Industry-Standard Encryption
We use battle-tested cryptographic algorithms trusted by governments and security professionals
AES-256-GCM
Military-grade symmetric encryption for your files. Same standard used by governments worldwide.
RSA-4096
Asymmetric encryption for secure key sharing between devices and users.
Argon2id
Memory-hard key derivation function resistant to GPU cracking attacks.
ChaCha20-Poly1305
Fast authenticated encryption for mobile devices without AES hardware.
End-to-End Encryption Flow
From your device to our servers - see how zero-knowledge works in practice
Password Entry
Key generated on your device
PBKDF2 100k iterations
File Encryption
AES-256-GCM encryption
Client-side only
Upload
Encrypted blob transfer
TLS 1.3 transport
Decrypt
Decryption on your device
Local decryption
Result: True Zero-Knowledge
Your files are protected even if our servers are breached
The Encryption Process
What happens when you upload a file to Nygma
Master Password Entry
Your password never leaves your device
You enter your master password locally. It is never transmitted to our servers.
Key Derivation
Argon2id derives encryption key from password
Password is transformed into a cryptographic key using Argon2id with high memory cost.
File Encryption
AES-256-GCM encrypts file chunks
Each file is split into chunks and encrypted with unique keys derived from your master key.
Metadata Encryption
Filenames, sizes, dates all encrypted
Not just file contents - everything is encrypted including folder structure.
Secure Upload
TLS 1.3 tunnel with encrypted payload
Already-encrypted data is uploaded over TLS for double protection in transit.
Server Storage
Server stores encrypted blobs with no keys
We store gibberish. Without your password, the data is mathematically unreadable.
Multiple Layers of Encryption
Defense in depth - every aspect of your data is protected
Layer 1
Transport Layer
Technology:
Protects:
Data in transit from your device to our servers
Layer 2
Content Encryption
Technology:
Protects:
File contents - the actual bytes of your files
Layer 3
Metadata Encryption
Technology:
Protects:
Filenames, folder structure, dates, sizes
Layer 4
Thumbnail Encryption
Technology:
Protects:
Image previews and video posters
Key Management
Understanding the different encryption keys and who controls them
| Key Type | Description | Where Stored | Who Has Access |
|---|---|---|---|
| Master Key | Derived from your password, never stored anywhere | Nowhere (derived on-demand) | Only you (in memory during session) |
| Device Keys | Per-device keys for multi-device sync | Encrypted locally on each device | You (on authenticated devices) |
| File Keys | Unique key per file for additional security | Encrypted with your master key | You (encrypted with your keys) |
| Share Keys | Temporary keys for shared links | In the share URL fragment (client-side) | Anyone with the link |
Critical Point: We Never Store Your Keys
The master key is derived from your password every time you log in. It exists only in your device memory during your session. When you log out, it is gone. This is why we cannot reset your password - we never had it in the first place.
Additional Technical Details
Chunked Encryption
Files are split into 4MB chunks before encryption. Each chunk is encrypted independently.
Enables efficient uploads (resume partial failures)
Faster processing for large files
Parallel encryption/decryption
Authentication Tags
GCM mode provides authenticated encryption with built-in integrity verification.
Detects tampering attempts
Prevents bit-flip attacks
Guarantees data authenticity