Project · Saas Lifebot · ADRs

ADR 0002 — Admin-blind E2EE for health data

type adrstatus activelifebot · e2ee · security · gdpr

Status

Accepted

Context

Friends’ health data will live on Bob’s ThinkCentre. Host admin can always open Postgres unless application-layer encryption uses keys the server does not have.

Decision

  • Per-user vault: public key on server; private key wrapped by user password (Argon2id).
  • Durable health payloads sealed to user public key.
  • Ingest merge state encrypted under a key derived from the presented ingest secret (ephemeral; not stored long-term as plaintext).
  • Dashboard decrypts only in the browser after unlock.
  • APP_SECRET is only for ingest key HMAC pepper — never health DEK.

Consequences

  • Admin cannot read health from DB/backups/disk images of ciphertext.
  • Lost vault password + recovery code ⇒ data unrecoverable.
  • HAE merge is more complex (ingest-key-derived merge state).
  • Residual: malicious root can still tap live request RAM.
Compiled from wiki/projects/SAAS-Lifebot/adr/0002-admin-blind-e2ee-health-data.md · git is the source of truth