Security

Zero-Knowledge Architecture

Mantrix is built on a single principle: your files stay private. We designed the system so Mantrix does not receive plaintext file contents or zero-knowledge decryption keys during normal storage and restore flows.

🔑

You can hold the key (zero-knowledge)

For zero-knowledge accounts, your encryption key is derived from your passphrase on your device and is not sent to Mantrix.

🔒

Encrypted before upload

Every file is encrypted with AES-256-GCM on your device before a single byte leaves for the network. The server receives only ciphertext.

🌐

Erasure-coded across nodes

Encrypted shards are distributed across multiple service nodes using Reed-Solomon EC16+4, so any 16 of 20 shards can reconstruct the ciphertext. Today these nodes run in a single region; geographic multi-region distribution is on our roadmap.

🚫

No plaintext file contents by design

Mantrix is designed so servers store encrypted file data, not plaintext file contents. We still process account data, billing data, logs, and encrypted metadata needed to operate the service.

How a file upload works

1

Key derivation (your device)

For zero-knowledge accounts, a 256-bit encryption key is derived from your passphrase using a memory-hard KDF and is not sent to Mantrix.

2

AES-256-GCM encryption (your device)

The file is encrypted in your browser or client app. The result is ciphertext plus an authentication tag before storage.

3

Erasure coding (server)

The ciphertext is split into 20 shards using Reed-Solomon EC 16+4. Any 16 shards can reconstruct the full ciphertext.

4

Shard distribution (server)

Shards are placed across multiple service nodes so no single node holds the complete encrypted object. These nodes currently run in one region; geographic multi-region distribution is planned.

5

Download & decrypt (your device)

On download, 16+ shards are retrieved and assembled into ciphertext, then decrypted locally using your key. Integrity is verified by the GCM authentication tag.

What Mantrix is designed not to do

The items below describe Zero-Knowledge accounts. Standard (managed-key) accounts are the default and allow Mantrix to recover or decrypt your contents when you ask or when legally required.

Read or scan plaintext file content
Recover your files without your passphrase
Provide plaintext file contents or keys we do not possess
Use your file content for advertising or AI training
Use file contents for advertising
Identify what is inside an encrypted file

For Zero-Knowledge accounts these are enforced by the encryption design, because Mantrix does not hold your key. Standard (managed-key) accounts trade some of this protection for key recovery and convenience: Mantrix holds the key and can be compelled by law to decrypt. Choose Zero-Knowledge in settings if you need the stronger guarantee.

Security FAQ

What encryption algorithm does Mantrix use?

AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). This provides both confidentiality and authenticated integrity — any tampering with the ciphertext is detected on decryption.

Where is the encryption key stored?

For zero-knowledge accounts, the key is derived client-side from your passphrase and is not transmitted to Mantrix servers. If you lose your passphrase and no recovery method exists, your data may be permanently inaccessible.

What is EC 16+4 erasure coding?

Reed-Solomon erasure coding splits each encrypted file into 20 shards (16 data + 4 parity). Your file can be reconstructed from any 16 of the 20 shards, subject to account status and service availability.

What happens if Mantrix receives a law enforcement request?

We can provide encrypted shards, account metadata, and readable file metadata such as names and folder structure. For Zero-Knowledge accounts we cannot provide decrypted content because we do not hold the key. For Standard (managed-key) accounts we may be compelled to produce decrypted content. Our policy is published in the Law Enforcement and Transparency pages.

Has Mantrix been audited?

A formal third-party security audit is planned for Phase 2. Our architecture documentation, threat model, and source code are available for review. We publish our legal response policy publicly.

What data does Mantrix store about me?

Account data (email, billing records, storage usage metrics), encrypted file shards, and file metadata such as file and folder names, sizes, types, and your folder structure, which are stored in readable form to operate the service. File contents are stored encrypted; for Zero-Knowledge accounts Mantrix cannot decrypt them, and for Standard accounts Mantrix does not read them for advertising, profiling, or model training. See the Privacy Policy for the complete data inventory.

Privacy Policy · Transparency Report · Acceptable Use · ภาษาไทย

Try it free — 30 days, no card

Upload your first batch, test a restore, and choose Zero-Knowledge if you want to be the only one who can decrypt. No credit card required.

Start Free Trial