private.me
AWS COMPATIBILITY

AWS Compatible

Private.Me ACIs integrate seamlessly with AWS services, enhancing security without replacing existing infrastructure. Deploy threshold cryptography alongside S3, Lambda, EC2, and RDS while maintaining full AWS compatibility.

Better Together

Private.Me does not replace AWS. It enhances it. AWS provides battle-tested cloud infrastructure — compute, storage, networking, databases. Private.Me adds information-theoretic security through threshold secret sharing.

The result: AWS scalability and reliability combined with cryptographic security that no key compromise can break.

Why Not Just Use AWS?

AWS KMS, Secrets Manager, and encryption-at-rest provide strong security for most workloads. However, they all rely on key management. If an attacker obtains the key — through credential theft, misconfiguration, or insider access — encrypted data becomes plaintext.

Private.Me eliminates keys entirely. XorIDA threshold sharing over GF(2) provides information-theoretic security: even if an attacker compromises one storage location, they gain zero information about the plaintext.

AWS Provides Scale, Private.Me Provides Security

Use AWS for what it does best: globally distributed infrastructure, autoscaling, managed databases, serverless compute. Use Private.Me for what AWS cannot do: zero-key cryptography and threshold-based access control that survives key compromise.

The Security Gap AWS Can't Close

AWS encryption assumes key safety. If keys are compromised — through leaked credentials, IAM misconfiguration, or insider threat — all encrypted data becomes readable. Private.Me closes this gap by eliminating keys entirely.

Threat AWS Defense Private.Me Defense
Stolen IAM Credentials KMS key policies (if configured correctly) No keys to steal. Shares are useless individually.
S3 Bucket Misconfiguration Bucket policies, ACLs, Block Public Access Even if bucket is public, shares reveal nothing without threshold.
RDS Snapshot Exposure Encryption-at-rest (requires key access) Snapshots contain shares only. No reconstruction without threshold.
Lambda Environment Variable Leak Encrypt with KMS (key must be accessible) Store shares in env vars. No single Lambda has threshold access.
Insider Threat IAM least privilege, audit logs Insider with root access still cannot reconstruct without threshold shares.
CloudTrail Deletion S3 Object Lock, cross-account logging Audit logs stored as threshold shares. Deletion requires compromising multiple accounts.

AWS + Private.Me = Defense in Depth

AWS provides perimeter security: IAM, security groups, encryption-at-rest. Private.Me provides data-layer security: even if the perimeter is breached, threshold cryptography ensures data remains confidential.

AWS Service Upgrade Map

Private.Me ACIs integrate with AWS services to add threshold security without migration or code rewrites. Below is a mapping of AWS services to compatible Private.Me ACIs.

AWS Service Private.Me ACI Security Upgrade
S3 xStore Store shares across buckets. No single bucket contains plaintext.
Lambda xCompute Threshold computation across multiple Lambda invocations. No single function sees plaintext.
KMS xLock Replace key-based encryption with threshold sharing. No keys to compromise.
Secrets Manager xPass Store secrets as threshold shares. No single retrieval exposes the secret.
EC2 xGate Threshold-based SSH access. No single key grants full access.
RDS xStore Encrypt database columns as threshold shares. Breach of DB does not leak plaintext.
ECS/EKS xLink Identity-based container authentication. No API keys in environment variables.
SQS/SNS xChange End-to-end encrypted messaging with threshold decryption. Queue breach reveals nothing.
CloudTrail xProve Immutable audit logs via threshold sharing. Logs cannot be tampered with or deleted.
API Gateway xLink Identity-based API authentication. No JWT secrets or API keys.

Deployment Architecture

Private.Me ACIs deploy alongside AWS services. Below are three common architectures for integrating Private.Me with AWS.

Pattern 1: Threshold S3 Storage

Split sensitive data into shares and store across multiple S3 buckets in different regions or accounts. Even if one bucket is compromised, attackers gain zero information.

  • Application: Uses xStore client to split data into shares.
  • Share 1: Stored in us-east-1 bucket (Account A).
  • Share 2: Stored in eu-west-1 bucket (Account B).
  • Share 3: Stored in ap-southeast-1 bucket (Account C).
  • Reconstruction: Requires access to at least 2 shares (configurable threshold).

Attack resistance: Breach of one AWS account or region reveals nothing. Attacker must compromise at least 2 accounts simultaneously.

Pattern 2: Threshold Lambda Compute

Distribute computation across multiple Lambda functions. No single function has access to the complete plaintext.

  • Input: Split into shares via xCompute.
  • Lambda 1: Processes Share 1 (partial computation).
  • Lambda 2: Processes Share 2 (partial computation).
  • Lambda 3: Processes Share 3 (partial computation).
  • Aggregator: Combines results to produce final output.

