Architecture & Security
Nest is built on a Zero-Knowledge (ZK) security model. This means that the server is "blind" to your data. It facilitates storage and authentication without ever having the technical capability to decrypt your files.
The Zero-Knowledge Model
In traditional cloud storage, the server manages your keys. In Nest, you are the only one who holds the keys.
Client-Side Primacy
Encryption and decryption happen strictly in your browser.
Untrusted Backend
The server is treated as a compromised entity.
No Cleartext Metadata
Filenames and folder structures are always encrypted.
Key Hierarchy
Root Derivation (Argon2id)
When you log in, your password is processed locally using the Argon2id memory-hard hashing function.
AuthHash = Argon2id(Password, Salt, { iterations: 3, memory: 64MB })
RootKey = Argon2id(Password, Salt, { iterations: 3, memory: 64MB, keyLength: 32 })
Cryptographic Suite
| Layer | Algorithm |
|---|---|
| Password Hashing | Argon2id |
| Key Wrapping | XChaCha20-Poly1305 |
| File Encryption | AES-256-GCM / Sodium SecretStream |
| Integrity | SHA-256 / Blake3 |
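
One way a client can meet the "Untrusted Backend" and "No Cleartext Metadata" goals with the AES-256-GCM layer from the table, shown as an added example that is not Nest's own code. The record shape, the `fileId:field` associated data and all function names are assumptions, and a random 32-byte key stands in for a key derived from RootKey.

```javascript
// Added example, not Nest's code. Record shape, AAD layout and names are assumptions.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Encrypt one field. The associated data binds the ciphertext to its file ID and
// field name, so a compromised server cannot move it to another record or slot unnoticed.
function seal(key, fileId, field, plaintext) {
  const nonce = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`${fileId}:${field}`));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]); // nonce | tag | ciphertext
}

// Decrypt one field. Throws if the blob, the file ID or the field name does not match.
function open(key, fileId, field, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${fileId}:${field}`));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Build the record the client uploads: the filename and the content are both opaque.
function buildRecord(key, fileId, name, content) {
  return {
    fileId, // random identifier that carries no meaning
    name: seal(key, fileId, 'name', Buffer.from(name, 'utf8')),
    data: seal(key, fileId, 'data', content),
  };
}

// Client-side read: returns null instead of plaintext when anything was altered.
function readRecord(key, rec) {
  try {
    return {
      name: open(key, rec.fileId, 'name', rec.name).toString('utf8'),
      content: open(key, rec.fileId, 'data', rec.data),
    };
  } catch {
    return null; // authentication failed: wrong key, swapped or modified blob
  }
}

// Constructed sample input: random key and file ID, made-up filename and content.
const key = randomBytes(32);
const rec = buildRecord(key, randomBytes(16).toString('hex'), 'tax-2023.pdf', Buffer.from('constructed sample bytes'));
console.log(readRecord(key, rec).name, rec.name.toString('hex').slice(0, 32));
```

The server stores only `fileId`, `name` and `data`; swapping the two blobs, copying them under another `fileId`, or flipping a single bit makes `readRecord` return `null`.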