CYFR Vault Architecture
Encryption Flow
User Device                    CYFR Infrastructure
┌──────────┐                   ┌──────────────┐
│   File   │                   │              │
│    ↓     │                   │  Ciphertext  │
│ AES-256- │─── encrypted ────▶│   Storage    │
│   GCM    │    blob + IV      │    (ZFS)     │
│    ↓     │                   │              │
│ Key stays│                   │   No keys    │
│ on device│                   │  on server   │
└──────────┘                   └──────────────┘
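The device-side half of this flow, as an added Go example that is not CYFR's own code: the key is used only locally and the server receives a single opaque blob. The blob layout (IV, then ciphertext, then GCM tag), the `DeviceCipher` type and the use of an object name as associated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DeviceCipher (hypothetical type) holds the AES-256-GCM key on the user's device.
type DeviceCipher struct{ aead cipher.AEAD }

func NewDeviceCipher(key []byte) (*DeviceCipher, error) {
	if len(key) != 32 { // aes.NewCipher also accepts 16/24 bytes; require AES-256
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // only fails on bad key length, checked above
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &DeviceCipher{aead}, nil
}

// Seal returns IV(12) || ciphertext || tag(16) (assumed layout); objectID is assumed AAD.
func (d *DeviceCipher) Seal(plaintext []byte, objectID string) ([]byte, error) {
	iv := make([]byte, d.aead.NonceSize()) // fresh random IV per file, never reused
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return d.aead.Seal(iv, iv, plaintext, []byte(objectID)), nil
}

// Open fails if the stored blob or its objectID was changed after upload.
func (d *DeviceCipher) Open(blob []byte, objectID string) ([]byte, error) {
	n := d.aead.NonceSize()
	if len(blob) < n+d.aead.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return d.aead.Open(nil, blob[:n], blob[n:], []byte(objectID))
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated on the device
	rand.Read(key)
	d, _ := NewDeviceCipher(key)
	blob, _ := d.Seal([]byte("constructed sample file"), "acct-a/report.pdf")
	_, err := d.Open(blob, "acct-b/report.pdf") // blob returned under another name
	fmt.Println(len(blob), err)
}
```

An error from `Open` is the only signal the device gets that stored ciphertext was altered or served under a different name, so callers should treat it as a failed download rather than retry with the tag check relaxed.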
Storage Architecture
CYFR Vault stores data on ZFS RAIDZ2 (dual-parity) pools with:
- Compression — LZ4 inline compression on all datasets
- Snapshots — Rolling 14-day automated snapshots for point-in-time recovery
- Scrubs — Monthly integrity verification of all stored data
- Encryption at rest — Native ZFS encryption (aes-256-gcm) in addition to client-side encryption
Data Isolation
Each customer account has a dedicated storage namespace. No shared tenancy at the storage layer. Customer A's ciphertext is physically separated from Customer B's ciphertext.
Access Control
┌──────────┐     ┌──────────────┐     ┌──────────────┐
│ Identity │────▶│ Authorization│────▶│   Storage    │
│ Provider │     │   Service    │     │    Access    │
│  (SAML/  │     │   (Policy    │     │   (Get/Put   │
│   OIDC)  │     │   Engine)    │     │    blob)     │
└──────────┘     └──────────────┘     └──────────────┘
Replication & Backup
| Feature | Method | RPO | RTO |
|---|---|---|---|
| Intra-region | Synchronous write to 2 nodes | 0 | < 5s |
| Cross-region | Async replication, 15-min lag | 15 min | < 60 min |
| Backup | Daily ZFS snapshots, 90-day retention | 24 hr | < 4 hr |
| Disaster Recovery | Cross-region restore | 24 hr | < 8 hr |
Demo
See encryption in action: cyfr.technology/demo/vault