Understanding FileSeal's Encryption
Learn how FileSeal's zero-trust architecture protects sensitive documents with enterprise-grade encryption throughout the entire workflow.
The Personal Safe Analogy
Think of FileSeal like a secure postal service for personal safes:
Imagine you need to send sensitive documents to your office. Instead of posting them in a regular envelope (like email), you:
- Lock them in your personal safe (encryption on your device)
- Post the sealed safe through a secure courier (FileSeal)
- Only you have the key to unlock it at the other end
The courier (FileSeal) is designed not to open your safe or see your documents, and even if someone intercepts the safe, they can't open it without your unique key.
What Makes FileSeal Different
Unlike traditional file sharing services, FileSeal implements zero-trust encryption:
- Documents are encrypted on the client's device (your safe is locked before it leaves your premises)
- FileSeal servers are designed not to see unencrypted data (we're just the secure courier, not the key holder)
- You maintain complete control over access (only you decide who gets the key)
Encryption Architecture
Client-Side Encryption Process
- File Selection: Client chooses documents to upload
- Local Encryption: Files encrypted using AES-256-GCM before transmission
- Secure Transmission: Only encrypted data travels over the internet
- Server Storage: Encrypted blobs stored securely
- Authorized Decryption: Only you can decrypt using secure keys
Technical Implementation
Why This Matters: This is like having the world's most sophisticated safe lock - even if criminals had every computer on Earth, it would take longer than the age of the universe to break.
Encryption Standard: AES-256-GCM (Advanced Encryption Standard)
- Key Length: 256-bit keys (2^256 possible combinations) (Think of a lock with 78 digits - that's more combinations than atoms in the universe)
- Mode: Galois/Counter Mode for authenticated encryption (Not only locks the safe, but proves no one tampered with it)
- Security: Same standard used by governments and enterprises (If it's good enough for state secrets, it's good enough for your documents)
Key Derivation: PBKDF2 (Password-Based Key Derivation Function 2)
- Iterations: 100,000+ rounds for key stretching (Like creating your key by putting metal through a forge 100,000 times - makes it incredibly hard)
- Salt: Unique random salt per encryption (Every safe gets a unique, unpredictable lock mechanism)
- Resistance: Protection against rainbow table attacks (Prevents criminals from using pre-made key lists)
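The scheme listed above, as an added sketch using Node's built-in crypto module (this is not FileSeal's code): a key is stretched with PBKDF2 under a fresh salt, the file is sealed with AES-256-GCM, and decryption refuses a wrong key or a modified blob. The passphrase input, SHA-256 as the PBKDF2 hash, the salt and IV sizes, the container layout and all function names are assumptions made for the example.

```javascript
const nodeCrypto = require("node:crypto");

// Assumptions (not stated on the page): SHA-256 as the PBKDF2 hash, 16-byte salt,
// 12-byte IV, container layout salt || iv || tag || ciphertext.
const ITERATIONS = 100000; // the page's stated minimum
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;

function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, KEY_LEN, "sha256");
}

function sealFile(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN); // fresh salt per encryption
  const iv = nodeCrypto.randomBytes(IV_LEN);     // a GCM IV must never repeat under one key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function openFile(blob, passphrase) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", deriveKey(passphrase, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify, so no plaintext is returned in that case.
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Returns the plaintext, or null when the passphrase is wrong or the blob was altered.
function tryOpen(blob, passphrase) {
  try { return openFile(blob, passphrase); } catch { return null; }
}

// Constructed sample input.
const sample = Buffer.from("constructed sample: contents of a client document");
const sealed = sealFile(sample, "correct horse battery staple");
const tampered = Buffer.from(sealed);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit

console.log("round trip ok:", tryOpen(sealed, "correct horse battery staple").equals(sample));
console.log("tampered blob:", tryOpen(tampered, "correct horse battery staple"));
console.log("wrong passphrase:", tryOpen(sealed, "not the passphrase"));
```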
Zero-Trust Architecture
What "Zero-Trust" Means
Traditional cloud storage requires trusting the provider with your data. FileSeal's zero-trust model means:
- Server Blindness: Our servers cannot decrypt your documents
- Client Control: Encryption keys never leave your control
- Perfect Forward Secrecy: Each session uses unique encryption keys
- Minimal Trust: No single point of failure or compromise
Data Flow Protection
Data flows securely through the following process:
Client Device → Encrypt → Secure Transmission → Encrypted Storage
Professional Device ← Decrypt ← Secure Download ← Authorized Access
At no point does unencrypted data exist outside client/professional devices.
Encryption in Practice
Upload Process Security
When clients upload documents:
- File Validation: Type and size checks on client device
- Malware Scanning: Real-time threat detection before encryption
- Encryption: AES-256-GCM applied locally
- Integrity Checking: Digital signatures verify data integrity
- Secure Upload: HTTPS with certificate pinning
Download Process Security
When you download documents:
- Authentication: Verified professional identity required
- Authorized Access: Time-limited, one-time download tokens
- Secure Retrieval: Encrypted data downloaded over HTTPS
- Local Decryption: Files decrypted on your device only
- Automatic Cleanup: Encrypted data deleted from servers
Advanced Security Features
File Signature Validation
Every uploaded file undergoes signature validation:
- Magic Number Verification: Confirms actual file type
- Header Analysis: Detects file spoofing attempts
- Content Scanning: Identifies potential security risks
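Magic number verification as described above, shown as an added example (not FileSeal's code): the file's leading bytes are compared with the signature expected for its claimed extension, so a renamed file is rejected. The signature table is a small assumed subset, and the function names and sample inputs are constructed for the illustration.

```javascript
// Leading-byte signatures per allowed extension (assumed subset for the example).
const SIGNATURES = new Map([
  ["pdf",  [[0x25, 0x50, 0x44, 0x46, 0x2d]]],                   // "%PDF-"
  ["png",  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]],
  ["jpg",  [[0xff, 0xd8, 0xff]]],
  ["jpeg", [[0xff, 0xd8, 0xff]]],
  ["docx", [[0x50, 0x4b, 0x03, 0x04]]],                         // ZIP container
]);

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Returns the first known type whose signature matches the leading bytes, or null.
function sniffType(bytes) {
  for (const [type, sigs] of SIGNATURES) {
    if (sigs.some((sig) => startsWith(bytes, sig))) return type;
  }
  return null;
}

// Accepts a file only when its extension is allowed AND its header matches that extension.
function validateUpload(fileName, bytes) {
  const dot = fileName.lastIndexOf(".");
  const ext = dot === -1 ? "" : fileName.slice(dot + 1).toLowerCase();
  const expected = SIGNATURES.get(ext);
  if (!expected) return { ok: false, reason: "extension not allowed" };
  if (!expected.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: "content does not match extension", sniffed: sniffType(bytes) };
  }
  return { ok: true, type: ext };
}

// Constructed sample inputs.
const pdfBytes = Buffer.from("%PDF-1.7\n% constructed sample");
const pngBytes = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const exeBytes = Buffer.from([0x4d, 0x5a, 0x90, 0x00]); // "MZ" header of a Windows executable

console.log(validateUpload("scan.pdf", pdfBytes));       // accepted
console.log(validateUpload("invoice.pdf", exeBytes));    // rejected: header is not a PDF
console.log(validateUpload("photo.jpg", pngBytes));      // rejected: header says png
console.log(validateUpload("report.pdf.exe", pdfBytes)); // rejected: final extension not allowed
```

A matching signature only shows that the header is consistent with the claimed extension; it says nothing about the rest of the content, which is why the list above pairs it with content scanning.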
Malware Protection
Multi-layer malware detection:
- Real-time Scanning: Files analysed before encryption
- Signature Database: Updated threat definitions
- Behavioral Analysis: Suspicious file pattern detection
- Quarantine System: Infected files blocked automatically
Audit Trail Encryption
Security logs are also encrypted:
- Action Logging: All access attempts recorded
- Tamper Evidence: Cryptographic integrity protection
- Retention Policy: Secure log storage and cleanup
Compliance & Standards
Regulatory Compliance
FileSeal's encryption meets requirements for:
- GDPR: Data protection by design and by default
- SOC 2 Type II: Security controls and processes
- ISO 27001: Information security management
- Legal Professional Standards: SRA, FCA, ICAEW guidelines
Industry Standards
Our implementation follows:
- NIST Cryptographic Standards: Approved algorithms and key lengths
- OWASP Security Guidelines: Web application security best practices
- Common Criteria: International security evaluation standards
Encryption Key Management
Key Generation
- Cryptographically Secure Random: Keys generated using OS entropy
- Unique Per Session: New keys for each upload/download
- No Key Reuse: Each document has unique encryption keys
Key Distribution
- Secure Channel: Keys transmitted over authenticated TLS
- Time-Limited: Keys expire automatically after use
- No Persistence: Keys never stored long-term
Key Destruction
- Automatic Cleanup: Keys destroyed after successful decryption
- Secure Deletion: Memory cleared using cryptographic erasure
- Audit Trail: Key lifecycle events logged securely
Frequently Asked Questions
Can FileSeal decrypt my documents?
No - and here's why that's brilliant:
Using our safe analogy: We're like a secure courier service that transports your locked safe, but we never have the key. Even if hackers broke into our systems, your documents would still be locked in safes that only you can open.
In technical terms: Our zero-trust architecture means FileSeal servers cannot decrypt your documents even if we wanted to. The encryption keys are generated and controlled by client devices and only shared with authorised professionals.
What if I lose access to my account?
Think of it like having spare keys to your house:
Document encryption keys are tied to your professional identity, not just your password. If you lose access, we have secure ways to verify who you are and restore access to your "safe keys":
- Multi-factor authentication options (like having multiple forms of ID)
- Professional identity verification (proving you are who you say you are)
- Secure key recovery processes (getting new keys made by the locksmith)
How does this compare to email attachments?
Email is like sending documents in a see-through envelope:
Email attachments are typically:
- ❌ Transmitted unencrypted (like postcards - anyone handling them can read them)
- ❌ Stored unencrypted on email servers (sitting in filing cabinets anyone can open)
- ❌ Accessible to email providers (Google, Microsoft can read your files)
- ❌ Vulnerable to server breaches (one hack exposes everything)
FileSeal is like registered post with a personal safe:
FileSeal documents are:
- ✅ Encrypted before transmission (safe is locked before leaving your premises)
- ✅ Never stored unencrypted anywhere (safe stays locked throughout journey)
- ✅ Inaccessible to FileSeal (we're the courier, not the key holder)
- ✅ Protected by zero-trust architecture (even if we're compromised, your safe stays locked)
Best Practices for Professionals
Secure Handling
- Download Promptly: Minimize exposure time
- Secure Storage: Use encrypted local storage
- Access Control: Limit who can access downloaded files
- Secure Disposal: Delete files securely when no longer needed
Client Education
Help clients understand using simple analogies:
- Why encryption matters: "Your documents are like valuable jewelry - you wouldn't post them in a regular envelope, would you?"
- How FileSeal protects privacy: "Think of it as a personal safe that travels through registered post - even the postman can't open it"
- Security advantages over email: "Email is like sending a postcard - anyone handling it can read it. FileSeal is like sealed, tamper-proof packaging"
- Their rights under data protection laws: "You control what happens to your documents, when they're deleted, and who can access them"
Real-world example to share: "Instead of emailing your passport copy (which could be read by hackers, email providers, or anyone with access to email servers), FileSeal encrypts it before it leaves your device. Even if someone intercepts it, they just have a locked safe with no key."
Want to learn more? Explore our Security Features Guide or review GDPR Compliance requirements.