🔐 A robust, client-side encrypted file storage solution ensuring maximum data privacy and security.
🌐 Deployed App: Project Aegis - Click here to view
Project Aegis is a cutting-edge secure file vault system developed as part of the Cyber Security Course (July-Dec 2025). This project ensures maximum privacy by performing all cryptographic operations in the browser. Files are encrypted with AES-256, integrity-protected with SHA-256, and securely stored in the backend database along with their encrypted keys — ensuring that only the rightful owner with the private RSA key can decrypt and access the data.
In today’s digital world, storing sensitive files on cloud servers poses significant privacy and security risks. Traditional storage methods often rely on server-side encryption, which can expose encryption keys or plaintext data to the server.
Project Aegis addresses this issue by providing a web-based secure file vault where all cryptographic operations — encryption, decryption, and hashing — are performed entirely on the client side (in the browser).
The system works as follows:
- The user selects a file to upload.
- A random AES-256 key is generated for the file.
- The SHA-256 digest of the file is calculated for integrity verification.
- The file content along with its hash is encrypted using AES-256-GCM.
- The AES key is encrypted using the user's RSA public key.
- The server stores only:
- The encrypted file and hash
- The encrypted AES key
To decrypt a file:
- Retrieve the encrypted file and AES key from the server.
- Decrypt the AES key using the user's RSA private key.
- Use the AES key to decrypt the file.
- Verify the file integrity using the stored SHA-256 hash.
All keys and cryptographic operations remain on the client; no keys are sent to the server. Users can generate RSA key pairs manually (converted to HEX format) or use the “Generate RSA Key Pair” option in the GUI. The public key can be stored in localStorage for convenience, but the private key must never be stored.
This approach ensures:
- Confidentiality: The server never sees plaintext files or encryption keys.
- Integrity: Files can be verified for tampering using stored SHA-256 hashes.
- Security & Availability: The system ensures Confidentiality (no plaintext files or keys are exposed), Integrity (files can be verified using SHA-256 hashes), and Availability (users can reliably access and decrypt their files anytime using their private RSA key).
- User Control: Only users with the correct private RSA key can decrypt and access their files.
By combining client-side cryptography with secure backend storage, Project Aegis provides a robust and reliable solution for confidential file storage and retrieval.
-
Client-Side Encryption/Decryption
- All cryptographic operations performed locally in the browser
- Zero-knowledge architecture - server never sees unencrypted data
- AES-256-GCM for file encryption
- RSA for key protection
-
Data Integrity Protection
- SHA-256 hash verification
- Tamper-evident storage
- Cryptographic integrity checks
-
Secure Key Management
- Client-generated AES-256 keys for each file
- RSA public/private key authentication
- No key storage on server
-
User-Friendly Interface
- Intuitive file upload/download
- Drag-and-drop support
- My Files Dashboard
- View all your uploaded encrypted files in one place
- Decrypt files directly from the dashboard using your private RSA key
- Sort files by name, size, or upload date for easy access
-
Secure Backend Storage
- Encrypted files stored in database with metadata (filename, size, hash)
- AES keys stored only in RSA-encrypted HEX format
- Strict Row-Level Security (RLS) ensures users can access only their own files
- Database policies allow only authenticated users to insert, read, and delete their files
- Integrity maintained via stored SHA-256 hash for each file
-
Frontend
- React
- TypeScript
- Tailwind CSS
- Web Crypto API (for Cryptographic Libraries)
-
Backend
- Supabase – used for database storage and authentication
- Node.js
-
Deployment
- Vercel - for frontend hosting
- Supabase Cloud – for database and authentication
- User selects a file through the web interface
- System generates a random AES-256 key
- File is hashed using SHA-256
- File + hash are encrypted using AES-256-GCM
- AES key is encrypted with user's RSA public key
- Encrypted file and encrypted AES key are stored on server
- User requests file download
- System retrieves encrypted file and AES key
- AES key is decrypted using user's RSA private key
- File is decrypted using the recovered AES key
- File integrity is verified against original hash
- File is delivered to user if verification passes
The backend uses two primary tables in Supabase to manage users and their encrypted files, with Row Level Security (RLS) enabled to ensure users can only access their own data.
usersTable: Stores user authentication information provided by Supabase Auth.filesTable: Contains metadata for each uploaded file, including the filename, size, and the encrypted content itself. Crucially, it also stores the file-specific AES key, which is itself encrypted with the user's public RSA key.
The following flowcharts illustrate the client-side cryptographic processes for file encryption and decryption.