Attack resistance: Compromising one Lambda function reveals only partial computation. Attacker must compromise threshold Lambdas to reconstruct the plaintext.

Pattern 3: Cross-Region Secrets

Store secrets (API keys, database passwords, certificates) as threshold shares across AWS regions. No single region contains the complete secret.

  • Secret: Split into shares via xPass.
  • us-east-1: Stores Share 1 in Secrets Manager.
  • eu-west-1: Stores Share 2 in Secrets Manager.
  • ap-southeast-1: Stores Share 3 in Secrets Manager.
  • Application: Fetches shares from multiple regions, reconstructs secret in memory (never persisted).

Attack resistance: Regional outage or breach does not expose the secret. Attacker must compromise multiple regions to reconstruct.

Code Examples

Below are code examples showing how to integrate Private.Me ACIs with AWS SDK.

Example 1: Threshold S3 Storage (xStore)

Store a file across three S3 buckets using 2-of-3 threshold sharing. 

import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
import { connect } from '@private.me/agent-sdk';

const s3 = new S3Client({ region: 'us-east-1' });
const xstore = await connect('xstore');

// Split file into shares
const file = await fetch('/path/to/sensitive.pdf').then(r => r.arrayBuffer());
const { shares } = await xstore.value.agent.split({
  payload: new Uint8Array(file),
  threshold: 2,
  total: 3
});

// Store shares in different buckets
await s3.send(new PutObjectCommand({
  Bucket: 'bucket-us-east-1',
  Key: 'share-1',
  Body: shares[0]
}));

await s3.send(new PutObjectCommand({
  Bucket: 'bucket-eu-west-1',
  Key: 'share-2',
  Body: shares[1]
}));

await s3.send(new PutObjectCommand({
  Bucket: 'bucket-ap-southeast-1',
  Key: 'share-3',
  Body: shares[2]
}));

// Reconstruction requires fetching at least 2 shares
const reconstructed = await xstore.value.agent.reconstruct({
  shares: [shares[0], shares[1]] // Any 2 shares work
});

Example 2: Threshold Secrets Manager (xPass)

Store a database password across multiple AWS Secrets Manager instances. 

import { SecretsManagerClient, CreateSecretCommand, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
import { connect } from '@private.me/agent-sdk';

const xpass = await connect('xpass');

// Split password into shares
const { shares } = await xpass.value.agent.split({
  payload: 'SuperSecretDBPassword123!',
  threshold: 2,
  total: 3
});

// Store shares in different regions
const secretsUS = new SecretsManagerClient({ region: 'us-east-1' });
await secretsUS.send(new CreateSecretCommand({
  Name: 'db-password-share-1',
  SecretString: Buffer.from(shares[0]).toString('base64')
}));

const secretsEU = new SecretsManagerClient({ region: 'eu-west-1' });
await secretsEU.send(new CreateSecretCommand({
  Name: 'db-password-share-2',
  SecretString: Buffer.from(shares[1]).toString('base64')
}));

// Reconstruction requires fetching at least 2 shares
const share1 = await secretsUS.send(new GetSecretValueCommand({ SecretId: 'db-password-share-1' }));
const share2 = await secretsEU.send(new GetSecretValueCommand({ SecretId: 'db-password-share-2' }));

const reconstructed = await xpass.value.agent.reconstruct({
  shares: [
    Buffer.from(share1.SecretString, 'base64'),
    Buffer.from(share2.SecretString, 'base64')
  ]
});

console.log(reconstructed); // 'SuperSecretDBPassword123!'

Example 3: Identity-Based ECS Authentication (xLink)

Replace API keys with identity-based authentication for ECS containers. 

import { connect } from '@private.me/agent-sdk';

// Container 1: Payment service
const paymentsConn = await connect('payments');
const result = await paymentsConn.value.agent.send({
  to: 'did:private:abc123...', // Inventory service DID
  payload: { action: 'check-stock', sku: 'WIDGET-001' }
});

// No API keys in environment variables
// No JWT secrets to rotate
// No OAuth tokens to leak
// Identity verified via Ed25519 signatures

Security Comparison

How does AWS encryption compare to Private.Me threshold cryptography?

