Architecture¶
VaultStream's architecture is built around three core principles: zero-knowledge encryption, per-session access control, and hardware-accelerated media processing.
System Overview¶
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Encoder │────▶│ Origin │────▶│ CDN Edge │
│ Farm │ │ Storage │ │ (Multi-PoP) │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
▼ ▼ ▼
Intel QSV ZFS RAIDZ2 Per-user subdomain
NVIDIA NVENC AES-256 at rest TLS 1.3 + PFS
VAAPI Immutable snapshots Geo-routing
Component Layers¶
1. Ingestion Layer¶
Content enters the platform through one of several supported paths:
- REST API (
POST /v1/content/upload) — Direct HTTP upload, multipart form data - Watch Folders — Filesystem monitoring for automated batch ingestion
- Cloud Storage Monitors — S3/GCS bucket polling with IAM role integration
- Feed Import — RSS/Atom feed polling for syndicated content
- FTP Drop Zones — Legacy protocol support for enterprise migration
All ingestion paths support custom metadata extraction via pluggable Metadata Providers.
2. Transcoding Layer¶
Raw source files are transcoded into an adaptive bitrate HLS ladder. The transcoding farm supports:
| Codec | Hardware Acceleration | Typical Use |
|---|---|---|
| H.264 (AVC) | Intel QSV, VAAPI, NVIDIA NVENC | Universal compatibility |
| H.265 (HEVC) | Intel QSV, NVIDIA NVENC | 4K UHD, bandwidth-constrained |
| AV1 | Software (SVT-AV1) | Future-compatible archive |
Transcoding profiles are fully customizable. See Transcoding Profiles.
The default HLS ladder produces:
| Resolution | Bitrate (kbps) | Codec | Audio |
|---|---|---|---|
| 1920×1080 | 5000 | H.264 | AAC 192k |
| 1280×720 | 2800 | H.264 | AAC 128k |
| 854×480 | 1400 | H.264 | AAC 96k |
| 640×360 | 800 | H.264 | AAC 64k |
3. Encryption Layer¶
Encryption is applied during segmentation, not as a post-processing step:
- Key Generation — A unique 128-bit AES key is generated per content item
- Key Encryption — The content key is wrapped with a per-session key derived from the viewer's authenticated session
- Segment Encryption — Each
.tssegment is encrypted with AES-128-CBC - Key Delivery — The wrapped key is delivered via a short-lived, cryptographically signed URL
CYFR never stores unwrapped content keys. The decryption chain requires the viewer's valid session token — without it, segments are ciphertext.
4. Delivery Layer¶
Content is delivered through a geographically distributed CDN with per-user subdomain assignment:
- Each customer account receives a dedicated CDN subdomain (
{account_hash}.cdn.cyfr.technology) - HLS manifests and segments are served with short-lived signed URLs
- All transport uses TLS 1.3 with perfect forward secrecy
- CDN nodes cache encrypted segments only — no plaintext content exists at the edge
5. Access Control¶
Every playback request is authorized at three points:
- Session Validation — JWT or API token must be valid and unexpired
- Content Authorization — Viewer must have
content:readpermission for the requested content - Key Authorization — Segment decryption key is delivered only after both prior checks pass
Access decisions are logged to an immutable append-only audit ledger. See Audit Logging.
Data Isolation¶
VaultStream enforces strict data isolation:
- Each customer account has a dedicated encryption key namespace
- Content from one account cannot be accessed by another
- CDN subdomains are non-enumerable
- MSP tenants are fully isolated — no shared storage, no shared keys, no shared CDN namespace
Failure Domains¶
| Component | Redundancy | RPO | RTO |
|---|---|---|---|
| Origin Storage | ZFS RAIDZ2 (any 2 disks) | 0 | < 60s |
| Transcode Farm | N+1 worker pool | Job restart | < 5 min |
| CDN Edge | Multi-PoP (3+ regions) | 0 | < 30s |
| API Gateway | Active-active (2+ nodes) | 0 | < 10s |
| Database | Streaming replication | < 1s | < 30s |