff
Doubles the surface area to maintain, but unlocks developer adoption and integration scenarios.
Architecture
How data flows through the system
Authenticate
User logs in; password is verified server-side with Argon2id. Master key is derived client-side from password + KDF salt.
→ The master key exists only in browser memory — never transmitted, never stored.
Encrypt & Upload
A random 32-byte DEK is generated per document. File is encrypted with XChaCha20-Poly1305. DEK is wrapped with NaCl SecretBox using the master key.
→ Server receives only ciphertext and a wrapped DEK it cannot unwrap.
Store
Encrypted file goes to MinIO (S3-compatible). Wrapped DEK and metadata go to PostgreSQL. Audit entry is HMAC-chained.
→ Data at rest is ciphertext across all storage layers.
Share
Owner decrypts DEK client-side, re-encrypts it for the recipient using their public key via NaCl sealed box.
→ Recipient can decrypt without the server ever seeing the plaintext DEK.
Audit & Comply
Every action is logged in an HMAC-SHA256 chain. GDPR Article 17 erasure requests trigger cryptographic deletion workflows.
→ Compliance is provable through cryptographic chain integrity, not just policy documents.
CoffreZero uses a zero-knowledge architecture where all encryption happens client-side via libsodium WASM. The FastAPI backend handles auth, metadata, and orchestration but never sees plaintext. PostgreSQL stores encrypted metadata and wrapped DEKs, MinIO stores ciphertext blobs, Redis manages sessions and job queues, and ARQ workers handle async tasks like expiry enforcement and webhook delivery. The frontend derives master keys locally using Argon2id and manages all crypto operations in browser memory.
Product surfaces
The interfaces that carry the experience
Zero-Knowledge Vault
Encrypted document storage where all crypto operations happen client-side. The server stores only ciphertext.
Secure Document Sharing
Time-limited, purpose-specific sharing with sealed-box re-encryption — no plaintext ever touches the server.
QR Code Quick Share
Generate QR codes for instant document sharing with embedded access credentials and time limits.
Burn-After-Reading Secrets
Ephemeral encrypted messages with optional passphrase protection, access limits, and automatic destruction.
Cryptographic Audit Trail
HMAC-SHA256 chained audit log where each entry references the previous hash — tampering breaks the chain.
Data Sovereignty & GDPR
Self-hostable deployment with GDPR Article 17 right-to-be-forgotten protocol and cryptographic deletion.
Developer API & SDKs
TypeScript and Python SDKs with full API parity, HMAC-signed webhooks, and comprehensive error handling.
CoffreZero Identity
Decentralized identity (DID) generation with Ed25519 signing keypairs and multi-level verification.
Tech Stack
Built with
FastAPI
Async Python API framework
PostgreSQL
Primary relational database
Redis
Cache, session store, job queue
Framework
UI
Data
Infra
Languages
TypeScriptPythonSQLCSS/TailwindWhat this project proves