Loading...
private.me Docs
Get Cache
PRIVATE.ME PLATFORM

Cache: Encrypted Local Message Cache

AES-256-GCM encrypted IndexedDB cache with PBKDF2 key derivation, LRU eviction, and TTL expiry. Every byte at rest is encrypted. Corrupted entries self-heal on read.

Email Client AVAILABLE NOW AES-256-GCM
Section 01

The Problem

Local caches store sensitive data in plaintext IndexedDB. Browser data is accessible to extensions, XSS attacks, and anyone with local access to the device.

IndexedDB is the standard client-side storage for web and desktop applications. But it stores data as plain JSON objects with no encryption layer. Any browser extension with storage permissions can read the entire database. A single XSS vulnerability exposes every cached message.

Existing solutions either skip local caching entirely (sacrificing offline access and performance) or store plaintext and hope the OS protects it. Neither approach is acceptable for sensitive communications.

The Old Way

App plaintext IndexedDB UNENCRYPTED XSS Attack Extensions Local Access
Section 02

The PRIVATE.ME Solution

Every cache entry is encrypted with AES-256-GCM before it touches IndexedDB. Keys are derived via PBKDF2 with 600,000 iterations from the user's primary email. No plaintext is ever stored at rest.

The cache operates as a transparent encryption layer. Application code calls createCache and getCached with the same API as a plain key-value store. Encryption and decryption happen automatically. Corrupted entries are detected via GCM authentication tags and auto-deleted on read.

LRU eviction keeps memory bounded. TTL expiry ensures stale entries are purged. The cache is fully resumable across app restarts with no re-initialization penalty.

The New Way

App plaintext AES-256-GCM PBKDF2 600K encrypt IndexedDB ciphertext only LRU + TTL Safe
Section 03

How It Works

A three-layer architecture: key derivation, transparent encrypt/decrypt, and self-healing storage with automatic eviction.

User Email PBKDF2 → AES Key Encryption Layer AES-256-GCM IndexedDB ciphertext LRU Eviction bounded memory TTL Expiry stale purge Self-Heal corrupt → delete Zero plaintext at rest — GCM auth tag verifies every read
Key Security Properties
Encryption at rest: Every entry encrypted with AES-256-GCM before storage.
Key derivation: PBKDF2 with 600,000 iterations from primary email.
Self-healing: Corrupted entries detected via GCM auth tag and auto-deleted.
Bounded storage: LRU eviction + TTL expiry prevent unbounded growth.
Section 04

Use Cases

Email Client
Offline Email Access

Cache messages locally so users can read and compose offline. All cached data encrypted at rest with AES-256-GCM.

AES-256-GCM
Messaging
Secure Message History

Retain conversation history on-device without exposing content to local access attacks or browser extensions.

PBKDF2
Web Apps
Encrypted Session Storage

Store session data, tokens, and preferences in encrypted IndexedDB with automatic TTL expiry and LRU eviction.

TTL + LRU
Security
Client-Side Data Protection

Protect sensitive client-side data from XSS, malicious extensions, and physical device access with transparent encryption.

Self-Healing
Section 05

Integration

Quick Start
import { createCache, getCached } from '@private.me/cache';

// Initialize encrypted cache from user's primary email
const cache = await createCache('user@example.com', {
  maxEntries: 5000,
  ttlMs: 86400000,        // 24 hours
  evictionPolicy: 'lru'
});

// Store — automatically encrypted with AES-256-GCM
await cache.set('msg:abc123', messageData);

// Retrieve — decrypted transparently, corrupt entries auto-deleted
const message = await getCached(cache, 'msg:abc123');
createCache(email: string, config?: CacheConfig): Promise<EncryptedCache>
Initialize an encrypted IndexedDB cache. Key derived via PBKDF2 (600K iterations) from the provided email. Config controls max entries, TTL, and eviction policy.
getCached(cache: EncryptedCache, key: string): Promise<T | null>
Retrieve and decrypt a cached entry. Returns null if not found or expired. Auto-deletes entries that fail GCM authentication.
Section 06

Security Properties

PropertyMechanismGuarantee
Encryption at restAES-256-GCM256-bit symmetric
Key derivationPBKDF2 (600K iterations)Brute-force resistant
Integrity checkGCM authentication tagTamper detection
Self-healingAuto-delete on GCM failureNo corrupt reads
Bounded storageLRU eviction + TTLMemory bounded
256
bit AES key
600K
PBKDF2 iterations
0
plaintext at rest
<1ms
per read/write
PRIVATE.ME · CACHE WHITE PAPER

© 2026 StandardClouds Inc. dba PRIVATE.ME. All rights reserved.

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

Cache generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF
Download proofs:

Verify proofs online →

Use Cases

🏛️
REGULATORY
FDA / SEC Submissions
Prove algorithm correctness for message caching without exposing trade secrets or IP.
Zero IP Exposure
🏦
FINANCIAL
Audit Without Access
External auditors verify AES-256-GCM encrypted caching without accessing source code or production systems.
FINRA / SOX Compliant
🛡️
DEFENSE
Classified Verification
Security clearance holders verify message caching correctness without clearance for source code.
CMMC / NIST Ready
🏢
ENTERPRISE
Procurement Due Diligence
Prove security + correctness during RFP evaluation without NDA or code escrow.
No NDA Required

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Enterprise SLA available
View Pricing →
📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/cache
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included
Request Quote →

Enterprise On-Premise Deployment

While Cache is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

  • Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
  • Air-gapped environments — SCIF, classified networks, offline operations
  • Data residency requirements — EU GDPR, China data laws, government mandates
  • Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →

Other Requirements? Need white-label deployment or custom integration? Contact our enterprise team →