Basically, files are encrypted using AES and RSA.
It involves 3 keys:
- Master key - 512-bit, derived from user inputted password, removed from memory as soon as not used
- RSA key pairs - 2048-bit, randomly generated for each protected folder
- Content key - 256-bit, randomly generated for each file
When a folder is added to be monitored, password is provided by user, and:
- Master key is being derived from the password
- RSA key pairs are generated randomly
- Private key of the key pairs is being encrypted with Master key, with AES-SIV
- The encrypted private key and public key of the key pairs are stored on the device
When a new file is being encrypted:
- Content key is randomly generated
- File content is encrypted by content key, with AES-GCM
- Content key is encrypted with public key of the folder, with RSA
- The resulting encrypted file contains the encrypted private key, encrypted content key, and the encrypted file content