System Architecture

Overview

FaceVault is a secure file encryption and decryption web application that uses face recognition as a second-factor authentication mechanism. The system implements end-to-end encryption with client-side key management and biometric-based key unlocking.

System Components

1. Frontend Application

Technologies: React with TypeScript, Tailwind CSS, Wouter, TanStack Query.
Responsibilities: UI, Face enrollment/auth, Client-side encryption/decryption, Key management.

2. Face Detection and Recognition

Technologies: face-api.js, MediaStream API.
Responsibilities: Face enrollment, Liveness detection, Face authentication, Face descriptor generation.

3. Cryptographic Operations

Technologies: Web Crypto API (RSA-OAEP, AES-GCM, PBKDF2).
Responsibilities: Key generation, Key wrapping/unwrapping, File encryption/decryption.

4. Local Storage

Technologies: IndexedDB.
Responsibilities: Storing face templates and wrapped private keys locally.

5. Backend API Server

Technologies: Node.js, Express.js, Passport.js.
Responsibilities: User management, Public key storage, File metadata storage, Rate limiting.

6. Database

Technologies: PostgreSQL with Drizzle ORM.
Responsibilities: Storing user accounts, public keys, and encrypted file metadata.

7. File Storage

Responsibilities: Storage of encrypted file blobs.

Data Flow

User Registration

User provides credentials.
Client generates RSA key pair.
User enrolls face; Private key is wrapped with face-derived Key Encryption Key (KEK).
Public key and wrapped private key stored on server.
Face templates stored locally in IndexedDB.

File Encryption

Client generates random AES key.
File is encrypted with AES key.
AES key is encrypted with user's public key.
Encrypted file and metadata sent to server.

File Decryption

Server returns encrypted file and metadata.
User performs face authentication to derive KEK.
KEK unwraps private key.
Private key decrypts AES key.
AES key decrypts file content.