Zero-knowledge cloud sync sounds simple and then isn't. Here is the shortest viable architecture.
Client-side key derivation
User password → Argon2id (m=64MB, t=3, p=1) → 256-bit master key. Never transmit the password or the master key. The server only ever sees encrypted blobs. Zero-knowledge explained covers the threat model.
Per-record encryption
Each note, task, or journal entry is encrypted individually with AES-256-GCM using a random per-record IV. Each record's symmetric key is wrapped with the master key. This allows partial sync (one record) without exposing others.
CRDT for conflict resolution
If two devices modify the same record offline, a CRDT — typically a last-write-wins register with a hybrid logical clock timestamp — resolves deterministically on merge. No central coordinator required.
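The merge described above, as an added example that is not code from the original post: a last-write-wins register ordered by a hybrid logical clock. The names (HLC, Clock, Register, merge), the device-id tie-breaker and the MAX_DRIFT_MS bound are assumptions of this example, and the physical time is passed in as an argument so the behaviour is reproducible.

```python
from dataclasses import dataclass

MAX_DRIFT_MS = 60_000  # assumed bound on how far ahead a remote stamp may be

@dataclass(frozen=True, order=True)
class HLC:
    """Hybrid logical clock stamp; field order defines the total order."""
    wall_ms: int   # highest physical time seen, in milliseconds
    counter: int   # logical counter for events within the same wall_ms
    device: str    # device id, final tie-breaker between devices

class Clock:
    def __init__(self, device: str):
        self.device, self.wall_ms, self.counter = device, 0, 0

    def now(self, physical_ms: int) -> HLC:
        """Stamp a local write; never goes backwards if the OS clock does."""
        if physical_ms > self.wall_ms:
            self.wall_ms, self.counter = physical_ms, 0
        else:
            self.counter += 1
        return HLC(self.wall_ms, self.counter, self.device)

    def observe(self, remote: HLC, physical_ms: int) -> None:
        """Advance past a stamp received during sync."""
        if remote.wall_ms - physical_ms > MAX_DRIFT_MS:
            # A far-future stamp would win every later merge; refuse it.
            raise ValueError("remote stamp too far ahead of local time")
        top = max(physical_ms, self.wall_ms, remote.wall_ms)
        if top == self.wall_ms == remote.wall_ms:
            counter = max(self.counter, remote.counter) + 1
        elif top == self.wall_ms:
            counter = self.counter + 1
        elif top == remote.wall_ms:
            counter = remote.counter + 1
        else:
            counter = 0
        self.wall_ms, self.counter = top, counter

@dataclass(frozen=True)
class Register:
    """Last-write-wins register holding one record's encrypted blob."""
    stamp: HLC
    blob: bytes    # opaque ciphertext; merge never needs to decrypt it

def merge(a: Register, b: Register) -> Register:
    """Commutative, associative, idempotent: the higher stamp wins."""
    return a if a.stamp >= b.stamp else b
```

Because the stamps form a total order, every device that merges the same set of writes ends up with the same record, whatever order the writes arrive in.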
The metadata leak
Even with zero-knowledge content encryption, the server sees record sizes and timing. Padding blob sizes to fixed buckets (e.g., 1KB, 4KB, 16KB) mitigates the size leak. Batched sync windows mitigate the timing leak. Neither is perfect.
Key rotation
Master keys should rotate annually. The new master key encrypts a new wrapping key for each record's existing symmetric key; re-encryption is lazy. Without this scheme, a master key leak is permanent.
About Sovereign — A privacy-first AI personal assistant that runs entirely on your iPhone. On-device LLM, zero-knowledge encryption, and a coach that learns from your own words.