Hybrid Mode: ZKRAG Protocol
Zero-Knowledge RAG: AI processing on our GPUs, but your data is never stored.
How It Works
- Phase 1, Key Exchange: ECDH P-256 handshake derives a shared AES-256 key
- Phase 2, Encrypt & Send: Your data is AES-256-GCM encrypted before leaving your network
- Phase 3, Process & Wipe: RAG runs in ephemeral memory, then all plaintext is zeroed
- Phase 4, Audit Proof: HMAC proof recorded; no content stored, ever
Cryptographic Primitives
ZKRAG uses industry-standard, battle-tested cryptographic primitives, the same building blocks used in TLS, Signal, and hardware security modules.
AES-256-GCM, ECDH P-256, HKDF-SHA256, HMAC-SHA256
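The four phases above, composed from the listed primitives with Node's built-in crypto module. This is an added sketch, not ZKRAG's own code or wire format: the HKDF label, the all-zero salt, the use of the session id as AAD, the derivation of the HMAC key from the same handshake, the record fields and every function name are assumptions.

```javascript
// Added illustration, not ZKRAG's implementation; labels and names are assumed.
const { createECDH, hkdfSync, createCipheriv, createDecipheriv,
        createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Phase 1: both sides make ephemeral P-256 key pairs, swap public keys, and
// run HKDF-SHA256 over the ECDH secret to get separate AES and HMAC keys.
function deriveKeys(secret, clientPub, serverPub) {
  const info = Buffer.concat([Buffer.from('example-session-v1'), clientPub, serverPub]);
  const okm = Buffer.from(hkdfSync('sha256', secret, Buffer.alloc(32), info, 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}
function handshake() {
  const client = createECDH('prime256v1'), server = createECDH('prime256v1');
  const cPub = client.generateKeys(), sPub = server.generateKeys();
  return { clientKeys: deriveKeys(client.computeSecret(sPub), cPub, sPub),
           serverKeys: deriveKeys(server.computeSecret(cPub), cPub, sPub) };
}

// Phase 2: AES-256-GCM with a fresh 96-bit nonce; aad binds the session id.
function seal(encKey, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', encKey, iv).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Phase 3: decrypt, verify the tag, hand plaintext to work(), then zero it.
// Best effort only: copies made by work() or the runtime are not covered.
function processAndWipe(encKey, msg, aad, work) {
  const d = createDecipheriv('aes-256-gcm', encKey, msg.iv).setAAD(aad).setAuthTag(msg.tag);
  const pt = d.update(msg.ct);
  try {
    d.final();            // throws if ciphertext, tag or AAD was altered
    return work(pt);
  } finally {
    pt.fill(0);
  }
}

// Phase 4: HMAC-SHA256 over a metadata-only record (no content fields).
function auditProof(macKey, meta) {
  const record = JSON.stringify(meta);
  return { record, proof: createHmac('sha256', macKey).update(record).digest('hex') };
}
function verifyProof(macKey, { record, proof }) {
  const want = createHmac('sha256', macKey).update(record).digest();
  const got = Buffer.from(proof, 'hex');
  return got.length === want.length && timingSafeEqual(got, want);
}
```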
Security Guarantees
- Zero Storage: Plaintext data exists only in volatile RAM during processing, then is overwritten with zeros using low-level memory operations
- Ephemeral Sessions: Each session generates unique encryption keys that are destroyed after use (max 5-minute lifespan)
- Cryptographic Audit: Every query produces a verifiable HMAC proof that logs metadata only, never any content
- Forward Secrecy: Ephemeral ECDH keys mean compromising one session cannot decrypt past or future sessions