Status
Accepted
Context
Friends’ health data will live on Bob’s ThinkCentre. Host admin can always open Postgres unless application-layer encryption uses keys the server does not have.
Decision
- Per-user vault: public key on server; private key wrapped by user password (Argon2id).
- Durable health payloads sealed to user public key.
- Ingest merge state encrypted under a key derived from the presented ingest secret (ephemeral; not stored long-term as plaintext).
- Dashboard decrypts only in the browser after unlock.
APP_SECRETis only for ingest key HMAC pepper — never health DEK.
Consequences
- Admin cannot read health from DB/backups/disk images of ciphertext.
- Lost vault password + recovery code ⇒ data unrecoverable.
- HAE merge is more complex (ingest-key-derived merge state).
- Residual: malicious root can still tap live request RAM.
Compiled from
wiki/projects/SAAS-Lifebot/adr/0002-admin-blind-e2ee-health-data.md · git is the source of truth