Stateless Encryption Service

Minimal, stateless HTTP encryption service.
No storage. No sessions. No private keys.

AES-GCM RSA-OAEP Stateless HTTP API

POST /api/v1/crypto/encrypt

Overview

SecureSync is a narrowly focused service that performs exactly one task: encrypt client-provided data using client-provided public keys.

The service does not persist data, does not manage keys, and does not provide decryption.

Design principles

Stateless by design
No implicit trust
No background state
Explicit cryptographic output

What SecureSync does

Accepts Base64-encoded plaintext
Accepts public encryption keys
Encrypts data with AES-128-GCM
Encrypts AES key using RSA-OAEP
Returns full cryptographic metadata

What SecureSync does NOT do

No data persistence
No private key handling
No decryption endpoints
No authentication system
No key lifecycle management

Architecture

Client
  |
  |  plaintext + public key
  v
SecureSync API
  |
  |  encrypted payload
  v
Client storage / transport

SecureSync cannot decrypt its own output and retains no state between requests.

Cryptography

AES-128-GCM (data encryption)
RSA-OAEP with SHA-256 + MGF1
96-bit IV
128-bit authentication tag

Algorithm string

RSA-OAEP-SHA256/MGF1-SHA256
+ AES-128-GCM

HTTP API

Endpoint

POST /api/v1/crypto/encrypt

Request

{
  "dataBase64": "...",
  "publicKeyBase64": "...",
  "keyFormat": "RSA_DER"
}

Response

{
  "encryptedDataBase64": "...",
  "ivBase64": "...",
  "authTagBase64": "...",
  "encryptedKeyBase64": "...",
  "algorithm": "..."
}

Security

systemd sandboxing
Localhost-only JVM
NGINX TLS termination
Filesystem isolation
File-based API keys

Threat model

SecureSync assumes a hostile network and untrusted clients. It minimizes blast radius by design.

SpiderBind.com © 2026