|
|
|
|
|
|
by cyberclimb
266 days ago
|
|
|
Hi I'm curious about the encryption system. I found this document https://docs.orbivon.com/getting-started/security#security but wanted to ask where the encryption keys are physically stored and where the decryption happens (server-side vs client side)? I assume the encryption keys are stored encrypted in your database, but what's the (high level) mechanism for decrypting them? Like is the users' password used at login to temporarily load the encryption key in memory? Thanks for any insights Also I like the idea of the encryption but I think the use of LLMs greatly reduces the privacy gained but that's a tradeoff |
|
|
Short answer: Server-side encryption.
Long answer: The main application-level encryption key is stored externally in Doppler. Each project’s encryption key is encrypted using this main key. The main key is loaded as an environment variable when the backend server runs. After a set period (X days), the main key is automatically rotated, and all project keys are re-encrypted with the new main key and updated in Doppler.
Project keys are assigned to specific user accounts, so only the assigned users can decrypt them. The application does not use end-to-end encryption because future planned features require server-side encryption and decryption rather than client-side.
Yes, using LLMs can reduce privacy. To address this, we only send the necessary metadata and selected content to the models. In Ask mode, content is only sent if the user explicitly selects it. Edit mode works the same way: only the specifically selected text or code is passed to the model.
Hope this helps :)