A production-grade AES-GCM Envelope Encryption Data Plane gated by a Shamir's Secret Sharing (SSS) Key Management System (KMS).
CryptGuard solves the "single point of failure" problem in standard encryption systems by distributing trust. The Master Key that protects the entire data plane never exists on disk. It is mathematically split across multiple administrators and is only reconstructed in volatile memory when the required threshold of shares is provided.
- Shamir-Gated KMS: The 256-bit Master Key is split into `N` shares, of which any `K` (the threshold) are required to unlock.
- Envelope Encryption Architecture:
  - Master Key -> encrypts -> Key Encryption Keys (KEK)
  - KEK -> encrypts -> Data Encryption Keys (DEK)
  - DEK -> encrypts -> Data
- Authenticated Encryption (AEAD): All layers use AES-256-GCM. Any bit-flipping or tampering immediately fails decryption via GCM authentication tags.
- Cryptographic Audit Log: Every action (Initialize, Unlock, Lock, Encrypt, Decrypt) is deterministically logged.
- Zero-Knowledge Storage: Encrypted files are stored on disk as raw ciphertext blobs. The database holds only the metadata (IVs, KEK-wrapped DEKs, KEK references), never plaintext keys or data.
```
[ Admin Shares (x/y) ] --> ( SSS Reconstruction ) --> [ Volatile Master Key ]
                                                               |
                                                               v
[ User Payload ] --> ( AES-GCM DEK ) --> [ Storage ]      [ KEKs DB ]
        |                                                      |
        +------------------( Encrypted By )--------------------+
```
- Docker & Docker Compose
- Clone the repository and enter the directory.
- Spin up the platform:
  ```sh
  docker-compose up -d
  ```
- Access the KMS Management Console: http://localhost:5000
- Memory Safety: The Master Key is destroyed from memory immediately upon pressing "Lock KMS".
- Mathematical Trust: SSS operations are performed over a strict 256-bit prime field (`GF(2^256 - 189)`).
- Nonce Misuse Resistance: Every encryption operation (DEK, KEK, or File) generates a fresh 96-bit cryptographically secure random nonce (`os.urandom(12)`).