Technical architecture
How Sharebox encrypts a transfer.
The transfer pipeline is designed so plaintext and raw content keys remain at the endpoints. Every stored or transported file object is already encrypted and authenticated.
1. Generate
The sender browser generates a fresh random 256-bit file key and per-file encryption parameters.
2. Encrypt
The file is split into bounded chunks. Each chunk is encrypted and authenticated with AES-GCM before upload.
3. Protect metadata
Filename and MIME type are encrypted using the file key. Storage receives encrypted metadata.
4. Wrap the key
A transfer secret derives a separate wrapping key using PBKDF2-SHA-256. That key encrypts the raw file key.
5. Store ciphertext
R2 receives encrypted chunks. Supabase records opaque object identifiers, encrypted metadata, and the wrapped key.
6. Deliver separately
Email carries the base transfer page and unlock code. The sender shares the private URL fragment through a separate trusted channel.
7. Decrypt locally
After delivery checks, the recipient downloads ciphertext and unwraps and decrypts it inside the browser.
Fresh keys
Each file receives its own random key, limiting the effect of a single key compromise.
Authenticated encryption
AES-GCM rejects modified ciphertext, metadata, keys, or authentication tags.
Private storage
R2 remains private and serves ciphertext only through scoped upload capabilities and grant-checked downloads.
