User signupCopied!

• User Key Pair is generated on the client

• Password Key is derived from the user provided password

• User Private Key is encrypted with Password Key and securely stored on Tusky server

User loginCopied!

• Once the user authenticated, the encrypted User Private Key is retrieved from Tusky server

• User provides their password and derives Password Key

• User decrypts their User Private Key locally using Password Key

Private vault creationCopied!

• The user generates Vault Key Pair

• Vault Public Key - used to encrypt DEKs

  • Vault Private Key - used to decrypt DEKs

• The user encrypts Vault Private Key with User Public Key

Sharing private vaultCopied!

• The Vault Private Key is encrypted with the invited member public key (their personal User Public Key)

• The encrypted Vault Private Key is shared with the invited member

• The member can decrypt Vault Private Key by using their personal User Private Key

Revoking access to the private vaultCopied!

• a new Vault Key Pair is generated - Vault Private Key & Vault Public Key

• the new Vault Private Key is encrypted for all active members

• all data exchanged in the vault is henceforth encrypted with the new Vault Public Key

Sharing and accessing the data within the private vaultCopied!

• To share a data, new fresh DEK is generated and used to encrypt the data

• The DEK is encrypted with the current Vault Public Key

• Any user with access to the corresponding Vault Private Key can decrypt the DEK and use the DEK to decrypt the actual data

Key rotationCopied!

While revoking a member from a vault, a new Vault Key Pair is generated and distributed to all valid vault members.

Previously shared keys of revoked member are deleted from Tusky server and are no longer served.

Vault owner has also a possibility to rotate Vault Key Pair on demand.