Technology

End to End Encryption for Your Documents

The encryption foundation behind every upload, document request, and share in 1Bridge Vault.

01

Encryption happens in your browser

Everything sensitive happens in your browser. Argon2id derives a key-encryption key (KEK) from your password, and your vault's public and private key pair is generated locally. AES-256-GCM encrypts each document, while the KEK encrypts your private key. Only your public key and the encrypted documents reach 1Bridge Vault; your password, KEK, and plaintext never do.

02

Public key locks, private key opens

Each vault has a key pair. The public key locks documents. The private key opens them, and it is guarded by your password. Anyone can lock a file to your public key. Only your private key can open what arrives.

03

How each document is stored

Every document gets its own random AES-256-GCM key. That key is locked to the vault public key before upload. 1Bridge Vault stores only ciphertext and locked keys. Your private key opens documents once the vault is unlocked.

04

Algorithms and guarantees

Without your password, no one can read your documents, including 1Bridge. The mechanisms below are what make that statement precise.

  • Argon2id derives a KEK from your password in the browser; the password is never transmitted.
  • The KEK encrypts the vault private key with AES-256-GCM.
  • HKDF-SHA256 isolates key derivation per vault, so multiple workspaces do not share keys.
  • Each document gets a random AES-256-GCM key, locked to the vault public key.
  • 1Bridge Vault stores ciphertext and locked keys only.

See how this foundation powers each capability

Watermarking, Bitcoin attestation, and delegation build on this encryption model.

Read the capability pillars

Confidentiality by design

Join the waitlist for encrypted sharing, contract signing, and Bitcoin-attested verification in one vault.