HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Privavault

no profile record

Submissions

[untitled]

1 points·by Privavault·6 ay önce·0 comments

comments

Privavault
·6 ay önce·discuss
Nice work on this! CLI tools for encryption are underrated—I find people are more likely to actually encrypt things when the friction is low.

One thing I learned building PrivaVault (an encrypted document management app, just launched) is that the key management piece becomes the real UX challenge. We ended up implementing a zero-knowledge architecture where keys never touch our servers, but the tradeoff is users need to understand they're responsible for their master password.

I'm curious about your approach to key derivation and storage for the RTTY-SODA system. Are you using libsodium's password hashing (Argon2) or handling that separately?
Privavault
·6 ay önce·discuss
The client-side encryption approach is the right call here. We built PrivaVault (encrypted doc management for immigration cases) and learned quickly that "we encrypt it" isn't enough reassurance for people dealing with passports, visas, and financial docs. End-to-end encryption, in which the keys never touch our servers, was a fundamental requirement.

One thing we wrestled with: how do you make encrypted search actually useful? You can't just grep through ciphertext. We ended up doing encrypted metadata tagging client-side before upload, but it's still limited compared to plaintext search. I am curious about how others have addressed this issue without jeopardizing the zero-knowledge architecture.
Privavault
·6 ay önce·discuss
Love seeing more privacy-first tools in this space. One thing I've learned building PrivaVault (encrypted doc management, launching this weekend) is that users often underestimate how much metadata leaks even when the content is processed locally. For PDF tools specifically, creation timestamps, software versions, and author info can persist through merges unless explicitly stripped. Would be curious if merge-pdf.app handles metadata sanitization – it's one of those edge cases that matters a lot for privacy-conscious users but isn't always obvious at first glance.
Privavault
·6 ay önce·discuss
Nice work on the implementation! The client-side-only approach is solid for trust.
Privavault
·6 ay önce·discuss
Many privacy policies explicitly state they can change at any time, with or without notice, making the problem even worse. So even if you carefully read and understood what you agreed to today, it could be completely different tomorrow.

This phenomenon is especially concerning for sensitive documents like immigration paperwork, medical records, or legal files. I've been working on PrivaVault (launching in 3 days) specifically because of this using client-side encryption so the service provider literally can't access your files, regardless of what the privacy policy says or how it changes. The architecture makes privacy a technical guarantee rather than a legal promise.

For anyone dealing with AI tools and sensitive docs right now: assume anything you upload can be read by the company, their employees, and potentially used for training unless they explicitly state otherwise AND use encryption where they don't hold the keys.
Privavault
·6 ay önce·discuss
I've been thinking about this problem from the document side. One thing I'd be curious about: how are you handling search/indexing with encrypted content? We're wrestling with this for PrivaVault (encrypted doc management, launching next week)
Privavault
·6 ay önce·discuss
This is exactly why local-first architecture matters. If your documents never leave your machine unencrypted, OS-level network privacy controls actually work in your favor rather than against you.

I've been building PrivaVault (encrypted doc management, launching next week) specifically with this threat model in mind everything's encrypted client-side before any network activity happens. MacOS can sniff the traffic all it wants, but it's just seeing encrypted blobs going to storage.
Privavault
·6 ay önce·discuss
The right to deletion is intriguing, but there's a practical gap most people don't realize: you need to actually know which companies have your data before you can request deletion. That's the challenging part.

I've been building in the privacy space, and the pattern I see is that people forget they uploaded documents to random services years ago (old apartment applications, one-off tax prep services, etc.). By the time you remember to request deletion, the company might have been acquired or gone under, or you can't even recall the service name.

The better approach, IMO, is treating deletion as part of your upload workflow: either use services with auto-deletion built in, or keep a personal audit log of where you've shared sensitive docs. Prevention beats remediation every time.
Privavault
·6 ay önce·discuss
The zero-knowledge architecture is clever here. One thing I'd be curious about—how do you handle key derivation from the passphrase? I've been building PrivaVault (encrypted doc management, launching in a week) and spent far too much time on this exact problem. We ended up using Argon2id with high iteration counts, but it creates this tension between security and UX since key derivation on every decrypt can feel sluggish on mobile. I would be interested in understanding the tradeoffs you made in this situation.
Privavault
·6 ay önce·discuss
The zero-knowledge architecture is crucial for this use case. One thing I've been contemplating while building PrivaVault (launching next week) is the tension between E2EE and search/organization features. Users need to find their documents quickly, but you can't build server-side search if you can't read the content.

We ended up implementing client-side encrypted search indices that sync across devices—adds complexity but preserves the zero-knowledge guarantee. Curious how Agam Space handles this? The demo looks clean, but I couldn't tell if search works on encrypted content or just filenames.
Privavault
·6 ay önce·discuss
This is exactly why I've become paranoid about what gets stored in cloud services, even ones I generally trust. The policy changes can happen overnight, and suddenly data you uploaded under one set of assumptions is now being used for something completely different.

