Skip to content

CYFR Vault Architecture

Encryption Flow

User Device                    CYFR Infrastructure
┌──────────┐                   ┌──────────────┐
│ File     │                   │              │
│   ↓      │                   │  Ciphertext  │
│ AES-256- │─── encrypted ────▶│  Storage     │
│ GCM      │    blob + IV      │  (ZFS)       │
│   ↓      │                   │              │
│ Key stays│                   │  No keys     │
│ on device│                   │  on server   │
└──────────┘                   └──────────────┘

Storage Architecture

CYFR Vault stores data on ZFS RAIDZ2 (dual-parity) pools with:

  • Compression — LZ4 inline compression on all datasets
  • Snapshots — Rolling 14-day automated snapshots for point-in-time recovery
  • Scrubs — Monthly integrity verification of all stored data
  • Encryption at rest — Native ZFS encryption (aes-256-gcm) in addition to client-side encryption

Data Isolation

Each customer account has a dedicated storage namespace. No shared tenancy at the storage layer. Customer A's ciphertext is physically separated from Customer B's ciphertext.

Access Control

┌──────────┐     ┌──────────────┐     ┌──────────────┐
│ Identity │────▶│ Authorization│────▶│ Storage      │
│ Provider │     │ Service      │     │ Access       │
│ (SAML/   │     │ (Policy      │     │ (Get/Put     │
│  OIDC)   │     │  Engine)     │     │  blob)       │
└──────────┘     └──────────────┘     └──────────────┘

Replication & Backup

Feature Method RPO RTO
Intra-region Synchronous write to 2 nodes 0 < 5s
Cross-region Async replication, 15-min lag 15 min < 60 min
Backup Daily ZFS snapshots, 90-day retention 24 hr < 4 hr
Disaster Recovery Cross-region restore 24 hr < 8 hr

Demo

See encryption in action: cyfr.technology/demo/vault