
Encryption

When you use Omnodex’s cloud features (Hosted tier and above), your data is protected by zero-knowledge end-to-end encryption. This means the Omnodex service never has access to your unencrypted data.

  1. You set a passphrase (this never leaves your machine)
  2. The passphrase is used to derive an encryption key locally using Argon2id (a memory-hard key derivation function)
  3. Events are encrypted with AES-256-GCM before leaving your machine
  4. Only ciphertext is transmitted and stored in the cloud
  5. When you access the dashboard, ciphertext is downloaded and decrypted locally in your browser

At no point does the Omnodex service hold your key or see your plaintext data.

Omnodex uses Argon2id for key derivation - the current best-practice algorithm for password-based key derivation. It is:

  • Memory-hard: each guess requires a configurable amount of RAM, which blunts the parallel brute-force advantage of GPUs and ASICs
  • Tuned so that deriving one key is fast enough for interactive use while keeping each offline guess expensive

The derived key is used for AES-256-GCM authenticated encryption. GCM both encrypts the event and produces an authentication tag, so a blob that has been modified in storage or in transit is rejected on decryption rather than silently decrypted into garbage.

  • If you lose your passphrase, your cloud data is unrecoverable. We cannot reset it, decrypt it, or help you access it. This is by design.
  • We cannot comply with data requests for your content because we do not have the ability to decrypt it.
  • A breach of our cloud infrastructure would expose only ciphertext - encrypted blobs that are computationally infeasible to decrypt without your passphrase. Argon2id makes each offline guess expensive, but it cannot rescue a short or guessable passphrase: the strength of this guarantee is bounded by the strength of the passphrase you choose.
What is and is not encrypted:

Data                                               Encrypted?
Event payloads (tool calls, parameters, results)   Yes
Session metadata                                   Yes
Detection findings                                 Yes
Account email / billing info                       No (needed for service operation)
Usage metrics (event counts)                       No (needed for billing)

The hosted dashboard decrypts data in your browser. The decryption key is derived from your passphrase in the browser and is never sent to the server; the server delivers only ciphertext, and your browser decrypts and renders it. As with any browser-based end-to-end encryption, this guarantee rests on the dashboard code your browser loads behaving as described, since that code is what handles the passphrase and the derived key.