Security Architecture Whitepaper

1. Design goals & threat model

FileShot is designed primarily to protect file confidentiality: the contents of a file should be inaccessible to anyone who does not hold the decryption key, including the file-sharing infrastructure itself.

Primary goals

• Zero-knowledge storage: the server stores only ciphertext. No decryption key ever reaches the server.
• Client-side encryption: all cryptographic operations (key generation, encryption, decryption) happen inside the user's browser using the Web Crypto API.
• Standards-based primitives: use only well-reviewed, hardware-accelerated cryptographic algorithms available in window.crypto.subtle.
• Key isolation via URL fragment: keys encoded in the #fragment portion of URLs are not sent in HTTP requests and therefore do not appear in server logs.
• Forward secrecy per file: each file uses a unique, randomly generated symmetric key (link-key mode) or a freshly derived key with a unique random salt (password mode).

Threat model — protected against

• Server-side database compromise (attacker obtains stored blobs — gets only ciphertext)
• Server-side log inspection (keys are never in HTTP request paths or headers)
• Passive network interception (HTTPS + key-in-fragment prevents plaintext exposure)
• Server operator curiosity (design prevents even infrastructure staff from accessing file contents)

Threat model — not designed to protect against

• Endpoint compromise (malware on uploader's or downloader's device)
• Browser extension attacks that intercept Web Crypto API calls
• Sharing a link & passphrase with an unauthorized party
• Side-channel attacks against the browser's Web Crypto implementation

2. Cryptographic primitives

All operations use the W3C Web Crypto API (window.crypto.subtle) — the same API used by password managers, banking apps, and enterprise security products in modern browsers. No third-party cryptographic libraries are used for symmetric encryption.

3. Key management: link-key mode vs. password mode

FileShot supports two zero-knowledge encryption modes, which differ in how the decryption key is managed.

3.1 Link-key mode (default)

In link-key mode, a random 256-bit AES-GCM key is generated entirely inside the browser using crypto.subtle.generateKey. The key is never set by the user and never derived from a password.

1. Browser calls crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt","decrypt"])
2. Key is exported as raw bytes and encoded as base64url
3. File is encrypted with this key (see —4§4 for streaming protocol)
4. Encrypted file is uploaded to the server; key is never sent
5. Share link is constructed as https://fileshot.io/d/<fileId>#k=<base64url-key>
6. The #fragment is processed entirely by the recipient's browser — it is never included in HTTP requests to the server

3.2 Password mode

In password mode, the user sets a passphrase. The encryption key is derived from that passphrase — it is never stored anywhere, not even in the URL fragment.

1. User enters a passphrase in the browser
2. A 256-bit random salt is generated: crypto.getRandomValues(new Uint8Array(32))
3. Argon2id (memory: 64 MB, iterations: 2, parallelism: 1) derives a 256-bit AES-GCM key from passphrase + salt
4. File is encrypted with the derived key; salt is stored with (but separate from) the ciphertext
5. The passphrase is never sent to the server; neither is the derived key
6. Recipients enter the passphrase; the browser re-derives the identical key from passphrase + stored salt

3.3 Password + server-side access gate (dual protection)

When password protection is enabled, FileShot also stores a bcrypt hash of the password server-side. This adds a server-side gate: the server refuses to serve the encrypted blob unless the downloader first proves knowledge of the password (without the server learning the password). This is in addition to — and not a replacement for — the client-side Argon2id encryption. Even if someone bypasses the server gate, they still need the password to decrypt the file.

4. Streaming chunked encryption protocol

FileShot uses a custom streaming container format (FSZK) to support large file encryption without loading the entire file into memory. Standard large-file transfers use a streaming pipeline.

