Back

Architecture & Security

Nest is built on a Zero-Knowledge (ZK) security model. This means that the server is "blind" to your data. It facilitates storage and authentication without ever having the technical capability to decrypt your files.

The Zero-Knowledge Model

In traditional cloud storage, the server manages your keys. In Nest, you are the only one who holds the keys.

Client-Side Primacy

Encryption and decryption happen strictly in your browser.

Untrusted Backend

The server is treated as a compromised entity.

The Metadata Blob Mechanism

A major challenge in Zero-Knowledge architectures is hiding file and folder names without breaking search and directory navigation. If the server cannot read filenames, how does it construct your filesystem?

Nest solves this via the Metadata Blob. Instead of storing filenames in relational database columns, the entire virtual file system is stored as a massive JSON object that is encrypted by the Master Key.

  1. When you log in, your browser downloads the encrypted blob and decrypts it locally.
  2. Your browser parses the JSON to render your folders and filenames in the UI.
  3. When you rename a file, the browser updates the local JSON, re-encrypts the entire blob, and pushes the new ciphertext back to the server.

Result: The server only sees a meaningless stream of bytes. It knows how many bytes you are storing, but it has no mathematical way of knowing if you are storing photos, documents, or what those files are named.

Architecture Flow

The architecture enforces a strict boundary between the trusted client and the untrusted server and storage layers.

Client (Browser)
   │
   ├─ [Trust Boundary]
   │    ├─ Argon2id KDF
   │    └─ XChaCha20-Poly1305 Encryption
   │
   ├─ 1. Login (Auth Hash) ────> API Server
   ├─ 2. Derive Key & Unlock Vault
   ├─ 3. Encrypt File
   └─ 4. Upload Encrypted Blob ────> API Server ────> Obsideo Storage Network

Obsideo Distributed Storage

Once your files are encrypted locally, Nest does not store the resulting ciphertexts on centralized servers like AWS S3. Instead, we utilize the Obsideo Storage Network for high-availability, redundant, distributed storage.

Important Integration Note

The Obsideo SDK is utilized purely as a dumb storage pipe. It receives files that are already encrypted by your browser's WebAssembly crypto engine. Obsideo stores only opaque encrypted chunks — it never sees your file contents or file names.

Secure File Sharing

How do you share an encrypted file if the server can't read the key? Nest uses URL Hash Fragments to facilitate peer-to-peer sharing.

  1. You select a file to share. Your browser generates a unique, temporary Share Key.
  2. The browser encrypts the specific File Key with this new Share Key and uploads this new "Share Pointer" to the server.
  3. The browser generates a link: nest.lazybird.io/share/ID#ShareKey
  4. When the recipient clicks the link, their browser fetches the Share Pointer.
  5. Crucially: The `#ShareKey` fragment is never sent to the server (by HTTP design). The recipient's browser uses it to decrypt the File Key, and then decrypts the file stream entirely locally.
Key Hierarchy

Root Derivation (Argon2id)

When you log in, your password is processed locally using the Argon2id memory-hard hashing function.

RootKey = Argon2id(Password, Salt, { iterations: 3, memory: 64MB, parallelism: 4 })
AuthHash = BLAKE2b("auth_" + RootKey)
WrappingKey = BLAKE2b("wrap_" + RootKey)

Open-Source Engine

The heart of Nest is @lazybird-inc/nest-crypto. It handles key derivation, file encryption, and master key wrapping using Argon2id and XChaCha20-Poly1305.

We load this exact engine in your browser directly from a public CDN using Subresource Integrity (SRI) hashes. This mathematically proves that the engine running in your browser matches the public, auditable source code exactly.

<!-- Loaded in Nest's index.html -->
<script 
  src="https://unpkg.com/@lazybird-inc/nest-crypto" 
  integrity="sha384-..."
></script>

Cryptographic Suite

LayerAlgorithm
Password HashingArgon2id (hash-wasm)
Key WrappingXChaCha20-Poly1305
File EncryptionXChaCha20-Poly1305 (SecretStream)
Hashing & DerivationBLAKE2b