Encryption Flowchart
Decryption Flowchart
- Clone the repository
git clone https://github.com/Hargun-Preet/Project-Aegis.git
cd Project-Aegis- Install dependencies
npm install- Set up environment variables
cp .env.example .env-
Set up Supabase Database
A. CLI Method
# First, make sure you have the Supabase CLI installed
npm install supabase --save-dev
# In your repo, initialize the Supabase project
npx supabase init
# Start the Supabase stack
npx supabase start
# Login to Supabase (you'll need to create an account at https://supabase.com)
supabase login
# Link your project to your Supabase project
supabase link --project-ref YOUR_PROJECT_REF
# YOUR_PROJECT_REF = a short unique ID in your Project URL: https://YOUR_PROJECT_REF.supabase.co
# Push the database migrations to your Supabase project
supabase db pushThis will apply all migrations from your local supabase/migrations/ folder to your Supabase project database.
B. Manual Method
If you don’t want to use the CLI, you can run the migration SQL directly:
1. Go to your project folder → open the supabase/migrations/ directory.
2. Copy the SQL migration file content.
3. Open your Supabase Dashboard → go to SQL Editor. If you dont have a project, Sign Up in Supabase and create a new project.
4. Click on the SQL Editor button at top right, you can also press CTRL + E to open it quickly.
5. Paste the SQL code.
6. Click Run to execute the migration and create the required tables in your project.- Configure your environment variables in
.env:
# Get these from your Supabase project dashboard → Project Overview → Scroll down to Project API
# Your Supabase project URL
VITE_SUPABASE_URL=your-project-url
# Your Supabase anon/public key
VITE_SUPABASE_ANON_KEY=your-anon-key- Configure Supabase Authentication Settings
By default, email confirmations are turned ON in Supabase.
This means that when a new user signs up, they must confirm their email by clicking the link sent to their inbox before they can sign in.
If you want to disable this (useful in development):
1. Go to your Supabase Dashboard.
2. Navigate to Authentication.
3. In the Configuration pane, go to Sign In / Providers.
4. Under User SignUps, toggle OFF Confirm your email.
5. Click Save to apply changes.See more about email confirmation in the "Email Verification Setup" section below.
- Start development server
npm run devBy default, Supabase requires email verification for new users. You have two options:
Option 1: Disable Email Confirmation (for development)
- Go to your Supabase Dashboard.
- Navigate to Authentication.
- In the Configuration pane, go to Sign In / Providers.
- Under User SignUps, toggle OFF Confirm your email.
- Click Save to apply changes.
Option 2: Enable Proper Email Verification (recommended for production)
- Keep email confirmations enabled in Supabase
- Set up your email templates in Authentication → Email under the Confirm signup scetion
- Configure your Site URL in Authentication → URL Configuration
- If you are pushing your code to production, you must add your website’s domain name here.
- By default, Supabase uses http://localhost:3000 in the confirmation emails.
- To fix this, go to your Supabase Dashboard → Authentication → URL Configuration → in the Site URL field, enter your website’s domain name, then save changes.
Once configured, the confirmation emails will correctly redirect users to your website instead of localhost.
- Use OpenSSL to generate your key pair:
# Generate private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
# Extract public key
openssl rsa -pubout -in private_key.pem -out public_key.pem- Convert keys to HEX format:
# For private key
openssl rsa -in private_key.pem -outform DER | xxd -p -c 256
# For public key
openssl rsa -pubin -in public_key.pem -outform DER | xxd -p -c 256- Input your RSA public key in HEX format in the key management section
- You can either:
- Generate your own RSA key pair using OpenSSL locally, or
- Use the “Generate RSA Key Pair” option provided in the web app.
- 💡 Note: Only the public key should be input here; never upload your private key.
- Upload files through the drag-and-drop interface
- Monitor encryption progress
- For decryption, input your RSA private key when prompted
- Download and verify decrypted files
SecureVault/
├── src/
│ ├── components/ # React components
│ ├── lib/ # Cryptographic operations
│ ├── pages/ # Application pages
│ └── types/ # TypeScript definitions
└── supabase/ # Database migrations
Group B14 Members:
 |
 |
 |
 |
 |
- Private keys should never be stored in the browser
- Always use secure channels to transfer keys
- Regularly rotate RSA key pairs
- Verify file integrity after decryption
- Use strong passwords for key protection
This project is licensed under the MIT License - see the LICENSE file for details.
- Cyber Security Course Faculty
- Special thanks to Dr. Soumyadev Maity for guidance and support
- Gratitude to the TAs and faculty team for their assistance throughout the project
- Supabase Team for Backend Infrastructure
- Web Crypto API Contributors