AES-256-GCM (Advanced Encryption Standard, 256-bit block, Galois/Counter Mode) is one of the strongest authenticated symmetric algorithms available: in addition to encryption, it guarantees through a 128-bit authentication tag that the file has not been tampered with or moved.
256 bits (32 bytes) for the master key and for every derived key.
Each file is encrypted with a dedicated key, produced via HKDF-SHA256 (RFC 5869) from:
Practical consequence: two different files, even when they belong to the same user, are encrypted with two different keys. If, because of a malfunction, the system attempted to read a file that does not belong to the user making the request and to the tool/chat they are currently viewing or using, decryption would fail because the correct key could not be derived, so no content would ever be exposed.
Every file includes the user identifier and the path in its GCM tag, cryptographically binding the content to its context. Moving a file from one folder to another would automatically render the file unreadable.
The master key resides exclusively on the backend infrastructure, separated from the application servers that serve the website. It is requested server-to-server only when needed, with authentication via a shared key, and it never transits through the user's browser nor is it ever exposed to JavaScript.
The encrypted file format includes a key version identifier (key_id), which will allow us to rotate the master key without requiring an immediate re-encryption of the entire history.
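The scheme described above (a per-file key from HKDF-SHA256, the user identifier and path covered by the GCM tag, a key_id that selects the master key version) is shown below as an added example; it is not Canonity's code. The HKDF inputs, the blob layout, the function names and the sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: the page does not list the HKDF inputs; user id and path are
// used here because the page says both are bound to every file.
function contextBytes(label, keyId, userId, path) {
  // JSON array encoding keeps field boundaries unambiguous ("a"+"bc" != "ab"+"c").
  return Buffer.from(JSON.stringify([label, keyId, userId, path]), 'utf8');
}

// HKDF-SHA256 (RFC 5869): 32-byte per-file key from the 32-byte master key.
function deriveFileKey(masterKey, keyId, userId, path) {
  const info = contextBytes('file-key', keyId, userId, path);
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// Hypothetical blob layout: key_id (1 byte) | nonce (12) | GCM tag (16) | ciphertext.
function encryptFile(masterKeys, keyId, userId, path, plaintext) {
  const key = deriveFileKey(masterKeys.get(keyId), keyId, userId, path);
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(contextBytes('file-aad', keyId, userId, path)); // context covered by the tag
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([Buffer.from([keyId]), nonce, cipher.getAuthTag(), body]);
}

// Throws if the context, key or ciphertext differs from what was encrypted.
function decryptFile(masterKeys, userId, path, blob) {
  if (blob.length < 29) throw new Error('blob too short');
  const keyId = blob[0];
  const masterKey = masterKeys.get(keyId); // key_id selects the master key version
  if (!masterKey) throw new Error('unknown key_id ' + keyId);
  const key = deriveFileKey(masterKey, keyId, userId, path);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(1, 13), { authTagLength: 16 });
  decipher.setAAD(contextBytes('file-aad', keyId, userId, path));
  decipher.setAuthTag(blob.subarray(13, 29));
  return Buffer.concat([decipher.update(blob.subarray(29)), decipher.final()]);
}

// True only when the caller's context matches the one the file was written under.
function canRead(masterKeys, userId, path, blob) {
  try { decryptFile(masterKeys, userId, path, blob); return true; } catch (e) { return false; }
}

// Constructed sample keys and context (not real values).
const sampleKeys = new Map([[1, Buffer.alloc(32, 0x11)], [2, Buffer.alloc(32, 0x22)]]);
const sampleBlob = encryptFile(sampleKeys, 1, 'user-17', 'chats/42/notes.txt', Buffer.from('draft'));
console.log(canRead(sampleKeys, 'user-17', 'chats/42/notes.txt', sampleBlob)); // same context
console.log(canRead(sampleKeys, 'user-17', 'archive/notes.txt', sampleBlob)); // moved file
```

Because the master key is looked up by key_id, files written under an older master key stay readable after a newer key is introduced, as long as the older key remains in the map.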
Every deletion operation translates into a physical removal of the file from the filesystem (POSIX unlink). We do not keep trash bins, application snapshots, or shadow copies. Deletion is permanent and irreversible: neither the user nor Canonity can recover a file after it has been deleted. We recommend downloading a local copy of any content you wish to preserve before deleting it.