PRIVATE.ME · Technical White Paper

VaultDB: Encrypted Database with Split Storage

Database breaches expose entire tables of sensitive records. Encryption at rest still gives the database server full access to plaintext during query execution. VaultDB provides row-level XorIDA splitting across multiple independent storage backends — no single backend ever holds enough data to reconstruct any record. Information-theoretic security by construction.

v0.1.0 Building block #7 K-of-N threshold 0 npm deps HMAC verified Pluggable backends

Section 01

Executive Summary

VaultDB transforms traditional database storage into a threshold-protected distributed system. Each record is serialized, padded, HMAC-signed, and split via XorIDA threshold sharing across independent storage backends. Reconstruction requires a configurable K-of-N threshold and passes cryptographic integrity verification before returning data.

Three simple operations cover all use cases: put() splits a record and distributes shares across all configured backends. get() fetches shares, reconstructs, verifies HMAC, and returns the original record. delete() removes all shares from every backend. The threshold parameter determines fault tolerance — a 2-of-3 configuration survives any single backend failure or compromise.

No single backend ever holds reconstructible data. Each backend stores exactly one share; threshold cooperation is required to read any record. An attacker who compromises fewer than K backends learns zero information about the original data — not computationally hard to break, but mathematically impossible.

Zero configuration out of the box. Zero npm runtime dependencies. Works with any storage backend implementing the simple StorageBackend interface: S3, Google Cloud Storage, Azure Blob, local filesystem, MinIO, or in-memory for testing.

Section 02

The Problem

Database breaches are catastrophic single-point failures. One compromised server, one stolen backup, one insider with admin access — and entire tables of sensitive records are exposed. Encryption at rest provides no protection during query execution when the database server must decrypt data to process it.

Traditional encryption at rest fails during operation. AES-256 encryption protects data on disk, but the database server holds the decryption key and processes plaintext in memory. An attacker who gains server access via SQL injection, compromised credentials, or insider threat sees everything.

Database servers are high-value targets. A single PostgreSQL instance, MongoDB cluster, or MySQL server holds complete datasets. The 2017 Equifax breach exposed 147 million complete credit records from a single vulnerability. The 2021 Ubiquiti breach leaked customer data from compromised AWS instances.

Backup theft is a silent attack vector. Database backups often lack the same security controls as production systems. An attacker who steals a backup file gains offline access to decrypt data at leisure without detection.

Multi-region replication multiplies exposure. Read replicas, disaster recovery instances, and analytics databases each create additional copies of sensitive data. Every replica is another potential breach point.

Property	Encryption at Rest	Application-Level Crypto	VaultDB
Server sees plaintext	Yes	Yes (app tier)	Never
Single breach impact	Full dataset	Full dataset	Zero records
Backup theft risk	High	High	No reconstructible data
Insider threat	Admin = full access	Admin = full access	K backends required
Fault tolerance	Replication required	Replication required	N-K backends can fail
Quantum resistance	AES-256 (strong)	AES-256 (strong)	Information-theoretic
Compliance proof	Policy-based	Policy-based	Mathematical guarantee

CRITICAL INSIGHT

Encryption at rest protects data from physical disk theft but provides zero protection from logical attacks (SQL injection, stolen credentials, compromised admin accounts). VaultDB protects against both physical and logical attacks by ensuring no single system holds reconstructible data.

Section 03

Real-World Use Cases

Six scenarios where VaultDB transforms single-point database storage into threshold-protected distributed systems.

🏥

Healthcare / SaaS

PHI Record Storage

Medical records split across AWS, GCP, and Azure. HIPAA compliance by mathematical guarantee. Any single cloud breach exposes zero patient data. 2-of-3 threshold survives cloud provider outage.

2-of-3 threshold + HIPAA compliance

💳

Finance

PCI Customer Data

Payment card data distributed across isolated environments. PCI DSS Requirement 3.4 satisfied cryptographically. Insider threat requires compromising multiple segregated systems simultaneously.

Geographic distribution + PCI DSS

🔒

Enterprise

Employee PII Database

SSN, salary, performance data split across on-prem + cloud backends. GDPR Article 32 technical measures demonstrated mathematically. HR system compromise exposes no complete records.

Hybrid cloud + GDPR compliance

🏛

Government

Classified Data Storage

Split across SIPRNET, JWICS, and air-gapped systems. Information-theoretic security exceeds AES-256 — no computational assumptions, quantum-proof by construction. Zero-trust architecture enforced cryptographically.

