
The architecture is intentionally simple, yet built with a Zero Trust mindset from the ground up. All data is protected with end-to-end encryption, ensuring confidentiality and integrity at every stage.

High Level Diagram

Object Store

AWS S3 serves as the core storage layer and takes advantage of several powerful but often overlooked features. The bucket is fully private: clients never receive bucket-wide credentials, and every upload or download is mediated by the PigeonHole service, which issues a presigned URL for one object key at a time.

Pre-signed URLs

Pre-signed URLs let the command-line client upload and download secrets at specific object keys without holding AWS credentials or any broader bucket privileges. Each URL is bound to a single object key, a single HTTP method and an expiry window, so a leaked or replayed URL cannot be turned into access to other objects, and a failed or interrupted transfer affects only that one request. A presigned URL is still a bearer token: anyone who obtains it before it expires can perform that one operation, so the expiry should be kept short and the URL should only travel over TLS.

S3 Object Metadata

In combination with presigned URLs, the S3 object metadata (the x-amz-meta-* headers) is listed in the URL's X-Amz-SignedHeaders, so its values are covered by the SigV4 signature. The client must send exactly the signed values, or S3 rejects the request; the metadata is therefore tamper-evident. Alongside OpenPGP protection of the content, this ensures that neither the payload nor its intended destination (object key and metadata) can be altered without detection.
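The following is an added example, not PigeonHole's own code, covering both the presigned-URL and the signed-metadata points above. It implements the SigV4 query-string signing that S3 uses for presigned URLs, with the x-amz-meta-* headers included in X-Amz-SignedHeaders, and the matching check that the server side performs: recompute the signature over the headers the client actually sent and reject on mismatch or expiry. The bucket host, region, access key, secret and metadata values are constructed for the demonstration and are not real.

```python
"""Minimal SigV4 presigned PUT signer and verifier (added example, not project code).

Shows why metadata named in X-Amz-SignedHeaders cannot be changed without
invalidating the URL: the signature covers the header values, so a client
that presents different x-amz-meta-* values fails verification.
"""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed credentials and names for the example; none of these are real.
ACCESS_KEY_ID = "AKIAEXAMPLE0000000000"
SECRET_KEY = "exampleSecretKeyDoNotUse0000000000000000"
REGION = "eu-west-1"
HOST = "pigeonhole-example-bucket.s3.eu-west-1.amazonaws.com"
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(date: str) -> bytes:
    # SigV4 key derivation: AWS4<secret> -> date -> region -> service -> aws4_request
    k = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    k = _hmac(k, REGION)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _quote(s: str, safe: str = "-_.~") -> str:
    return urllib.parse.quote(s, safe=safe)


def _canonical_request(method: str, key: str, query: dict, headers: dict) -> str:
    # headers: lowercase name -> value; every entry is a signed header.
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canonical_query = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(query.items()))
    # Presigned URLs do not sign the body, hence UNSIGNED-PAYLOAD.
    return "\n".join([method, "/" + _quote(key, "/-_.~"), canonical_query,
                      canonical_headers, ";".join(names), "UNSIGNED-PAYLOAD"])


def _signature(amz_date: str, canonical_request: str) -> str:
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, digest])
    return hmac.new(_signing_key(amz_date[:8]), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_put(key: str, metadata: dict, now: datetime, expires: int = 300):
    """Return (url, headers) for a PUT whose x-amz-meta-* values are part of the signature."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": HOST}
    headers.update({f"x-amz-meta-{k.lower()}": v for k, v in metadata.items()})
    query = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{ACCESS_KEY_ID}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": ";".join(sorted(headers)),
    }
    query["X-Amz-Signature"] = _signature(amz_date, _canonical_request("PUT", key, query, headers))
    url = f"https://{HOST}/{_quote(key, '/-_.~')}?" + urllib.parse.urlencode(query)
    # The client must send these headers verbatim alongside the PUT.
    return url, {k: v for k, v in headers.items() if k != "host"}


def verify_put(url: str, sent_headers: dict, now: datetime) -> bool:
    """The check S3 performs: recompute the signature over the signed headers actually sent."""
    parts = urllib.parse.urlsplit(url)
    query = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    presented = query.pop("X-Amz-Signature", "")
    amz_date = query["X-Amz-Date"]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(query["X-Amz-Expires"])):
        return False  # time-limited: an old URL is useless even with a valid signature
    sent = {k.lower(): v for k, v in sent_headers.items()}
    headers = {}
    for name in query["X-Amz-SignedHeaders"].split(";"):
        value = parts.netloc if name == "host" else sent.get(name)
        if value is None:
            return False  # a signed header (e.g. the metadata) was omitted
        headers[name] = value
    key = urllib.parse.unquote(parts.path[1:])
    expected = _signature(amz_date, _canonical_request("PUT", key, query, headers))
    return hmac.compare_digest(expected, presented)


def demo():
    """Returns (honest_ok, metadata_tampered_ok, key_tampered_ok, expired_ok)."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    url, headers = presign_put("secrets/abc123.gpg", {"recipient": "alice@example.org"}, now)
    soon = now + timedelta(seconds=10)
    honest = verify_put(url, headers, soon)
    tampered_meta = verify_put(url, {"x-amz-meta-recipient": "mallory@example.org"}, soon)
    tampered_key = verify_put(url.replace("abc123", "other"), headers, soon)
    expired = verify_put(url, headers, now + timedelta(seconds=600))
    return honest, tampered_meta, tampered_key, expired
```

`demo()` returns `(True, False, False, False)`: the honest client succeeds, while changing the recipient metadata, redirecting the upload to another key, or using the URL after expiry all fail, because each of those values is an input to the signature. Real S3 applies the same rule; the service that issues the URL is the only party that can choose the key and metadata, and the client can only present them unchanged.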

Key Management Service

AWS Key Management Service (KMS) provides the cryptographic foundation using customer managed keys (CMKs). Encryption follows the envelope pattern: for each operation KMS generates a fresh data key and returns it both in plaintext and encrypted under the CMK; the plaintext data key is used for that one operation and then discarded, while the CMK itself never leaves KMS and is never exposed to any service component. KMS key policies further restrict which principals may generate and decrypt data keys under the CMK, isolating key access from the rest of the infrastructure.