Container format (magic: FSZK, version 1)

• 4-byte magic: FSZK (ASCII)
• 1-byte version: 0x01
• 4-byte uint32 header length (little-endian)
• Variable-length JSON header (metadata: original filename, MIME type, salt, chunk size, total chunks)
• Concatenated encrypted chunks

Per-chunk encryption

• Default chunk size: 512 KB
• Each chunk is encrypted independently with AES-256-GCM
• Each chunk receives a unique 96-bit IV generated via crypto.getRandomValues
• IV is prepended to the encrypted chunk bytes (IV | ciphertext | auth-tag)
• Auth tag is 128 bits — any bit-flip in any chunk is detected and decryption is aborted

5. Upload & download data flows

Upload flow (link-key mode)

1. User selects file(s) in browser
2. Browser generates 256-bit AES-GCM key via crypto.subtle.generateKey
3. File is chunked (512 KB chunks) and encrypted in a streaming pipeline — never fully loaded into memory
4. Encrypted container (FSZK) is uploaded to api.fileshot.io over HTTPS
5. Server stores the encrypted blob and returns a unique file identifier
6. Browser constructs share URL: https://fileshot.io/d/<id>#k=<base64url-key>
7. Key is displayed only in the browser — never logged, transmitted, or stored on the server

Download flow

1. Recipient opens the share URL; browser extracts key from #fragment (never sent to server)
2. Browser fetches the encrypted blob from api.fileshot.io
3. Browser decrypts chunk-by-chunk, verifying the GCM auth tag on each chunk
4. Decrypted plaintext is streamed to disk — server at no point handles plaintext

6. Server-side architecture & what the server sees

The FileShot backend is a Node.js API (api.fileshot.io). The following table summarizes exactly what the server has access to for zero-knowledge uploads:

7. Data residency & infrastructure

FileShot's primary storage and compute infrastructure is located in the United States. Files and metadata are stored on servers operated and controlled exclusively by FileShot.io — no third-party cloud storage providers (such as AWS S3 or Google Cloud Storage) handle your file data.

Infrastructure components

• File storage: FileShot-operated servers, United States
• CDN & DDoS protection: Cloudflare — global edge network; Cloudflare receives only encrypted ciphertext in transit
• TLS termination: at Cloudflare edge (TLS 1.2 minimum; TLS 1.3 preferred); traffic between Cloudflare and origin is also encrypted
• Payment processing: Stripe — no card data touches FileShot servers

Data retention

• Files are automatically deleted at the expiration time set by the uploader (minimum 1 hour, default 180 days)
• Free accounts: files deleted after expiry with no recovery
• Pro accounts: configurable expiry including never-expire
• On-demand deletion: uploaders with accounts can delete files immediately from their dashboard

8. Transport security

• HTTPS everywhere: all FileShot properties enforce HTTPS; HTTP requests are redirected
• HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains prevents protocol downgrade attacks
• TLS version: TLS 1.2 minimum; TLS 1.3 preferred
• HPKP: not used (deprecated across browsers)
• Certificate authority: Cloudflare-issued certificates, renewed automatically
• Mixed-content protection: the application makes no HTTP requests to load resources

9. Threat model & mitigations

10. Known limitations

• No content-based malware scanning: all uploads are zero-knowledge encrypted, meaning the server only receives ciphertext. Content-based AV scanning cannot inspect encrypted blobs. Abuse prevention relies on file-type enforcement, metadata analysis, and behavioral signals.
• Fragment security depends on recipient behavior: if a recipient pastes the full URL (including fragment) into a chat, email, or document, the key is exposed to whatever reads that message.
• Post-quantum considerations: AES-256-GCM is considered quantum-resistant for symmetric encryption (Grover's algorithm halves key strength to 128 effective bits, still secure). Argon2id is not post-quantum, but key derivation is symmetric — the primary exposure would be harvest-now-decrypt-later scenarios, which are mitigated by unique salts and short file expiry.
• Browser supply-chain trust: if the FileShot web application is compromised (e.g., via a malicious JavaScript injection), client-side encryption could be bypassed. This risk is common to all browser-based cryptographic applications and is not unique to FileShot.
• No formal audit has been conducted (as of this document's publication date). The crypto library is open-source for independent review.

11. Independent verification

FileShot's zero-knowledge encryption library is open source and independently verifiable:

• Open-source library: github.com/FileShot/FileShotZKE
• Interactive verification tool: fileshot.io/verify-encryption — encrypt and decrypt files in your browser to confirm the implementation
• Security contact: Responsible Disclosure — report vulnerabilities to our security team