3-of-5 threshold + IL5/IL6 compliance

⚖

Legal

Attorney-Client Communications

Privileged communications distributed across law firm systems and external backup. Single breach cannot expose attorney work product. Ethical wall enforcement via separate backend control.

ABA Model Rule 1.1(c) compliance

📊

Research

Clinical Trial Data

Patient outcomes split across university, sponsor, and CRO databases. Blind preserved mathematically — no single entity can unblind without threshold cooperation. FDA 21 CFR Part 11 audit trail.

Multi-party threshold + FDA compliance

Section 04

How It Works

VaultDB implements a six-step pipeline for write operations and a five-step reconstruction pipeline for reads. Each step provides cryptographic guarantees.

Write Pipeline (put)

Read Pipeline (get)

HMAC VERIFICATION

HMAC-SHA256 verification happens BEFORE reconstruction output is returned. If verification fails, the data is rejected immediately — no plaintext is ever exposed. This guards against tampering, backend corruption, and Byzantine faults.

Section 05

Integration

VaultDB provides a minimal API surface: three core operations and a pluggable backend interface. Integration takes less than 50 lines of code.

Basic setup (2-of-3 threshold)

import { VaultDB, MemoryBackend } from '@private.me/vaultdb';

// Create 3 independent storage backends
const backends = [
  new MemoryBackend('aws', 'AWS S3'),
  new MemoryBackend('gcp', 'Google Cloud'),
  new MemoryBackend('azure', 'Azure Blob'),
];

// 2-of-3: any 2 backends can reconstruct
const db = new VaultDB({ backends, threshold: 2 });

// Store a record -- splits across all 3
await db.put({
  id: 'user-42',
  data: { name: 'Alice', ssn: '***-**-****' }
});

// Retrieve -- reconstructs from threshold shares
const result = await db.get('user-42');
if (result.ok) {
  console.log(result.value.data); // { name: 'Alice', ... }
}

Storage Backend Interface

Implement this 5-method interface to connect any cloud provider or custom storage system:

StorageBackend interface

interface StorageBackend {
  readonly id: string;      // Backend identifier
  readonly name: string;    // Human-readable name

  put(key: string, data: Uint8Array): Promise<void>;
  get(key: string): Promise<Uint8Array | null>;
  delete(key: string): Promise<void>;
  list(): Promise<string[]>;
}

Example: AWS S3 Backend

S3 backend implementation

import { S3Client, PutObjectCommand, GetObjectCommand } from '@aws-sdk/client-s3';
import type { StorageBackend } from '@private.me/vaultdb';

class S3Backend implements StorageBackend {
  readonly id = 'aws-s3';
  readonly name = 'AWS S3 us-west-2';
  private client: S3Client;

  constructor(private bucket: string) {
    this.client = new S3Client({ region: 'us-west-2' });
  }

  async put(key: string, data: Uint8Array): Promise<void> {
    await this.client.send(new PutObjectCommand({
      Bucket: this.bucket,
      Key: key,
      Body: data,
    }));
  }

  async get(key: string): Promise<Uint8Array | null> {
    try {
      const response = await this.client.send(new GetObjectCommand({
        Bucket: this.bucket,
        Key: key,
      }));
      return new Uint8Array(await response.Body.transformToByteArray());
    } catch {
      return null;
    }
  }

  // ... delete, list implementations
}

Section 06

Security

VaultDB provides information-theoretic security guarantees. An attacker with fewer than K backends learns zero information about any record — not computationally hard, but mathematically impossible.

Threat Model

Attack Vector	Protection Mechanism	Guarantee
Single backend compromise	XorIDA threshold sharing	Zero records reconstructible
Backup file theft	No complete data in any backup	K backups required
Insider with admin access	Backend isolation	K systems must be compromised
Share tampering	HMAC-SHA256 verification	Tampering detected before output
Quantum computer attack	Information-theoretic security	No computational assumptions
Backend correlation	Independent storage systems	No shared infrastructure

Cryptographic Guarantees

100%

Information-theoretic

Computational assumptions

K-of-N

Threshold required

HMAC

SHA-256 verified

INFORMATION-THEORETIC SECURITY

XorIDA threshold sharing over GF(2) provides unconditional security — an attacker with K-1 shares has exactly the same information as an attacker with zero shares. No amount of computation can break this guarantee. Even a quantum computer with unlimited power cannot reconstruct data from insufficient shares.

Security Best Practices

Geographic Distribution

Recommended

Place backends in different regions

Use separate cloud providers

Consider regulatory boundaries

Air-gap one backend if possible

Administrative Separation

Critical

Different admin credentials per backend

Separate IAM policies and roles

Independent monitoring systems

No shared logging infrastructure

Section 07

Performance Benchmarks

VaultDB operations complete in milliseconds for typical record sizes. Performance scales linearly with record size and number of backends.

