[Feature]: Multi-Tenant Encryption #827

@baojun-zhang

Description

Problem Statement

OpenViking is a multi-tenant system where all sensitive data (user API keys, file content, relational data, system account tables) is stored in plaintext in a shared AGFS instance. The core threat is that individuals with access to server-side storage can directly read any customer's plaintext data. The protection goal is to ensure that even if an attacker gains access to all files on the AGFS disk, they cannot read any customer's file content without the corresponding account's encryption key.

Proposed Solution

#379
Implement at-rest data encryption within OpenViking's multi-tenant architecture using server-side envelope encryption with a derived Root Key:

  • Three-layer key hierarchy: Root Key → Account Key → File Key
  • All encryption and decryption operations centralized within the VikingFS layer, ensuring AGFS and external object storage only interact with ciphertext
  • Support for multiple Root Key providers (local file, HashiCorp Vault, Volcengine KMS)
  • AES-256-GCM for symmetric encryption, HKDF-SHA256 for key derivation, Argon2id for API Key hashing
  • Zero API intrusion - fully compatible with existing OpenViking APIs
  • Backward compatibility support for reading unencrypted files
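As an added illustration of the proposed hierarchy (example code, not OpenViking's own), the sketch below derives an Account Key from the Root Key with HKDF-SHA256, wraps a fresh per-file File Key under it, encrypts content with AES-256-GCM, and passes unencrypted legacy files through unchanged. It assumes the `cryptography` package; the `OVE1` marker, the HKDF info string and the blob layout are constructed for the example, and the Root Key providers and Argon2id API-key hashing are left out.

```python
"""Envelope encryption sketch for the hierarchy Root Key -> Account Key -> File Key."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

MAGIC = b"OVE1"             # constructed header marker; a blob without it is legacy plaintext
WRAPPED_LEN = 12 + 32 + 16  # nonce + wrapped 256-bit File Key + GCM tag


def account_key(root_key: bytes, account_id: str) -> bytes:
    """Layer two: derive an account-scoped key from the Root Key with HKDF-SHA256.
    The account ID goes into `info` (constructed label), so tenants never share a key."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"openviking/account-key/" + account_id.encode()).derive(root_key)


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(12)  # fresh random nonce per call, stored in front of the ciphertext
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def encrypt_file(acct_key: bytes, path: str, content: bytes) -> bytes:
    """Layer three: a fresh File Key per file, wrapped under the Account Key.
    Layout: MAGIC | wrapped File Key (60 bytes) | AES-256-GCM(content).
    The path is bound as AAD to both layers, so a ciphertext copied to another
    path (or another tenant's tree) fails authentication instead of decrypting."""
    file_key = AESGCM.generate_key(bit_length=256)
    aad = path.encode()
    return MAGIC + _seal(acct_key, file_key, aad) + _seal(file_key, content, aad)


def decrypt_file(acct_key: bytes, path: str, blob: bytes) -> bytes:
    """Unwrap the File Key, then the content. A blob without MAGIC is returned
    as-is: the backward-compatibility path for files written before encryption."""
    if not blob.startswith(MAGIC):
        return blob
    aad = path.encode()
    hdr = len(MAGIC) + WRAPPED_LEN
    try:
        file_key = _unseal(acct_key, blob[len(MAGIC):hdr], aad)
        return _unseal(file_key, blob[hdr:], aad)
    except InvalidTag:
        raise PermissionError("wrong account key, wrong path, or tampered ciphertext") from None
```

The plaintext fall-through means a legacy file that happens to begin with the marker would be misparsed, so a real deployment needs a marker existing data cannot start with, or an explicit per-file encryption flag in metadata.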

Alternatives Considered

No response

Feature Area

Core (Client/Engine)

Use Case

This encryption solution enables OpenViking to securely store multi-tenant data with proper isolation:

  • All AGFS file content (L0/L1/L2, relations, users.json, accounts.json) is encrypted at rest
  • Different accounts use independent encryption keys for isolation
  • API Keys are securely hashed instead of stored in plaintext
  • The solution is transparent to clients with no API changes required
  • Supports multiple storage backends (LocalFS, S3, SeaweedFS, RustFS) without relying on their native encryption capabilities

Example API (Optional)

Additional Context

No response

Contribution

  • I am willing to contribute to implementing this feature

Metadata

Labels: enhancement (New feature or request)
Status: Done