Skip to content

Architecture

VaultStream's architecture is built around three core principles: zero-knowledge encryption, per-session access control, and hardware-accelerated media processing.

System Overview

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│   Encoder    │────▶│  Origin      │────▶│  CDN Edge    │
│   Farm       │     │  Storage     │     │  (Multi-PoP) │
└──────────────┘     └──────────────┘     └──────────────┘
       │                     │                     │
       ▼                     ▼                     ▼
  Intel QSV              ZFS RAIDZ2           Per-user subdomain
  NVIDIA NVENC           AES-256 at rest      TLS 1.3 + PFS
  VAAPI                  Immutable snapshots   Geo-routing

Component Layers

1. Ingestion Layer

Content enters the platform through one of several supported paths:

  • REST API (POST /v1/content/upload) — Direct HTTP upload, multipart form data
  • Watch Folders — Filesystem monitoring for automated batch ingestion
  • Cloud Storage Monitors — S3/GCS bucket polling with IAM role integration
  • Feed Import — RSS/Atom feed polling for syndicated content
  • FTP Drop Zones — Legacy protocol support for enterprise migration

All ingestion paths support custom metadata extraction via pluggable Metadata Providers.

2. Transcoding Layer

Raw source files are transcoded into an adaptive bitrate HLS ladder. The transcoding farm supports:

Codec Hardware Acceleration Typical Use
H.264 (AVC) Intel QSV, VAAPI, NVIDIA NVENC Universal compatibility
H.265 (HEVC) Intel QSV, NVIDIA NVENC 4K UHD, bandwidth-constrained
AV1 Software (SVT-AV1) Future-compatible archive

Transcoding profiles are fully customizable. See Transcoding Profiles.

The default HLS ladder produces:

Resolution Bitrate (kbps) Codec Audio
1920×1080 5000 H.264 AAC 192k
1280×720 2800 H.264 AAC 128k
854×480 1400 H.264 AAC 96k
640×360 800 H.264 AAC 64k

3. Encryption Layer

Encryption is applied during segmentation, not as a post-processing step:

  1. Key Generation — A unique 128-bit AES key is generated per content item
  2. Key Encryption — The content key is wrapped with a per-session key derived from the viewer's authenticated session
  3. Segment Encryption — Each .ts segment is encrypted with AES-128-CBC
  4. Key Delivery — The wrapped key is delivered via a short-lived, cryptographically signed URL

CYFR never stores unwrapped content keys. The decryption chain requires the viewer's valid session token — without it, segments are ciphertext.

4. Delivery Layer

Content is delivered through a geographically distributed CDN with per-user subdomain assignment:

  • Each customer account receives a dedicated CDN subdomain ({account_hash}.cdn.cyfr.technology)
  • HLS manifests and segments are served with short-lived signed URLs
  • All transport uses TLS 1.3 with perfect forward secrecy
  • CDN nodes cache encrypted segments only — no plaintext content exists at the edge

5. Access Control

Every playback request is authorized at three points:

  1. Session Validation — JWT or API token must be valid and unexpired
  2. Content Authorization — Viewer must have content:read permission for the requested content
  3. Key Authorization — Segment decryption key is delivered only after both prior checks pass

Access decisions are logged to an immutable append-only audit ledger. See Audit Logging.

Data Isolation

VaultStream enforces strict data isolation:

  • Each customer account has a dedicated encryption key namespace
  • Content from one account cannot be accessed by another
  • CDN subdomains are non-enumerable
  • MSP tenants are fully isolated — no shared storage, no shared keys, no shared CDN namespace

Failure Domains

Component Redundancy RPO RTO
Origin Storage ZFS RAIDZ2 (any 2 disks) 0 < 60s
Transcode Farm N+1 worker pool Job restart < 5 min
CDN Edge Multi-PoP (3+ regions) 0 < 30s
API Gateway Active-active (2+ nodes) 0 < 10s
Database Streaming replication < 1s < 30s