E2EE Architecture Whitepaper
Technical documentation of Onera's end-to-end encryption architecture
Version: 1.0
Date: January 2026
Authors: Onera Security Team
Abstract
Onera is a privacy-focused AI chat application that implements true end-to-end encryption (E2EE) for all user data. This whitepaper details Onera's cryptographic architecture, which ensures that sensitive information—including chat messages, API credentials, and personal notes—remains encrypted at rest and in transit, with decryption possible only on authorized user devices.
Our architecture employs a defense-in-depth approach combining:
- XSalsa20-Poly1305 for authenticated symmetric encryption
- X25519 for asymmetric key exchange and sharing
- Argon2id for memory-hard password-based key derivation
- 3-share XOR-based key sharding requiring compromise of multiple independent systems
- WebAuthn PRF for hardware-bound passkey authentication
The server operates exclusively as an encrypted blob store, never accessing plaintext user data. LLM API calls are made directly from the client to providers, bypassing Onera infrastructure entirely.
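The 3-share XOR sharding named in the list above, shown as an added example (not code from Onera's codebase) using the standard all-shares-required XOR construction. The 32-byte key length and every function name are assumptions; this page does not describe where each share is stored.

```javascript
// Added illustration: n-of-n XOR secret splitting with three shares.
// KEY_LEN and all function names are assumptions, not Onera's API.
// WebCrypto CSPRNG: global in browsers and current Node, else via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const KEY_LEN = 32; // assumed master-key size in bytes

function xorAll(...bufs) {
  const out = new Uint8Array(KEY_LEN);
  for (const b of bufs) {
    if (!(b instanceof Uint8Array) || b.length !== KEY_LEN) {
      throw new RangeError(`expected ${KEY_LEN}-byte Uint8Array`);
    }
    for (let i = 0; i < KEY_LEN; i++) out[i] ^= b[i];
  }
  return out;
}

// Two shares are uniform random; the third is key ^ s1 ^ s2.
function splitKey(key) {
  const s1 = webcrypto.getRandomValues(new Uint8Array(KEY_LEN));
  const s2 = webcrypto.getRandomValues(new Uint8Array(KEY_LEN));
  return [s1, s2, xorAll(key, s1, s2)];
}

// All three shares are required; XOR order does not matter.
function combineShares(shares) {
  if (shares.length !== 3) throw new RangeError('need exactly 3 shares');
  return xorAll(...shares);
}

// Why two shares leak nothing: for ANY candidate key there is a third
// share that makes the two known shares reconstruct to that candidate.
function thirdShareFor(candidateKey, known1, known2) {
  return xorAll(candidateKey, known1, known2);
}

const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');

// Constructed sample key (bytes 0x00..0x1f), not a real secret.
const sampleKey = Uint8Array.from({ length: KEY_LEN }, (_, i) => i);
const shares = splitKey(sampleKey);
const decoy = new Uint8Array(KEY_LEN).fill(0xaa); // arbitrary wrong guess
console.log('recovered:', toHex(combineShares(shares)));
console.log('decoy fits:', toHex(combineShares([shares[0], shares[1],
  thirdShareFor(decoy, shares[0], shares[1])])) === toHex(decoy));
```

XOR shares carry no integrity: a modified share combines into a different key without error, so the caller only detects it when authenticated decryption with the recovered key fails.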
Introduction
Motivation
As AI assistants become integral to daily workflows, users increasingly share sensitive information—personal conversations, proprietary code, API credentials, and confidential business data. Traditional AI chat applications transmit and store this data in plaintext on provider servers, creating significant privacy and security risks.
Onera addresses this fundamental issue by implementing end-to-end encryption where:
- All sensitive data is encrypted client-side before transmission
- The server stores only encrypted blobs it cannot decrypt
- Decryption keys never leave the user's devices
- LLM API calls connect directly to providers, bypassing Onera servers
Design Goals
- Zero-Knowledge Server: The server cannot access plaintext user data under any circumstances
- Defense in Depth: Multiple independent security layers protect user data
- Usability: Strong security without sacrificing user experience
- Recovery: Multiple paths to recover access without compromising security
- Multi-Device: Seamless synchronization across authenticated devices
- Transparency: Open architecture that can be independently audited
Document Scope
This whitepaper covers:
- Cryptographic algorithms and their selection rationale
- Key generation, derivation, and management
- Data encryption and decryption flows
- Threat model and security analysis
- Recovery and multi-device mechanisms
Implementation details reference the open-source codebase at /packages/crypto/.
Table of Contents
- Threat Model: Adversary capabilities, security goals, and trust boundaries
- Cryptographic Primitives: Symmetric encryption, asymmetric encryption, and key derivation
- Key Hierarchy: Master key, private keys, chat keys, and session keys
- Key Derivation: Password to KEK derivation and unlock flows
- Key Sharding: 3-share XOR-based key sharding system
- Encryption Flows: Chat, credential, and notes encryption
- Session Management: Browser sessions and XSS protection
- Recovery Mechanisms: BIP39 mnemonic and account recovery
- Multi-Device Support: Device registration and re-sharding
- WebAuthn Integration: Passkey authentication with PRF extension
- Server Architecture: Zero-knowledge design and database schema
- Security Analysis: Cryptographic strength and attack resistance
- Industry Comparison: Comparison with Signal, Ente, Bitwarden, and ProtonMail
- Conclusion: Summary and security guarantees
- References: Citations and source code references