Velic

Client-side encryption

How masters are encrypted in your browser before any piece is stored.

Every master is encrypted in your browser, before any piece is uploaded. Storage providers, and the network itself, only ever see ciphertext.

How it works

  • A fresh 256-bit data-encryption key (DEK) is generated for the master.
  • The file is encrypted with AES-256-GCM, in segments, as an authenticated envelope. Each segment carries its own authentication tag, and the segment's position is bound into that tag, so the ciphertext cannot be silently truncated or reordered.
  • The encrypted envelope (never the plaintext) is what gets chunked into pieces and uploaded.

Where the key lives

The per-master DEK is wrapped (encrypted) to an operator-held key-management service and stored only in that wrapped form. The plaintext key is never written to disk. On restore, the operator unwraps the DEK so the reassembled ciphertext can be decrypted back to your original file.

Proofs work on ciphertext

Proof of Data Possession operates on the stored pieces, which are ciphertext. That means preservation proofs require no access to your plaintext or your key: the network proves it holds the encrypted bytes, and the content address binds those bytes to a fixed identity. See Proof of preservation.
