Storage Modes

Choose between encrypted and plain storage modes, with three encryption algorithms to fit your use case.

πŸ“‚ Storage Modes

MothrBox offers flexible storage modes to match your security and performance requirements. Choose encrypted mode with one of three military-grade algorithms, or use plain mode for public data.

πŸ” Encrypted Mode

Store data with end-to-end encryption before it leaves your machine. Choose from three battle-tested algorithms:

AES-256-GCM (Default)

Best for: General purpose, compliance requirements, large files

./mothrbox encrypt confidential.pdf "SecurePassword2024"
./mothrbox decrypt <blob-id> recovered.pdf "SecurePassword2024"

Features:

  • βœ… Hardware-accelerated on Intel/AMD (AES-NI)
  • βœ… Industry standard (Signal, WhatsApp, 1Password)
  • βœ… NIST approved, FIPS 140-2 compliant
  • βœ… Password-based authentication
  • βœ… PBKDF2 key derivation (600,000 iterations)

Use Cases:

  • Legal documents and contracts
  • Healthcare records (HIPAA-compliant)
  • Financial data and invoices
  • Corporate confidential documents
  • General-purpose secure storage

ChaCha20-Poly1305

Best for: Mobile devices, ARM processors, IoT devices

./mothrbox chacha-encrypt video.mp4 "MobilePass123"
./mothrbox chacha-decrypt <blob-id> video.mp4 "MobilePass123"

Features:

  • βœ… Optimized for ARM/mobile processors
  • βœ… Faster than AES without hardware acceleration
  • βœ… Used in WireGuard, TLS 1.3
  • βœ… Password-based authentication
  • βœ… Constant-time implementation (timing attack resistant)

Use Cases:

  • Mobile photo/video backups
  • IoT sensor data storage
  • Raspberry Pi applications
  • Mobile app encrypted databases
  • Performance-critical applications on ARM

ECC (Elliptic Curve Cryptography)

Best for: Secure sharing without password exchange, multi-recipient scenarios

# Generate keys (one-time)
./mothrbox keygen

# Encrypt with recipient's public key (NO PASSWORD!)
./mothrbox ecc-encrypt document.pdf recipient_public.key

# Decrypt with private key
./mothrbox ecc-decrypt <blob-id> document.pdf your_private.key

Features:

  • βœ… NIST P-256 elliptic curve (NSA Suite B approved)
  • βœ… No password sharing required
  • βœ… Ephemeral ECDH (perfect forward secrecy)
  • βœ… Hybrid encryption (ECC + AES-256-GCM internally)
  • βœ… Key-based authentication

Use Cases:

  • Secure document sharing across teams
  • Multi-recipient encryption (encrypt once per recipient)
  • Whistleblower protection systems
  • Academic research data sharing
  • Enterprise key management scenarios
  • Token-gated content systems

πŸ“ Plain Mode

Best for: Public data, media delivery, open-access content

Store data without encryption when confidentiality is not required. Ideal for:

  • Public media files (images, videos)
  • Open-source project assets
  • Public documentation
  • Non-sensitive metadata
  • Content delivery networks (CDN-style usage)
# Upload without encryption (coming soon in CLI)
./mothrbox upload public_data.json

# Or use direct Walrus client
docker exec mothrbox_system bash -c "
  deno run -A --env-file=mothrbox_ts/.env \
  mothrbox_ts/src/walrus-cli.ts upload /app/data/public_file.jpg
"

⚠️ Warning: Plain mode stores data unencrypted. Anyone with the blob ID can access the content. Only use for truly public data.

Comparison Table

FeatureAES-256-GCMChaCha20-Poly1305ECC P-256Plain Mode
Encryptionβœ… Yesβœ… Yesβœ… Yes❌ No
SpeedVery Fast (HW)Fast (SW)ModerateFastest
Hardware Accelβœ… x86/x64❌ No❌ NoN/A
AuthenticationPasswordPasswordKey-basedNone
Key SharingPassword requiredPassword requiredPublic key onlyPublic blob ID
Multi-RecipientRe-encrypt eachRe-encrypt eachβœ… EasyN/A
Best PlatformDesktop/ServerMobile/ARMAnyAny
Use CaseGeneral purposePerformanceSharingPublic data

Choosing the Right Mode

Use Encrypted Mode When:

  • βœ… Data contains personal information (PII)
  • βœ… Compliance required (HIPAA, GDPR, SOC 2)
  • βœ… Confidential business documents
  • βœ… Financial or legal records
  • βœ… Medical or identity information
  • βœ… Trade secrets or intellectual property
  • βœ… Private communications
  • βœ… Any sensitive information

Use Plain Mode When:

  • βœ… Content is already public
  • βœ… Fast delivery is critical
  • βœ… No privacy concerns
  • βœ… Open-source project files
  • βœ… Public media assets
  • βœ… Non-sensitive metadata

Algorithm Selection Guide

Choose AES-256-GCM if:

  • Running on desktop/server with Intel or AMD processor
  • Need maximum compliance (NIST, FIPS)
  • Default choice for most users
  • Large files benefit from hardware acceleration

Choose ChaCha20-Poly1305 if:

  • Running on mobile devices (iOS, Android)
  • Using ARM processors (Raspberry Pi, Apple Silicon)
  • IoT devices without AES hardware
  • Performance matters and no hardware acceleration available

