# Local Data Encryption

## Overview

GetTrusted uses **AES-256-GCM encryption** with hardware-generated keys for all local databases.\
This ensures that even if a device is compromised, sensitive user data remains unreadable without the hardware-protected key.

## Process Flow

```mermaid
flowchart TD
  A[First Run] --> B[Generate 32-byte AES Key<br>• Hardware RNG]
  B --> C[Store in Secure Keychain / Keystore]
  C --> D[Encrypt Data<br>• AES-256-GCM + Nonce 12 bytes]
  D --> E[Store Encrypted Blob<br>• nonce + ciphertext + tag]
  E --> F[Decrypt as Needed<br>• Reverse process using stored key]
```

## Cryptographic Summary

| Component  | Algorithm        | Size     | Storage Location       | Purpose                          |
| ---------- | ---------------- | -------- | ---------------------- | -------------------------------- |
| RNG        | Hardware RNG     | 256 bit  | N/A                    | Entropy source                   |
| Encryption | AES-GCM          | 256 bit  | Keychain / Keystore    | Data confidentiality + integrity |
| Nonce      | Random 12 bytes  | 96 bit   | Stored with ciphertext | Prevent reuse                    |
| Tag        | AES-GCM Auth Tag | 128 bit  | Stored with ciphertext | Integrity verification           |

{% hint style="info" %}
Security Guarantees

* Encryption keys are generated and stored **in hardware**; they never leave the secure element.
* Every record is encrypted with a **unique nonce**, ensuring semantic security.
* **Authenticated encryption (GCM)** detects tampering with stored data.
* Decryption requires both the stored key and correct device context.
{% endhint %}

{% hint style="success" %}
Strategic Implications

This design makes local compromise worthless — stolen databases are cryptographically inert.\
It demonstrates GetTrusted’s commitment to privacy-by-default, not as an afterthought.
{% endhint %}