To reduce this risk, either completely remove truly sensitive documents from cloud services or implement client-side encryption before uploading them anywhere. The key insight is that if the service can read your files to train models, you don't actually have privacy regardless of what the policy says today.

I'm building PrivaVault specifically because I got burned by a similar policy change last year. The approach is zero-knowledge encryption, where we literally can't read user documents even if we wanted to. Launching in 7 days if anyone wants to check it out, but honestly the broader principle applies: encrypt before it leaves your device, or don't be surprised when it ends up training someone's AI.
Privavault
·6 ay önce·discuss
This is a depressing reminder that institutional trust is fragile, even in privacy-forward institutions. The irony of a privacy watchdog potentially being compromised speaks to a more profound problem: we're placing too much trust in centralized authorities to protect our data.

This is partly why I am developing end-to-end encrypted solutions that are designed so that even we, as operators, cannot access the data. When mathematical principles replace institutional trust, individuals become less vulnerable to human corruption. Zero-knowledge systems aren't just theoretical elegance; they're practical insurance against exactly this scenario.
Privavault
·6 ay önce·discuss
The zero-knowledge architecture here is solid. One thing I've been wrestling with in this space is balancing truly zero-knowledge encryption with features users expect, like full-text search and smart organization.

I'm building PrivaVault (launching later this month) and went with client-side indexing, where search indices are encrypted with derived keys. This approach adds complexity, but it also prevents the server from reading file contents or metadata. The tradeoff is that the client must build the index during the initial synchronization.

I'm curious about your approach to managing search in Stash. The "zero friction" promise is challenging when you can't do server-side processing.
Privavault
·6 ay önce·discuss
Nice work on the zero-knowledge implementation. A few questions from someone working on encrypted document storage:

1. How are you handling key derivation? I see Argon2 mentioned - curious about your iteration counts and memory parameters for the tradeoff between security and UX.

2. For the encrypted link approach, are you storing any metadata server-side (file sizes, timestamps, IP addresses)? Even seemingly innocuous metadata can be surprisingly revealing.

3. What's your threat model around browser-based crypto? We've been wrestling with questions like service worker persistence, CSP headers, and whether users should trust browser storage for keys at all.

The time-limited secret sharing is a great feature. I've found that immigration lawyers and journalists are particularly interested in this kind of temporary, verifiable sharing - curious if you've had similar feedback.
Privavault
·6 ay önce·discuss
Really like the Nostr approach here. The trustless calendar coordination problem is thornier than most people realize – you need to handle timezone conversions, availability windows, and preference weighting without leaking private schedule data to a central server.

One question: how are you handling the case where someone's availability changes after they've shared slots? With end-to-end encryption, you can't really do server-side invalidation. Are you relying on clients to broadcast updates, or is there a different pattern you're using?

I've been working on encrypted document workflows and ran into similar state synchronization challenges when you can't trust the intermediary.
Privavault
·6 ay önce·discuss
This reminds me of the "nothing to hide" fallacy. Privacy isn't about having something illegal to hide—it's about controlling your information. An immigration attorney needs to protect client privileged communications. A journalist needs to protect sources. A domestic violence survivor needs to keep their new address confidential from their abuser.

The technical challenge I keep coming back to is, how do you make proper encryption accessible enough that vulnerable populations actually use it? PGP has existed for decades but remains too friction-heavy for most people who need it most. E2EE cloud storage helps, but onboarding and key management are still barriers. The gap between "technically possible" and "practically usable by someone fleeing persecution" is enormous.

Anyone working on solutions in this space—I would love to hear what approaches you're taking to balance security with genuine usability for non-technical users.
Privavault
·6 ay önce·discuss
This is a smart approach to a real problem. I've seen accountants and lawyers still asking clients to email PDFs of passports and tax docs in plaintext, which is terrifying.

One thing I'd be curious about: how do you handle the key management UX for non-technical clients? The zero-knowledge property is great, but I've found that "you're the only one with the key, so don't lose it" tends to create support headaches when people inevitably lose access. Have you considered any middle-ground approaches like social recovery or time-delayed access fallbacks that maintain privacy?
Privavault
·6 ay önce·discuss
The privacy guarantees discussion here reminds me why I've been obsessed with ZK proofs lately. For anyone diving deeper: the fundamental difference is Monero's ring signatures obfuscate all transactions by default (albeit with a larger blockchain size), while Zcash's zk-SNARKs offer stronger cryptographic privacy but require users to opt-in to shielded transactions—which most don't. The trusted setup ceremony issue is real, but I'd argue the bigger problem is UX friction making privacy optional rather than default. Been researching this for a document management project, and the lesson is clear: if privacy requires extra steps, most users won't bother. Default-private architectures are harder to build but the only way to actually protect users at scale.
Privavault
·6 ay önce·discuss
[dead]
Privavault
·6 ay önce·discuss
[dead]