Aspect AWS KMS Private.Me (XorIDA)
Key Management Required (customer master keys) None (threshold sharing, no keys)
Single Point of Compromise Yes (if KMS key is accessed) No (requires threshold shares)
Quantum Resistance No (AES-256 is secure, but key exchange is not) Yes (information-theoretic security)
Insider Threat Protection Limited (admin access can decrypt) Strong (admin cannot reconstruct without threshold)
Regional Breach Resistance No (same region stores key and data) Yes (shares distributed across regions)
Compliance FIPS 140-2 validated Information-theoretic (no key escrow possible)
Performance (1MB) ~10ms (AES-256-GCM) ~33ms (XorIDA 2-of-2)

When to use AWS KMS: General-purpose encryption, integration with AWS services, FIPS compliance.

When to use Private.Me: Zero-trust architectures, insider threat protection, multi-region breach resistance, quantum-safe data protection.

AWS Marketplace

Private.Me ACIs will be available on AWS Marketplace, enabling one-click deployment and billing through your AWS account. This simplifies procurement for enterprises already using AWS.

Marketplace Benefits

  • Consolidated Billing: Pay for Private.Me ACIs through your AWS invoice.
  • One-Click Deployment: Launch ACIs via CloudFormation or Terraform.
  • EDP Credits: Apply AWS Enterprise Discount Program credits to Private.Me subscriptions.
  • Compliance Inheritance: Private.Me inherits AWS Marketplace security certifications.

Available ACIs (Planned)

  • xStore — Threshold storage for S3
  • xCompute — Threshold computation for Lambda
  • xPass — Threshold secrets for Secrets Manager
  • xLink — Identity-based authentication for ECS/EKS
  • xLock — Push-based authentication for EC2 SSH
  • xProve — Immutable audit logs for CloudTrail

Launch Timeline: Q3 2026 (subject to AWS Marketplace approval process).

AWS GovCloud Compatibility

Private.Me ACIs are architected for AWS GovCloud (US) deployment, enabling federal agencies and defense contractors to use threshold cryptography in FedRAMP and CMMC environments.

GovCloud-Specific Features

  • FIPS 140-2 Validated Modules: All cryptographic primitives (AES, HMAC, Ed25519) use FIPS-validated libraries.
  • CMMC Level 3 Support: Threshold sharing meets CUI protection requirements without key escrow.
  • Air-Gap Ready: ACIs deploy in disconnected environments via xBoot.
  • Cross-Region Resilience: Distribute shares across us-gov-west-1 and us-gov-east-1.
  • Audit Logging: Immutable audit logs via xProve meet FedRAMP continuous monitoring requirements.

Example: CMMC-Compliant S3 Storage

Store CUI (Controlled Unclassified Information) across GovCloud regions using 2-of-3 threshold sharing. 

import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
import { connect } from '@private.me/agent-sdk';

const xstore = await connect('xstore');

// Split CUI document into shares
const { shares } = await xstore.value.agent.split({
  payload: cuiDocument,
  threshold: 2,
  total: 3
});

// Store shares in GovCloud regions
const s3West = new S3Client({ region: 'us-gov-west-1' });
await s3West.send(new PutObjectCommand({
  Bucket: 'cui-west-bucket',
  Key: 'share-1',
  Body: shares[0]
}));

const s3East = new S3Client({ region: 'us-gov-east-1' });
await s3East.send(new PutObjectCommand({
  Bucket: 'cui-east-bucket',
  Key: 'share-2',
  Body: shares[1]
}));

// Share 3 stored on-premises via xBoot (air-gap)
await writeToAirGapStorage('share-3', shares[2]);

Compliance Result: Even if an attacker compromises one GovCloud region, CUI remains protected. Reconstruction requires both GovCloud regions or one region + on-premises storage.

Get Started

Ready to integrate Private.Me ACIs with your AWS infrastructure? Follow these steps:

1. Identify High-Value Data

Determine which data requires threshold protection: customer PII, financial records, encryption keys, API secrets, audit logs.

2. Choose Compatible ACIs

Map AWS services to Private.Me ACIs using the Service Upgrade Map above. Start with one ACI (e.g., xStore for S3 or xPass for Secrets Manager).

3. Deploy Proof of Concept

Install the Private.Me agent SDK and integrate with your existing AWS SDK code: 

npm install @private.me/agent-sdk

4. Configure Threshold Policy

Decide on threshold parameters: 2-of-3 for high availability, 3-of-5 for maximum security. Distribute shares across AWS accounts, regions, or on-premises storage.

5. Measure Performance

Benchmark share splitting and reconstruction for your workload. XorIDA overhead is typically 2-4× slower than AES for small payloads, but scales better for large files (1MB = ~33ms).

6. Roll Out Production

Gradually migrate high-value data to threshold storage. Monitor via CloudWatch metrics. No downtime required — shares can be generated from existing encrypted data.

Support

Contact contact@private.me for architecture review, deployment planning, and enterprise support.

© 2026 Standard Clouds, Inc. dba PRIVATE.ME