
RED - Rhea Encrypted Data

What RED Is

RED is a cryptographic protection layer designed for a world where data lives everywhere and security must never depend on trust. It provides a universal, zero-knowledge environment where individuals, teams, and global enterprises can encrypt, store, share, and process information without exposing keys, identities, or plaintext data to any platform — including Rhea-RED itself.

In RED, encryption is not a feature. It is the foundation. Every file, every version, and every shared asset is encrypted before it ever leaves the device, using a key that only the user can generate. No server, provider, partner, or administrator — not even RED — can access the contents. The environment is built on the principle that the owner of the data is the only party who can ever unlock it.

RED is not cloud storage. It is a zero-knowledge encryption system that works above any cloud, any storage backend, and any infrastructure. Companies integrate RED to protect their existing systems; individuals use it to secure their digital lives; and large enterprises deploy it as an independent cryptographic layer that travels with their data everywhere.

Why RED Matters

Data has exploded across devices, applications, clouds, and third-party systems. Traditional security follows the data — but it never truly isolates it. Access is often mediated through passwords, identity providers, corporate admins, or backend services that have broad privileges. Even the most advanced cloud platforms cannot guarantee zero-knowledge protection, because encryption keys or metadata are often processed by the provider at some point.

RED eliminates the dependency on trust by eliminating the possibility of server-side access. Encryption, key generation, and decryption occur entirely on the user’s device through their cryptographic wallet. The server receives only encrypted data and cannot decrypt, read, analyze, or exploit it.

This design transforms security from a promise into a mathematical guarantee. Even in extreme scenarios — provider breach, infrastructure compromise, insider attack, subpoena, or misconfiguration — RED ensures that no unauthorized party can access the data, because no one other than the user holds the decryption key.

How RED Protects Data

Every protected file begins with the wallet. When a user connects their cryptographic wallet, a Key Encryption Key (KEK) is derived locally from a secure signature operation. This KEK never leaves the device. For each file, RED generates a unique Data Encryption Key (DEK) used to encrypt content using AES-256-GCM, the strongest widely-accepted symmetric encryption standard.

The DEK is then wrapped with the user’s KEK, resulting in a fully zero-knowledge key hierarchy:

Wallet Signature → KEK → DEK → Encrypted File

This creates three unbreakable truths:

  1. RED never sees unencrypted data.

  2. RED never sees the KEK or the unwrapped DEK.

  3. Only the user’s wallet signature can produce the KEK.

When files are uploaded, they are split into encrypted chunks to support unlimited file size. These chunks can be stored anywhere: IPFS, S3, Azure Blob, Google Cloud Storage, Oracle Cloud, or even private on-premise systems. Because RED does not depend on storage, enterprises can adopt it without migrating existing infrastructure.
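
The key hierarchy and chunked encryption described above, as an added example in Node.js; it is not RED's code. The HKDF derivation of the KEK from the signature, the AAD layout, the blob layout, and all function names are assumptions made for illustration.

```javascript
// Added example, not RED's code. Hierarchy: signature -> KEK -> DEK -> chunks.
const crypto = require('node:crypto');

// Assumption: KEK = HKDF-SHA256(signature). The wallet must sign the same
// message deterministically, or the KEK (and every wrapped DEK) is lost.
function deriveKek(signature) {
  const okm = crypto.hkdfSync('sha256', signature, Buffer.alloc(0), 'example-kek-v1', 32);
  return Buffer.from(okm);
}

// AES-256-GCM with a fresh 96-bit IV; output layout is iv || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key, the AAD, or any byte of the blob is wrong.
function open(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Binding file id, index and chunk count into the AAD lets the client detect
// chunks that a storage backend reordered, dropped, or moved between files.
const chunkAad = (fileId, i, total) => Buffer.from(`${fileId}:${i}:${total}`);

function encryptFile(kek, fileId, data, chunkSize) {
  const dek = crypto.randomBytes(32); // unique DEK per file
  const total = Math.max(1, Math.ceil(data.length / chunkSize));
  const chunks = [];
  for (let i = 0; i < total; i++) {
    const part = data.subarray(i * chunkSize, (i + 1) * chunkSize);
    chunks.push(seal(dek, part, chunkAad(fileId, i, total)));
  }
  const wrappedDek = seal(kek, dek, Buffer.from(`dek:${fileId}`));
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return { fileId, wrappedDek, chunks }; // only ciphertext goes to storage
}

function decryptFile(kek, { fileId, wrappedDek, chunks }) {
  const dek = open(kek, wrappedDek, Buffer.from(`dek:${fileId}`));
  const parts = chunks.map((c, i) => open(dek, c, chunkAad(fileId, i, chunks.length)));
  return Buffer.concat(parts);
}
```

Because each chunk is authenticated against its position and the total count, a backend that swaps or truncates chunks causes decryption to fail rather than return altered plaintext.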

Sharing and Permission Control

Sharing in RED is cryptographically enforced. When a user wants to grant access to another person, RED does not rely on usernames, emails, or server-side permissions. Instead, the DEK is wrapped again for the recipient’s KEK. Only that recipient’s wallet can unwrap it.

This means:

  • No one can grant access without the owner’s explicit cryptographic signature.

  • Permissions cannot be bypassed, escalated, or modified by the backend.

  • Administrators cannot impersonate users or read their data.

  • Even RED cannot decrypt or share anything on behalf of the user.

Sharing becomes mathematically restricted — not socially restricted.

Simple Mode: Personal and Small-Team Use

In Simple Mode, RED functions as a secure digital vault for individuals and small groups. Users upload files, organize them in folders, share with wallet addresses, and collaborate with end-to-end encrypted protection. The system behaves like a familiar cloud drive, but with zero-knowledge protection and cryptographic access control.

Simple Mode uses subscription-based storage tiers, automatically linked to usage levels. Users can scale smoothly without complexity or enterprise contracts.

Even in Simple Mode, users receive enterprise-grade security:

  • Wallet-based identity, no passwords

  • Local encryption before upload

  • Cryptographic sharing

  • Encrypted metadata

  • Unlimited file size support

  • End-to-end audit of every action

  • Multiple storage backends

It is the first consumer-friendly system where the user — not the provider — controls the encryption keys.

Enterprise Mode: Integration Into Any Organization

Enterprise Mode is where RED becomes a full-scale security infrastructure. Companies integrate RED without changing their systems, without replacing their cloud providers, and without centralizing data anywhere.

Enterprise Mode provides:

  • Multi-tenant organization systems

  • Role-based control for unlimited internal wallets

  • Service wallets for automation (CI/CD, AI tools, backup systems)

  • External processor mode for AI/analytics with stream-only decryption

  • Enterprise billing, usage, and contract management

  • Legal entities, SLAs, and compliance frameworks

  • Audit logs, security attestations, and regulator-view dashboards

  • Execution mode control (Web, Agent, HSM) for strict environments

Enterprises can deploy RED in three ways:

1. Web Mode (No Installation Required)

All cryptography remains local to the browser using the Web Cryptography API. Ideal for distributed teams and general usage.

2. Agent Mode (Local Daemon)

A native agent running on the internal network or local device performs encryption and decryption using OS-level secure enclaves. This is suitable for companies with advanced security policies or air-gapped environments.

3. HSM Mode (Hardware Security Modules)

For the most regulated sectors, RED integrates directly with customer-owned HSMs such as AWS KMS or Azure Key Vault.
In this mode, RED does not even handle the KEK derivation — it is entirely processed inside certified hardware.

This makes RED compatible with banks, telecom operators, defence institutions, insurance companies, and health systems.

External Processing With Full Privacy

One of RED’s most significant architectural advantages is that it enables external technology providers—such as cybersecurity platforms, analytics engines, AI systems, cloud providers, and large-scale simulation environments—to operate exactly as they do today, while giving the data owner complete cryptographic control over who is allowed to view or process their information.

Vendors like Oracle, AWS, Microsoft, CrowdStrike, and Google can still scan files, run analytics pipelines, execute workloads, train models, or detect threats with full plaintext access—but only when the data owner explicitly grants them a cryptographic rank.
This rank is assigned to a wallet address controlled by the vendor. Once granted, RED wraps the appropriate decryption key for that wallet, enabling the vendor to process data exactly as before, without technical restrictions or changes to their infrastructure.

RED enforces a strict, owner-controlled permission boundary:

  • If the owner gives a rank:
    The vendor receives a wrapped DEK and gains full access to plaintext during processing.

  • If the owner removes that rank:
    The key becomes invalid immediately and all access stops.
    The vendor cannot decrypt any new data and cannot reuse old keys.

  • RED itself cannot bypass this rule:
    The platform has no ability to decrypt or grant access.
    Only the owner can authorize or revoke access.

  • No third party can escalate permissions:
    Every access path is cryptographically controlled by the owner’s wallet.

This model protects everyone involved.
The customer retains absolute digital ownership and a complete audit trail.
The external vendor maintains all operational capabilities, business models, analytics services, and performance expectations—just with cryptographic enforcement on who is allowed to access what.
And even if a vendor experiences a breach, unapproved access is impossible, because their visibility is entirely dependent on a live, owner-granted key.

RED is the first system to combine full enterprise functionality with absolute cryptographic ownership, enabling external platforms to operate at full power while ensuring that only those explicitly authorized by the data owner can ever access the data.

No Migration Required

A fundamental design principle of RED is that enterprises should secure their data without moving it.
RED does not replace your cloud. It protects it.

Companies can point RED at Amazon S3, Google Cloud, Azure, Oracle Cloud, internal MinIO clusters, or any S3-compatible environment. RED immediately begins wrapping all data stored there with zero-knowledge protection, without disrupting existing workflows.

This eliminates risk, reduces deployment cost, and accelerates adoption.

Automation, AI, and External Processors

RED enables companies to use AI and automation tools without compromising data integrity. Instead of giving external systems full access to the plaintext file, RED offers “stream-only decryption,” where an AI assistant or analytics engine receives data chunk by chunk, without ever receiving the DEK or being able to download or store the file.

This creates a controlled pipeline where:

  • AI tools can process encrypted data

  • DEKs never leave secure boundaries

  • Access is logged in immutable audit records

  • Companies retain total control over permissions

It enables AI capabilities without introducing new attack surfaces.

Enterprise Governance and Compliance

RED includes built-in systems required for large-scale enterprise adoption:

  • Legal entities and contract binding

  • SLAs and uptime guarantees

  • Compliance artifact tracking (SOC 2, GDPR, HIPAA, etc.)

  • Key rotation and revocation

  • Identity assertions and cryptographic proofs

  • Regulator access mode

  • Security attestations

  • Full audit logging of every action

  • Retention, legal hold, and cryptographic erasure

This governance foundation allows RED to be adopted by banks, Fortune 500 companies, governments, and global cloud providers.

Why RED Is Superior

RED is not competing with storage providers. It is becoming the universal security layer the world needs — a system that makes encryption platform-independent, user-controlled, and mathematically guaranteed.

It solves four problems that no traditional cloud platform can solve simultaneously:

  1. Zero-knowledge access control
    The provider cannot decrypt files.

  2. Wallet-controlled identity
    Only the user can unlock data through cryptographic signatures.

  3. Storage independence
    RED works with any cloud, any infrastructure, any region.

  4. Unlimited scaling
    Encrypted chunks enable infinite file sizes and global distribution.

RED is not a competitor to cloud platforms. It is the missing encryption layer they never built — and the one they desperately need.

Conclusion

RED delivers a universal, independent, zero-knowledge security layer for individuals, teams, enterprises, and global infrastructure. It transforms data protection from a service into a mathematical certainty. Whether integrated into Oracle, AWS, Google, Microsoft, CrowdStrike, or used by a single person on their laptop, RED offers the same guarantee: only the owner controls the data, and nothing leaves their device unencrypted.

This is the future of digital trust — built not on promises, but on cryptography.


© 2025 Rhea. All rights reserved.
