What zero-knowledge means here
In Enclave, zero-knowledge means: Quelden cannot read your files, and cannot be compelled to hand over their plaintext.
This is not a policy statement. It is an architectural property:
- Files are encrypted on your device before upload
- The decryption keys are in your KMS or our HSM — accessible only via authenticated KMS API calls from authorised clients
- Quelden’s servers store only ciphertext and wrapped keys
- Even Quelden employees with database access cannot decrypt files
What we do see
We want to be precise about what metadata Enclave does process:
| Data | Seen by Quelden? | Notes |
|---|---|---|
| File ciphertext | ✓ (stored) | Meaningless without keys |
| File name | ✓ | Stored in database |
| File size | ✓ | Stored in database |
| Upload timestamp | ✓ | Audit log |
| Uploader identity | ✓ | Audit log |
| Room name | ✓ | Stored in database |
| Wrapped DEKs | ✓ (stored) | Meaningless without master key |
| Plaintext file content | ✗ | Never transmitted or stored |
| Master keys | ✗ | Live in your KMS / our HSM |
The HSM boundary
When using Quelden-managed keys, the master key lives in a FIPS 140-2 Level 3 HSM. The HSM enforces:
- Only authenticated Enclave application instances can request key operations
- Key operations are logged
- The key material never leaves the HSM — only wrapped outputs are returned
Even Quelden engineers cannot extract the master key from the HSM. The HSM’s tamper-resistant hardware enforces this at the physical level.
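The envelope-encryption flow behind the bullet lists above, as an added example that is not Enclave's or Quelden's own code: files are sealed on the client under a fresh DEK, the DEK is wrapped by a key store whose master key is never returned, and the server side ends up holding only ciphertext and a wrapped DEK. `KeyStore`, `Upload`, `Download` and the single-client authentication check are hypothetical stand-ins for the KMS/HSM API, not the real one.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// seal and open are AES-256-GCM with a random nonce prepended to the ciphertext.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() { return nil, errors.New("bad key or ciphertext") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// KeyStore is a hypothetical stand-in for the KMS/HSM: master never leaves it; only Client may call it.
type KeyStore struct{ master []byte; Client string }
func NewKeyStore(client string) (*KeyStore, error) {
	ks := &KeyStore{master: make([]byte, 32), Client: client}
	_, err := rand.Read(ks.master)
	return ks, err
}
func (k *KeyStore) Wrap(c string, dek []byte) ([]byte, error) { return k.op(c, seal, dek) }
func (k *KeyStore) Unwrap(c string, w []byte) ([]byte, error) { return k.op(c, open, w) }
func (k *KeyStore) op(c string, f func(key, in []byte) ([]byte, error), in []byte) ([]byte, error) {
	if c != k.Client { return nil, errors.New("kms: unauthenticated caller") }
	return f(k.master, in) // a real HSM also logs this key operation
}
// Upload runs on the client: fresh DEK, encrypt locally, wrap the DEK via the KMS; Download reverses it.
func Upload(ks *KeyStore, client string, pt []byte) (ct, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	if ct, err = seal(dek, pt); err == nil { wrappedDEK, err = ks.Wrap(client, dek) }
	return
}
func Download(ks *KeyStore, client string, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := ks.Unwrap(client, wrappedDEK)
	if err != nil { return nil, err }
	return open(dek, ct)
}
```

Everything the server would store is the pair (`ct`, `wrappedDEK`); an unauthenticated caller gets an error from `Unwrap`, and opening the wrapped DEK with any key other than the master fails authentication.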
Legal compulsion
If Quelden receives a valid legal order to produce customer data:
- We can produce: file ciphertext, file metadata, audit logs
- We cannot produce: plaintext file content (we do not have it)
- For BYOK/HYOK customers: we also cannot produce wrapped keys (those are in your KMS)
- For Quelden-managed keys: we can produce wrapped KEKs, but not the HSM master key
We publish a transparency report annually covering the number and types of legal demands received.
Threat model
| Threat | Enclave’s defence |
|---|---|
| Quelden employee curiosity | No access to plaintext or master keys |
| Quelden server breach | Attacker gets ciphertext only |
| Legal compulsion of Quelden | Plaintext unavailable; master key in HSM |
| Rogue application server | Cannot decrypt without KMS authentication |
| Network interception | TLS 1.3; payload is ciphertext regardless |
| Compromised client | Out of scope — client must be trusted |
The client device is trusted. If your device is compromised (malware, physical access), an attacker can read files as they are decrypted. Enclave cannot protect against a fully compromised endpoint — no encryption system can.