Client Document Upload

When uploading a document, the users client will store a file key to the encrypted file index, chunk the file (explained below) and encrypt the chunks with the file key.

Encrypted search

  1. The underlying encrypted search implementation parses the document structure (depending on file format, e.g. JSON, XML, etc.)

  2. and creates a list of keywords that were found in the file. This is the search index for this file.

  3. It gets encrypted with the encrypted search key. This is the encrypted index.


  1. The document is split into chunks. Chunks may not have a size exceeding the maximum of 1 MiB each. This is restricted per the Confidential Storage specification document.

  2. Each chunk is individually encrypted with authenticated encryption using a file key.

  3. An index (Resource Structure) is created, which is used to be able to recreate the file from the individual chunks later on. It gets encrypted, then being the encrypted chunk index (Encrypted Resource Structure).

Chunk transmission to the EDV

  1. The encrypted chunks are sent to the EDV using individual request authorizations using ZCaps.

  2. The encrypted chunk index and encrypted search index get stored in the EDV (each also being authorized using ZCap capability invocations).

Last updated