Put Operation (2-of-3 threshold)

Record Size	Serialize	Split	Backend Write (3x)	Total
1 KB	~0.2ms	~0.8ms	~3ms (1ms each)	~4ms
10 KB	~0.5ms	~2ms	~6ms (2ms each)	~8.5ms
100 KB	~1.5ms	~12ms	~15ms (5ms each)	~28.5ms
1 MB	~8ms	~33ms	~90ms (30ms each)	~131ms

Get Operation (2-of-3 threshold)

Record Size	Backend Read (2x)	Reconstruct	HMAC Verify	Total
1 KB	~2ms (1ms each)	~0.8ms	~0.3ms	~3.1ms
10 KB	~4ms (2ms each)	~2ms	~0.5ms	~6.5ms
100 KB	~10ms (5ms each)	~12ms	~1ms	~23ms
1 MB	~60ms (30ms each)	~33ms	~4ms	~97ms

PERFORMANCE NOTES

Backend I/O dominates total latency. In-memory backends complete in microseconds. Network-based backends (S3, GCS, Azure) add 10-100ms per operation depending on region and payload size. For production deployments, use regional backends close to application servers.

Section 08

Honest Limitations

VaultDB is not a full-featured database. It provides secure storage and retrieval, not query engines, indexing, or relational operations.

What VaultDB Does Not Provide

Limitation	Why	Workaround
SQL queries	Records split across backends	Use encrypted metadata field for indexing
Full-text search	No plaintext available to index	Maintain separate encrypted search index
Range queries	No ordering without reconstruction	Store sortable metadata in cleartext
Transactions	No ACID guarantees across backends	Implement application-level compensation
Foreign keys	No relational structure	Store relationships in metadata
Aggregations (COUNT, SUM)	Requires reconstruction of all records	Maintain counters in separate system

When NOT to Use VaultDB

Analytics Workloads

Requires scanning many records

Each record incurs reconstruction cost

Use encrypted analytics warehouse instead

High-Write Throughput

Every write hits N backends

Latency multiplies with backend count

Consider batching or async writes

Complex Joins

No query planner across backends

Join operations require full reconstruction

Pre-compute join results if possible

Real-Time Search

No indexed search without plaintext

Reconstruction too slow for autocomplete

Use searchable encryption schemes

DESIGN TRADEOFF

VaultDB prioritizes security over query performance. Every operation requires reconstructing data from K backends. This is the fundamental tradeoff for information-theoretic security — no shortcuts exist. If query performance matters more than breach prevention, traditional encrypted databases may be more appropriate.

Section 09

Storage Backends

VaultDB supports any storage system implementing the simple StorageBackend interface. Production deployments typically use cloud object stores with geographic distribution.

Supported Backend Types

☁

Cloud Object Storage

AWS S3 / GCS / Azure Blob

Primary production backend. Durable, scalable, multi-region. Each cloud provider gets one share for isolation.

Recommended for production

💾

Self-Hosted

MinIO / Ceph / Local Filesystem

Air-gapped deployments. Complete control over infrastructure. Useful for government/defense use cases requiring physical isolation.

Air-gap compatible

📊

Database-Backed

PostgreSQL / MongoDB / Redis

Embed shares in existing database as encrypted blobs. Simplifies deployment when cloud object stores unavailable.

Integration pattern

🧪

Testing

MemoryBackend

In-memory Map-based storage. Zero dependencies. Perfect for unit tests and local development.

Included in package

Multi-Cloud Distribution Pattern

Example: 2-of-3 across AWS, GCP, Azure

import { VaultDB } from '@private.me/vaultdb';
import { S3Backend } from './backends/s3';
import { GCSBackend } from './backends/gcs';
import { AzureBackend } from './backends/azure';

const db = new VaultDB({
  backends: [
    new S3Backend('my-bucket-us-west-2'),
    new GCSBackend('my-bucket-europe-west1'),
    new AzureBackend('my-container-asia-east1'),
  ],
  threshold: 2,
});

// Now any single cloud provider breach exposes zero records

Section 10

Deployment Patterns

VaultDB works in any JavaScript runtime with Web Crypto API support: Node.js, Deno, Bun, Cloudflare Workers, or browser contexts.