Choose ECC if:

  • Sharing files with multiple recipients
  • Want to avoid password exchange
  • Need public key infrastructure (PKI)
  • Enterprise key management
  • Long-term storage with key rotation

Choose Plain Mode if:

  • Content is intentionally public
  • No security concerns
  • Maximum speed required

Security Considerations

For Password-Based Modes (AES, ChaCha20):

Strong Passwords:

# Bad
./mothrbox encrypt file.pdf "password123"

# Good
./mothrbox encrypt file.pdf "Tr0ng!P@ssw0rd#2024$WithMixedCase"

# Best - generate random
PASSWORD=$(openssl rand -base64 32)
./mothrbox encrypt file.pdf "$PASSWORD"

Password Management:

  • βœ… Use unique passwords per file
  • βœ… Store in password manager (1Password, Bitwarden)
  • βœ… Never share password with blob ID in same channel
  • βœ… Write critical passwords in physical safe

Password Sharing:

# Channel 1 (Email/Slack): Share blob ID
# Channel 2 (Phone/Signal): Share password

For Key-Based Mode (ECC):

Private Key Protection:

  • βœ… NEVER share private keys
  • βœ… Store encrypted at rest
  • βœ… Back up to secure location (encrypted USB, hardware wallet)
  • βœ… Use different key pairs for different purposes
  • βœ… Rotate keys periodically

Public Key Sharing:

  • βœ… Share freely via email, GitHub, websites
  • βœ… Public keys cannot decrypt - safe to distribute
  • βœ… Consider key directory service for teams

Key Storage Best Practices:

# Encrypt private key at rest
gpg --symmetric --cipher-algo AES256 private.key

# Store in secure location
chmod 600 private.key
mv private.key ~/.ssh/mothrbox_private.key

# Back up encrypted
cp private.key.gpg /path/to/encrypted/backup/

For Plain Mode:

Remember:

  • ❌ No encryption means anyone with blob ID can access
  • ❌ Data visible on Walrus network
  • ❌ Cannot be "made private" later
  • βœ… Only use for truly public content

Migration Between Modes

Encrypted to Plain (Decrypt and Re-upload)

# Download and decrypt
./mothrbox decrypt <encrypted-blob-id> file.pdf "Password123"

# Re-upload as plain (if you really want to)
# Note: Use direct Walrus client for plain mode

⚠️ Warning: Once encrypted data is stored as plain, it cannot be "unshared". Only do this if content is truly meant to be public.

Plain to Encrypted (Download and Encrypt)

# Download plain file
docker exec mothrbox_system bash -c "
  deno run -A --env-file=mothrbox_ts/.env \
  mothrbox_ts/src/walrus-cli.ts download <plain-blob-id> /app/data/file.pdf
"

# Encrypt and re-upload
./mothrbox encrypt data/file.pdf "NewPassword123"

# Delete plain blob (optional, if you control it)

Between Encryption Algorithms

# Download with one algorithm
./mothrbox decrypt <aes-blob-id> file.pdf "AESPassword"

# Re-encrypt with another
./mothrbox chacha-encrypt data/file.pdf "ChaChaPassword"

# Or switch to ECC
./mothrbox ecc-encrypt data/file.pdf recipient_public.key

Performance Characteristics

Encryption/Decryption Speed

Algorithm1MB File100MB File1GB File
AES-256-GCM*~2ms~200ms~2s
ChaCha20~2.5ms~250ms~2.5s
ECC~20ms~2s~20s
Plain0ms0ms0ms

*With AES-NI hardware acceleration

Storage Overhead

ModeOverhead per File
AES-256-GCM+28 bytes
ChaCha20-Poly1305+44 bytes
ECC P-256+65 bytes
Plain0 bytes

Compliance & Standards

AES-256-GCM

  • βœ… NIST FIPS 140-2 validated
  • βœ… PCI DSS compliant
  • βœ… HIPAA compliant
  • βœ… GDPR compliant
  • βœ… SOC 2 Type II approved

ChaCha20-Poly1305

  • βœ… IETF RFC 8439 standardized
  • βœ… Modern cryptography approved
  • βœ… Used in WireGuard VPN
  • βœ… TLS 1.3 cipher suite

ECC P-256

  • βœ… NIST approved curve
  • βœ… NSA Suite B approved for TOP SECRET
  • βœ… FIPS 186-4 compliant
  • βœ… Used in Bitcoin, Ethereum

Examples by Use Case

Healthcare (HIPAA Compliance)

# Use AES-256-GCM for compliance
./mothrbox encrypt patient_records.pdf "MedicalPass2024"

Mobile App Backups

# Use ChaCha20 for better mobile performance
./mothrbox chacha-encrypt app_database.db "AppBackup2024"

# Use ECC to avoid password exchange
./mothrbox keygen  # Client does this
./mothrbox ecc-encrypt contract.pdf client_public.key
# Share blob ID via email - client decrypts with their key

Public Blog Assets

# Use plain mode for public images
# Direct Walrus upload (no encryption)
docker exec mothrbox_system bash -c "
  deno run -A --env-file=mothrbox_ts/.env \
  mothrbox_ts/src/walrus-cli.ts upload /app/data/blog_image.jpg
"

Next Steps

πŸ’‘ Best Practice: Default to encrypted mode unless you have a specific reason to use plain mode. When in doubt, encrypt! πŸ”’