Mountain lake surrounded by evergreen forest

Technical architecture

How Sharebox encrypts a transfer.

The transfer pipeline is designed so plaintext and raw content keys remain at the endpoints. Every stored or transported file object is already encrypted and authenticated.

1. Generate

The sender browser generates a fresh random 256-bit file key and per-file encryption parameters.

2. Encrypt

The file is split into bounded chunks. Each chunk is encrypted and authenticated with AES-GCM before upload.

3. Protect metadata

Filename and MIME type are encrypted using the file key. Storage receives encrypted metadata.

4. Wrap the key

A transfer secret derives a separate wrapping key using PBKDF2-SHA-256. That key encrypts the raw file key.

5. Store ciphertext

R2 receives encrypted chunks. Supabase records opaque object identifiers, encrypted metadata, and the wrapped key.

6. Deliver separately

Email carries the base transfer page and unlock code. The sender shares the private URL fragment through a separate trusted channel.

7. Decrypt locally

After delivery checks, the recipient downloads ciphertext and unwraps and decrypts it inside the browser.

Fresh keys

Each file receives its own random key, limiting the effect of a single key compromise.

Authenticated encryption

AES-GCM rejects modified ciphertext, metadata, keys, or authentication tags.

Private storage

R2 remains private and serves ciphertext only through scoped upload capabilities and grant-checked downloads.