Local Data Encryption

Secure local storage using hardware-derived AES keys and authenticated encryption.

Overview

GetTrusted uses AES-256-GCM encryption with hardware-generated keys for all local databases. This ensures that even if a device is compromised, sensitive user data remains unreadable without the hardware-protected key.

Process Flow

flowchart TD
  A[First Run] --> B[Generate 32-byte AES Key<br>• Hardware RNG]
  B --> C[Store in Secure Keychain / Keystore]
  C --> D[Encrypt Data<br>• AES-256-GCM + Nonce 12 bytes]
  D --> E[Store Encrypted Blob<br>• nonce + ciphertext + tag]
  E --> F[Decrypt as Needed<br>• Reverse process using stored key]

Cryptographic Summary

| Component | Algorithm | Key Size | Storage Location | Purpose |
|---|---|---|---|---|
| RNG | Hardware RNG | 256 bit | N/A | Entropy source |
| Encryption | AES-GCM | 256 bit | Keychain / Keystore | Data confidentiality + integrity |
| Nonce | Random 12 bytes | 96 bit | Stored with ciphertext | Prevent reuse |
| Tag | AES-GCM Auth Tag | 128 bit | Stored with ciphertext | Integrity verification |

Security Guarantees

  • Encryption keys are generated and stored in hardware; they never leave the secure element.

  • Every record is encrypted with a unique nonce, ensuring semantic security.

  • Authenticated encryption (GCM) ensures that tampering is detected.

  • Decryption requires both the stored key and correct device context.
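The stored blob layout from the process flow (nonce + ciphertext + tag) and the tamper check from the guarantees above, as an added Go example that is not GetTrusted's own code. It assumes a software-generated 32-byte key standing in for the Keychain / Keystore key; the function names NewRecordCipher, SealRecord and OpenRecord are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize, nonceSize, tagSize = 32, 12, 16 // AES-256 key, 96-bit nonce, 128-bit tag

// NewRecordCipher builds AES-256-GCM from a 32-byte key and rejects other key sizes.
func NewRecordCipher(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord draws a fresh random nonce and returns nonce || ciphertext || tag.
func SealRecord(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // Seal appends ciphertext+tag to the nonce
}

// OpenRecord splits the blob and returns an error if the tag does not verify.
func OpenRecord(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob shorter than nonce + tag")
	}
	return aead.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

func main() {
	key := make([]byte, keySize) // constructed stand-in for the Keychain / Keystore key
	rand.Read(key)
	aead, _ := NewRecordCipher(key)
	blob, _ := SealRecord(aead, []byte("constructed sample record"))
	blob[nonceSize] ^= 0x01 // flip one ciphertext bit
	_, err := OpenRecord(aead, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Each stored blob is 28 bytes longer than its plaintext (12-byte nonce plus 16-byte tag), and a caller must treat any OpenRecord error as a corrupted or modified record rather than retrying with partial output.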
