Encryption & Security
Zero-knowledge architecture. Your keys, your data, your control.
AES-256-GCM
All backup data is encrypted with AES-256-GCM before it touches any storage medium.
| Algorithm | AES-256-GCM |
| Key Size | 256 bits |
| Key Derivation | HKDF-SHA256 |
| Password-Based KDF | Argon2id |
| Nonce Size | 96 bits (per-blob) |
Key Hierarchy
A multi-layer key tree ensures each data blob gets its own unique encryption key.
Master Key (32 random bytes)
├── HKDF → Repository Key (derived)
├── HKDF → Per-Blob Key (derived independently)
└── HKDF → Manifest Key (derived)
└── Argon2id → Password-Wrapped Key (repo.key on disk)
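The HKDF branches of the tree above, as an added example that is not Ginkgo's own code: RFC 5869 HKDF-SHA256 built from the Python standard library, with one `info` label per purpose so that no two subkeys coincide. The label strings, the use of a blob identifier in `info`, and the empty salt are assumptions made for illustration; the Argon2id wrapping step is not shown.

```python
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 expand step: chain HMAC blocks T(1), T(2), ... up to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyTree:
    """Derives 256-bit subkeys from one master key, one `info` label per purpose."""

    def __init__(self, master_key: bytes, salt: bytes = b""):
        if len(master_key) != 32:
            raise ValueError("master key must be 32 bytes")
        self._prk = hkdf_extract(salt, master_key)

    def repository_key(self) -> bytes:
        return hkdf_expand(self._prk, b"example/repository")  # assumed label

    def manifest_key(self) -> bytes:
        return hkdf_expand(self._prk, b"example/manifest")  # assumed label

    def blob_key(self, blob_id: bytes) -> bytes:
        # Binding the (assumed) blob identifier into `info` gives each blob its own key.
        return hkdf_expand(self._prk, b"example/blob/" + blob_id)


if __name__ == "__main__":
    tree = KeyTree(secrets.token_bytes(32))  # constructed master key
    print("repository", tree.repository_key().hex())
    print("blob 01   ", tree.blob_key(b"\x01").hex())
    print("blob 02   ", tree.blob_key(b"\x02").hex())
```

Because every subkey is a deterministic function of the master key and its label, restoring the master key on a new machine is enough to re-derive all of them.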
Zero-Knowledge Design
Encryption keys are generated on your device and never leave it. Even if cloud storage is compromised, without your keys, the encrypted data is mathematically useless. Ginkgo has no way to decrypt your files.
Key Export & Import
Export your encryption keys for disaster recovery. Import them to a new machine to regain access to your backups.
POST /api/v1/keys/export
POST /api/v1/keys/import
Credential Storage
Cloud credentials (S3 keys, WebDAV passwords) are encrypted with your repository key and stored locally. They are never returned in API responses.
Configuration Vault
Securely back up and restore your app configuration — settings, schedules, repository layouts. Survive a full OS reinstall without reconfiguring.
GET /api/v1/config-vault/targets
POST /api/v1/config-vault/backup