All secrets are encrypted client-side using the project key (PSK - Project Secret Key) before transmission. The encryption process uses authenticated encryption with a unique nonce for each secret version, ensuring that identical secrets produce different ciphertexts.

The server stores only three pieces of data for each secret:

• encrypted_value - The encrypted secret value (binary)
• nonce - The unique nonce used for encryption (binary)
• key - The secret identifier/name (string)

The server cannot decrypt secrets because it never receives the project key in plaintext. Each device has its own wrapped copy of the project key, encrypted with that device's X25519 public key.

When a project key is initialized, it is encrypted (wrapped) using each authorized device's X25519 public key. The wrapped key is stored in the project_keys table as wrapped_project_key (binary).

Key wrapping ensures that:

• Each device can only unwrap its own copy of the project key using its private X25519 key
• The server never sees the plaintext project key
• When a device is removed, only that device's wrapped key needs to be deleted
• Project keys can be versioned to support rotation without re-encrypting all secrets

The project key version is tracked separately, allowing for key rotation while maintaining access to secrets encrypted with previous key versions during the transition period.

Each device uses two key pairs:

• Ed25519 - Used for signing HTTP requests to authenticate the device. The public key is stored on the server for signature verification.
• X25519 - Used for encrypting/wrapping project keys. The public key is stored on the server to enable key wrapping for that device.

Private keys are generated locally and stored in the OS keychain (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). The server only stores public keys, which cannot be used to decrypt data or forge signatures.

When a device makes a request, it signs the request body, headers, and timestamp with its Ed25519 private key. The server verifies the signature using the stored public key, ensuring the request came from an authorized device.

Each secret has a version field that increments with each update. The database enforces uniqueness on the combination of project_id, key, and version, ensuring all versions are preserved.

When retrieving secrets, the system returns the latest version (highest version number) for each secret key. Historical versions remain accessible for audit purposes and can be queried separately.

Each secret version records:

• The device that created it (created_by_device_id)
• Timestamp of creation
• The encrypted value and nonce for that specific version

Secrets can be soft-deleted by setting a deleted_at timestamp, which removes them from active queries while preserving the encrypted data for recovery if needed.

Access control operates at three layers:

1. Project Membership - Users must be members of a project with appropriate roles (owner, admin, or member). Membership is managed through project invitations and role assignments.
2. Device Authorization - Each device must be explicitly approved for access. Device approval workflows ensure that only trusted devices can access project secrets.
3. Project Key Access - Even with membership and device approval, a device must have a wrapped copy of the project key to decrypt secrets. Without the wrapped key, the device cannot unwrap the project key and therefore cannot decrypt any secrets.

This multi-layer approach ensures that compromising one layer (e.g., a user account) does not automatically grant access to secrets. The device must still be authorized and have the wrapped project key.