Enterprise File Encryption
Orchestration Platform

Every regulated enterprise today uses a key vault — HashiCorp Vault, AWS KMS, or Azure Key Vault. These systems manage keys well, but they do not enforce how files are encrypted, how metadata is isolated, or how compliance is proven at audit time. This gap is where ProVault operates.

ProVault is a file-level encryption orchestration layer that sits above your existing key management infrastructure. It does not replace your vault — it integrates with it and adds what is missing: structured file chunking, envelope encryption, metadata isolation across separate vaults, zero-downtime key rotation, and native enforcement of Saudi NCA National Cryptographic Standards (NCS).

Encryption Path

• Step 1 — File Ingestion: Application submits any file type via REST or SDK. A transit proxy optionally intercepts the file transparently — no code change required in the application layer.
• Step 2 — Chunking: The file is split into configurable fixed-size blocks (4 MB to 64 MB). Each chunk receives a UUID and positional index, enabling parallel processing and partial retrieval.
• Step 3 — Integrity Hashing: A SHA-256 (or SHA-3) hash is computed per chunk before encryption. This pre-encryption hash is stored in the Metadata Vault and verified on every decryption to detect tampering.
• Step 4 — Envelope Encryption: A unique Data Encryption Key (DEK) is generated per file. Each chunk is encrypted using AES-256-GCM (AEAD) with a unique IV. The DEK is then wrapped by the Key Encryption Key (KEK) held in the external vault — only the encrypted DEK is ever stored.
• Step 5 — Key Wrapping: The wrapped DEK is sent to the Key Vault (HashiCorp / AWS KMS / Azure Key Vault). The plaintext DEK is destroyed immediately after use. KEK wrapping uses RSA-4096 or ECC BrainpoolP384r1 per NCS Advanced level requirements.
• Step 6 — Metadata Isolation: A separate Metadata Vault receives the chunk map, vault routing addresses, key version used, algorithm identifiers, and integrity hashes — all encrypted independently. No single vault can reconstruct the file.
• Step 7 — Distributed Storage: Encrypted chunks are written to the configured storage backends: S3-compatible, Azure Blob, GCP, relational DB BLOB, MongoDB GridFS, or any custom adapter. Multi-vault distribution is optional.
• Step 8 — Audit Log: Every operation — encrypt, decrypt, rotate, policy violation — is immutably logged with timestamps, identity, and cryptographic proof. Audit logs are exported for NCS compliance reporting.

Decryption Path (Reverse)

• Authorized identity is verified (JWT / mTLS / RBAC). Metadata Vault is queried for the chunk map and vault locations. Key Vault unwraps the DEK using the correct KEK version. Chunks are fetched in parallel, decrypted, integrity-verified against pre-encryption hashes, and reassembled in order.

Several patents exist in the domain of file encryption, key management, and cloud storage security. ProVault's design deliberately combines mechanisms in a way that does not fall within the claims of any single existing patent, while the combination itself forms novel, patentable subject matter.

The Kingdom of Saudi Arabia's National Cybersecurity Authority (NCA) published the National Cryptographic Standards (NCS-1:2020) to define mandatory cryptographic requirements for all entities operating in regulated sectors — including banking, government, healthcare, and critical infrastructure.

How NCS shapes ProVault's design

• Algorithm Enforcement: NCS mandates AES-256 for symmetric encryption, RSA-4096 or ECC BrainpoolP384r1 / P-384 for asymmetric operations, and SHA-256 or SHA-3 for hashing. ProVault's Core Engine hard-enforces these — any deviation is rejected at the compliance layer and logged as a policy violation.
• Key Rotation Timelines: NCS specifies maximum key lifetimes per data classification category. ProVault's rotation orchestration is parameterized to automatically enforce these timelines, triggering scheduled or emergency rotation events without operator intervention.
• Data in Transit: NCS requires TLS for all data movement. ProVault's Transit Proxy enforces TLS on every file transfer and verifies certificates before encryption begins.
• Audit and Evidence: NCS requires cryptographic audit trails sufficient for regulatory inspection. ProVault's audit log captures the full lifecycle of every file — creation, encryption, access, rotation, and deletion — with timestamps and identities, exportable in audit-ready format.
• Separation of Duties: NCS requires operational separation between data custodians and key custodians. ProVault's three-vault architecture architecturally enforces this — no single operator or role has access to all three vaults simultaneously.

The following questions are designed to stress-test the concept, refine the positioning, and prepare for investor or enterprise buyer conversations. Each question should be answered before proceeding to the detailed technical design phase.

Phase 1 — Core Engine (Months 1–4)

• Core encryption engine with AES-256-GCM and envelope model
• Single vault integration (HashiCorp Vault as primary target)
• Metadata vault isolation with independent encryption
• DEK-wrapper-only key rotation
• Spring Boot JAR starter deployment mode
• NCS-1:2020 Advanced level compliance enforcement

Phase 2 — Enterprise Wrapper (Months 5–8)

• Standalone microservice with REST and gRPC endpoints
• Compliance dashboard with NCS audit export
• Multi-vault chunk distribution (2–3 vault configurations)
• AWS KMS and Azure Key Vault integration

Phase 3 — Ecosystem (Months 9–14)

• Plugin ecosystem: S3 interceptor, JDBC BLOB layer, Kafka interceptor
• Advanced policy engine with custom NCS profiles
• Multi-language SDK (Python, Node.js)
• NCA certification preparation package