Data Encryption

Learn how EDS protects your sensitive storage credentials using industry-standard encryption.

Token Protection

Each storage node in EDS authenticates to Google with an OAuth access_token and refresh_token. These tokens are as sensitive as passwords, so EDS encrypts them before saving them to the database.

Algorithm

EDS uses **AES-256-GCM** (Advanced Encryption Standard in Galois/Counter Mode).

  • AES-256: AES with a 256-bit key, the largest key size the standard defines.
  • GCM Mode: Ensures both confidentiality and authenticity (detects tampering).

Encryption Process

  1. EDS generates a random **Initialization Vector (IV)** for every encryption.
  2. The token is encrypted using the ENCRYPTION_KEY and the IV.
  3. The IV, Authentication Tag, and Encrypted Content are stored together in the database.
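The three steps above, as an added example in Node.js (this is not EDS source code). The function names, the 12-byte IV, the 64-hex-character key format and the dot-separated base64 record layout are assumptions made for illustration.

```javascript
// Added example: AES-256-GCM token encryption following the steps above.
// Not EDS's own code; names and the stored record format are assumptions.
const crypto = require("node:crypto");

const IV_BYTES = 12;  // 96-bit IV, the size GCM is designed around
const TAG_BYTES = 16; // 128-bit authentication tag

// Assumption: ENCRYPTION_KEY is supplied as 64 hex characters (32 bytes).
function loadKey(hex) {
  if (!/^[0-9a-fA-F]{64}$/.test(hex || "")) {
    throw new Error("ENCRYPTION_KEY must be 64 hex characters (32 bytes)");
  }
  return Buffer.from(hex, "hex");
}

// Steps 1-3: fresh random IV, encrypt, then pack IV + tag + ciphertext.
function encryptToken(plaintext, key) {
  const iv = crypto.randomBytes(IV_BYTES); // never reuse an IV under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, tag, ct].map((b) => b.toString("base64")).join(".");
}

// Reverse of encryptToken. Throws if the record was modified or the key is wrong.
function decryptToken(stored, key) {
  const parts = String(stored).split(".");
  if (parts.length !== 3) throw new Error("malformed record");
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  // Pin the tag length so a truncated (weaker) tag is rejected outright.
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error("malformed record");
  }
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, {
    authTagLength: TAG_BYTES,
  });
  decipher.setAuthTag(tag);
  // final() verifies the tag; no plaintext is returned if verification fails.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Typical wiring (key comes from the environment, not the database):
//   const key = loadKey(process.env.ENCRYPTION_KEY);
//   const record = encryptToken(refreshToken, key);
```

Because the IV is random per call, encrypting the same token twice yields different records, and any change to the stored IV, tag or ciphertext makes decryptToken throw instead of returning altered data.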

Encryption Key Management

The ENCRYPTION_KEY is defined via environment variables. It is never stored in the database.

Security Note

For maximum security, ensure your ENCRYPTION_KEY is not the same as your SESSION_SECRET or any other application keys.

Google Drive Scope

In addition to database encryption, EDS follows the principle of least privilege by using the drive.file scope.

  • EDS can only see and manage files that it has created.
  • It cannot see your personal photos, emails, or other documents in your Google Drive.
  • Even if a node is compromised, the damage is isolated to files within the EDS ecosystem.