Node.js Server (Recommended)

Express API with VaultDB

import express from 'express';
import { VaultDB } from '@private.me/vaultdb';
import { S3Backend, GCSBackend, AzureBackend } from './backends';

const db = new VaultDB({
  backends: [
    new S3Backend(process.env.AWS_BUCKET),
    new GCSBackend(process.env.GCP_BUCKET),
    new AzureBackend(process.env.AZURE_CONTAINER),
  ],
  threshold: 2,
});

const app = express();
app.use(express.json());

app.post('/records', async (req, res) => {
  const result = await db.put(req.body);
  if (result.ok) {
    res.status(201).send({ success: true });
  } else {
    res.status(500).send({ error: result.error });
  }
});

app.get('/records/:id', async (req, res) => {
  const result = await db.get(req.params.id);
  if (result.ok) {
    res.json(result.value);
  } else {
    res.status(404).send({ error: result.error });
  }
});

app.listen(3000);

Cloudflare Workers (Serverless)

Cloudflare Workers deployment

import { VaultDB } from '@private.me/vaultdb';
import { R2Backend } from './backends/r2';

export default {
  async fetch(request, env) {
    const db = new VaultDB({
      backends: [
        new R2Backend(env.R2_BUCKET_US),
        new R2Backend(env.R2_BUCKET_EU),
        new R2Backend(env.R2_BUCKET_ASIA),
      ],
      threshold: 2,
    });

    const url = new URL(request.url);
    if (url.pathname.startsWith('/records/')) {
      const id = url.pathname.split('/')[2];
      const result = await db.get(id);
      return Response.json(result);
    }
  }
};

Section 11

Enterprise Deployment

Enterprise deployments add administrative backends, audit logging, and compliance reporting while maintaining the same security guarantees.

Enterprise Features

Audit Trail

HMAC-chained

Every put/get/delete logged

Tamper-evident append-only log

Integration with SIEM systems

Compliance reporting (SOC 2, ISO 27001)

Admin Backend

Recovery

4th backend for emergency access

Break-glass procedures

Multi-party authorization required

Full audit trail of admin access

Geographic Compliance

Regional

GDPR: EU backends only for EU data

Data residency enforcement

Per-region threshold configuration

Automated compliance reporting

Backup & DR

Resilience

Shares backed up independently

Cross-region disaster recovery

RTO < 15 minutes with K healthy backends

Point-in-time recovery per backend

Compliance Alignment

Framework	Requirement	VaultDB Solution
HIPAA	PHI encryption at rest	XorIDA split + HMAC verification
PCI DSS	Requirement 3.4 (unreadable cardholder data)	No single backend holds reconstructible data
GDPR	Article 32 (technical measures)	Information-theoretic security + geographic isolation
SOC 2	CC6.1 (logical access)	K-of-N threshold enforces separation of duties
ISO 27001	A.10.1.1 (cryptographic controls)	Documented split-storage architecture
FedRAMP	SC-28 (protection of data at rest)	FIPS 140-2 validated HMAC + threshold sharing

Section 12

Developer Experience

VaultDB uses Result-based error handling and provides detailed error codes for debugging and operational monitoring.

Error Handling

Result pattern with error codes

const result = await db.get('user-42');

if (result.ok) {
  console.log('Record:', result.value.data);
} else {
  switch (result.error.code) {
    case 'RECORD_NOT_FOUND':
      console.log('Record does not exist');
      break;
    case 'INSUFFICIENT_SHARES':
      console.error('Not enough backends available');
      break;
    case 'HMAC_FAILED':
      console.error('Data integrity check failed');
      break;
    default:
      console.error('Unexpected error:', result.error);
  }
}

Error Codes

Code	Category	When
INVALID_CONFIG	Configuration	Fewer than 2 backends, threshold < 2, or threshold > backend count
SPLIT_FAILED	Write	XorIDA splitting or serialization failed during put()
HMAC_FAILED	Security	HMAC verification failed during get() — possible tampering
RECONSTRUCT_FAILED	Read	XorIDA reconstruction or deserialization failed during get()
INSUFFICIENT_SHARES	Availability	Fewer shares available than configured threshold
RECORD_NOT_FOUND	Not Found	No shares found for the given record ID
BACKEND_ERROR	Infrastructure	Storage backend read, write, or delete operation failed

OPERATIONAL MONITORING

Monitor INSUFFICIENT_SHARES errors to detect backend outages before threshold is breached. Alert on HMAC_FAILED as potential security incidents requiring investigation.

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Pay per use

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/vaultdb
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Enterprise

Self-hosted infrastructure for air-gapped, compliance, or data residency requirements.

Complete data sovereignty
Air-gap capable
Docker + Kubernetes ready
RBAC + audit logs included

Enterprise CLI →