00 Cryptography

End-to-End Encryption

Zero-knowledge by design. Server stores ciphertext only.

End-to-end encryption (E2EE) means your data is encrypted on your device and only decrypted on the device of the person you are communicating with. The UltimaOS server only ever sees ciphertext and public keys — it cannot read your messages, files, or calendar.

01 Overview

What end-to-end encryption actually means.

Keys live on your device

Your private keys are generated on your device and never leave it. The server never sees your private key, cannot decrypt your data, and cannot be compelled to produce plaintext.

Server stores ciphertext only

All chat messages, files, calendar events, and AI conversations are stored on the server as opaque encrypted blobs. Backups are encrypted. Operational logs never contain plaintext.

Compromise is bounded

If the UltimaOS server is compromised tomorrow, the attacker gains access to ciphertext blobs and metadata (who talks to whom, when). They do not gain access to message contents.

02 Details

How UltimaOS implements E2EE.

Every conversation, file, and calendar event on UltimaOS is encrypted with a symmetric session key derived from an ML-KEM-768 key encapsulation. The result is a zero-knowledge architecture where the server is a dumb pipe for encrypted data.

Per-conversation session keys

Each conversation generates a fresh symmetric key. A compromise of one session key reveals only that conversation — never other conversations or the user's other data.

Per-file encryption

Files are encrypted with their own random symmetric key, then that file key is encapsulated to each recipient with their ML-KEM-768 public key. Revoking a recipient is a re-encryption, not a deletion.

Group rekeying on membership change

When a member joins or leaves a group, the group symmetric key is rotated and re-encapsulated to the new membership. Old members lose access; new members gain it without breaking the rest.

Recovery without breaking E2EE

UltimaOS uses a 3-of-5 social recovery scheme: a member's encrypted history can be reconstructed with the cooperation of three trusted contacts. Recovery does not weaken the cryptography — it uses secret sharing over the user's encrypted keys.

03 Key points

Key takeaways

What this means in practice.

  1. No admin override

    Workspace admins cannot read encrypted content. They can remove members, change roles, and access workspace-level metadata — but they cannot decrypt messages or files.

  2. Subpoena resistance

    A subpoena or court order can compel UltimaOS to hand over encrypted blobs. The encrypted blobs are useless without the user's private key, which UltimaOS does not possess.

  3. Client-side integrity

    Because the server cannot see content, it cannot moderate content. UltimaOS relies on user-driven abuse reports and proactive workspace admin moderation rather than server-side content scanning.

  4. Open-source clients

    The UltimaOS clients are open source. Independent researchers can audit the E2EE implementation end-to-end, from key generation through encrypted transport through local storage.

05 Frequently asked

Common questions

Questions about end-to-end encryption.

What is end-to-end encryption?

End-to-end encryption (E2EE) is a cryptographic architecture where data is encrypted on the sender's device and only decrypted on the recipient's device. The service provider in the middle stores ciphertext only and has no key to decrypt it. (EFF Surveillance Self-Defense)

Can the UltimaOS server read my messages?

No. The server stores ciphertext and the public keys of users. It does not have the private keys needed to decrypt content. This is verifiable in the open-source clients.

Can UltimaOS staff read my data?

No UltimaOS staff member has the technical ability to read your encrypted data. There is no master key, no backdoor, and no override mechanism. This is verified by the open-source client code.

Does UltimaOS use zero-knowledge architecture?

Yes. The cryptographic design is zero-knowledge with respect to the server: the server has no information about content beyond opaque ciphertext and minimal metadata needed for delivery.

Can I verify the cryptography myself?

Yes. The UltimaOS clients are open source. The cryptographic stack is described in detail in the whitepaper. Independent audits are performed annually and the reports are published on the security page.

How does E2EE work with AI assistants?

AI inference runs on EU infrastructure under UltimaOS control. Prompts and responses are encrypted end-to-end like any other conversation. The AI provider (OpenAI, Anthropic, self-hosted) sees the prompt in plaintext only during inference, never at rest.

What is the recovery model if I lose my device?

UltimaOS uses a 3-of-5 social recovery scheme. The user designates five trusted contacts; any three can reconstruct the encrypted key material needed to access the user's history on a new device. No single contact can decrypt alone.