arkivQ · Sovereign Digital Ark Documents

Your plaintext never reaches our server.

Encryption runs in the browser. The engine boots sealed and needs three of five keys to wake. Every action signs itself into an audit chain you can verify offline.


Three signature claims

Sovereignty proves itself.

Three claims, each with one paragraph of plain-language proof — grounded in the actual architecture, not aspiration.

Your plaintext never reaches our server.

Encryption happens in the recipient's and owner's browser via a Rust-compiled WASM module. The server receives ciphertext on upload and only re-wraps keys for authorized recipients — held in memory only long enough to compute, then erased.

The server cannot decrypt without you.

The engine starts sealed. Three of five Shamir shares — held by three different people — unseal it. A stolen running container is inert. A stolen database dump is inert.

Every action is verifiable, even offline.

A standalone binary walks the signed audit chain on a laptop with no network, no private keys, no trust in the running server.

What you get

Ten capabilities, all from the real architecture.

Every card describes a behaviour the engine ships today — not a roadmap promise.

01

Plaintext never on the server

Encryption happens in the recipient's and owner's browser via a Rust-compiled WASM module. The server receives ciphertext on upload and only re-wraps keys for authorized recipients — held in memory only long enough to compute, then erased.

02

Boot locked. Unseal with three keys.

The engine starts sealed. Three of five Shamir shares — held by three different people — unseal it. A stolen running container is inert. A stolen database dump is inert.

03

Audit that proves itself, offline

Every action chains to the previous with a hybrid signature. An auditor can verify the chain on a laptop with no network, no private keys, no trust in the running server. The audit table is read-only at the database role level.

04

Quantum-ready, today

Hybrid encryption combines X25519 with ML-KEM-768 (NIST FIPS 203). Hybrid signatures combine Ed25519 with ML-DSA-65 (FIPS 204). One algorithm falling does not unlock your archive.

05

Decide who, when, and from where

Time windows, IP ranges, maximum-use counts, and reusable hash-pinned templates. The use-count decrement, the policy evaluation, and the audit row commit atomically — no race, no double-spend.

06

Share to outsiders, link-leak-proof

The share link is only an identifier. Access requires a six-digit code, mailed separately to the bound recipient — hashed in storage, single-use, attempt-capped, rate-limited, ten-minute TTL.

07

View without ever downloading

Documents render in the browser, watermarked with recipient email and timestamp, inside the granted access window only. On Windows desktop, the viewer is excluded from screen captures by the OS. On macOS, active recording is detected and the watermark ramps in visibility.

08

One ingress, no extra doors

A single TLS endpoint fronts everything. The database, blob store, document server, render pipeline, and mailer have no host port exposed. Even encrypted blobs proxy through an auth-gated server endpoint.

09

Drop into your directory

LDAPS bind authentication runs side-by-side with local accounts. New directory users are created on first login; users who leave the directory are soft-disabled — audit history and document ownership are never deleted.

10

Make it your platform

Your super-admin uploads a logo, sets a name, picks an accent. The whole application — login, admin, viewer, emails, favicon, app icon — rebrands in place.

A document's journey

Five steps, no plaintext on the wire.

  1. Upload

    Owner's browser seals the file (WASM).

  2. Policy

    Access rules bind every release.

  3. Release

    Recipient's browser unwraps the key.

  4. View

    In-browser, watermarked, access-window bounded.

  5. Audit

    Every action signs into the chain.

The desktop companion

macOS and Windows, signed in with the same identity.

macOS and Windows clients, signed in with the same identity as the web.

  • Native OIDC login via the desktop's own browser.
  • Windows: the viewer is excluded from screen captures by SetWindowDisplayAffinity(WDA_EXCLUDEFROMCAPTURE).
  • macOS: active screen recording is detected; the watermark ramps in visibility.
  • Clipboard cleared and blocked while the viewer is focused.
  • Decryption runs natively via the same Rust crate as the WASM module — byte-level conformance fixtures keep them in sync.

Built to be inspected

Open source. Verifiable. Documented.

Cross-language conformance fixtures (Go · Rust · WASM) live in testdata/conformance/. The wire format is in docs/CRYPTO.md. The threat model — including what we do not defend against — is in docs/SECURITY.md. The audit chain is verifiable offline with cmd/audit-verify. Repository: github.com/rakasatria/drm.
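
The offline audit check described under capability 03, reduced to a Go sketch that is added here and is not the project's code or wire format. Entry, Digest, Append and Verify are hypothetical names, and the sketch signs with Ed25519 only where the page describes a hybrid with ML-DSA-65.

```go
// Added sketch, not arkivQ's wire format. Assumption: each entry signs
// SHA-256(prev || action) with Ed25519 only; the ML-DSA-65 half is omitted.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Entry struct { // hypothetical audit row
	Prev   [32]byte // digest of the previous entry, zero for the first
	Action string
	Sig    []byte // signature over Digest()
}

// Digest binds the action to its predecessor.
func (e Entry) Digest() [32]byte {
	return sha256.Sum256(append(e.Prev[:], e.Action...))
}

// Append signs a new entry linked to the current tail.
func Append(chain []Entry, priv ed25519.PrivateKey, action string) []Entry {
	e := Entry{Action: action}
	if n := len(chain); n > 0 {
		e.Prev = chain[n-1].Digest()
	}
	d := e.Digest()
	e.Sig = ed25519.Sign(priv, d[:])
	return append(chain, e)
}

// Verify needs only the public key; returns the first bad index, or -1.
func Verify(chain []Entry, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range chain {
		d := e.Digest()
		if e.Prev != prev || !ed25519.Verify(pub, d[:], e.Sig) {
			return i
		}
		prev = d
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	chain := Append(Append(nil, priv, "upload doc-1"), priv, "view doc-1") // constructed
	chain[1].Action = "view doc-2" // simulate a tampered row
	fmt.Println("first bad entry:", Verify(chain, pub))
}
```

A chain cut short at the tail still verifies in this sketch, so an auditor also needs the expected head digest or entry count from a separate record.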