
Frequently Asked Questions

General

What is the Document Vault?

The Document Vault is Hadinet Africa's end-to-end encrypted document storage system. It allows you to securely store sensitive documents (identity cards, financial records, education credentials, etc.) with AES-256-GCM encryption on IPFS, accessible only through your Web3 wallet.

Who can see my documents?

Only you. Documents are encrypted inside a Trusted Execution Environment (TEE) before being stored on IPFS. The encryption key is derived from your wallet and exists only during the encryption/decryption operation inside the TEE. Hadinet operators, IPFS nodes, and anyone else who might access the encrypted file cannot read its contents.

Is the Document Vault free to use?

There are no protocol fees charged by Hadinet for vault operations.

Encryption

What encryption does the vault use?

The vault uses AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This is an authenticated encryption algorithm that provides both confidentiality and integrity. Each document is encrypted with a unique key derived from your wallet secret and a per-document salt.

Where are my encryption keys stored?

Nowhere. Encryption keys are derived on demand inside the TEE from your wallet signature and a per-document salt. After each operation, the key is zeroed from memory. There is no key database, key escrow, or key backup.

What happens if I lose my wallet?

If you lose access to your wallet (private key), your documents become permanently inaccessible. There is no recovery mechanism because no backup of your encryption keys exists. This is a deliberate security design -- it prevents anyone (including Hadinet) from accessing your documents without your wallet.

Are my documents safe if the server is compromised?

Yes. Documents are encrypted inside the TEE, and plaintext never exists outside the hardware enclave. Even if the server hosting the TEE is physically compromised, the TEE's memory is hardware-encrypted and inaccessible to the host operating system or server operator.

Storage

Where are my documents stored?

Encrypted documents are stored on IPFS through Pinata's private gateway. They are not published to the public IPFS DHT, so they are not discoverable by IPFS crawlers. Document metadata (type, timestamps, CID references) is stored on the Cartesi rollup on Arbitrum.

What is IPFS?

IPFS (InterPlanetary File System) is a decentralized file storage protocol. Files are identified by their content hash (CID), not by a server location. This provides content integrity (any modification changes the CID) and decentralization (no single point of failure).

What is Pinata?

Pinata is an IPFS pinning service that ensures files remain available on IPFS. The vault uses Pinata's private gateway, which requires authentication to access files, adding a layer of access control on top of encryption. Pinata also provides CDN delivery for reliable, fast file retrieval.

Can I upload the same document twice?

Yes. Each upload generates a unique salt and IV, so the same file uploaded twice will produce different ciphertext with different encryption keys. Both copies will appear independently in your vault.
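The per-document key derivation and AES-256-GCM encryption described under "What encryption does the vault use?" and in the answer above, sketched as an added example that is not Hadinet's code. HKDF-SHA256, the "vault-doc-key" label, the salt/IV/tag blob layout and the sample wallet secret are assumptions, since the page does not specify them.

```javascript
// Added illustration (Node.js), not Hadinet code. The KDF (HKDF-SHA256),
// the info label and the blob layout are assumptions.
const nodeCrypto = require("crypto");

const SALT_LEN = 32, IV_LEN = 12, TAG_LEN = 16;

// Derive a 256-bit key from the wallet-derived secret and the per-document salt.
function deriveKey(walletSecret, salt) {
  const okm = nodeCrypto.hkdfSync("sha256", walletSecret, salt, Buffer.from("vault-doc-key"), 32);
  return Buffer.from(okm); // view over the same memory, so fill(0) wipes it
}

// Fresh salt and IV on every upload; output is salt || iv || tag || ciphertext.
function encryptDocument(walletSecret, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const key = deriveKey(walletSecret, salt);
  try {
    const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
    const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
  } finally {
    key.fill(0); // best-effort zeroing of the derived key after the operation
  }
}

// Re-derive the key from the stored salt; final() throws if the tag does not verify.
function decryptDocument(walletSecret, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const key = deriveKey(walletSecret, salt);
  try {
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } finally {
    key.fill(0);
  }
}

// Constructed sample inputs: a stand-in for the wallet-derived secret and a document.
const walletSecret = nodeCrypto.createHash("sha256").update("constructed wallet signature").digest();
const doc = Buffer.from("constructed sample: passport scan bytes");
```

Encrypting `doc` twice yields two different blobs that both decrypt to the same bytes, while a blob with a flipped bit or a different wallet secret fails authentication instead of returning altered plaintext.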

Access and Sharing

Can I share documents with others?

Yes. You can grant time-limited, revocable access to specific documents. The access grant is recorded on-chain. You can revoke access at any time.

Can an institution access my documents without my permission?

No. All document access requires your explicit consent, provided by signing a message with your wallet. There is no administrative override, backdoor, or bulk access mechanism.

What happens when access expires?

When an access grant expires, the institution can no longer retrieve the document. The on-chain record is updated to reflect the expiration.

Can I see who has accessed my documents?

Yes. The vault provides an on-chain audit log that records all access grants, revocations, and expirations. This log is visible in your vault interface.

Document Management

What is the difference between verified and self-attested documents?

  • Verified documents have been attested by an institutional verifier (e.g., a KYC provider confirmed your passport). They carry cryptographic proof of attestation on-chain.
  • Self-attested documents are uploaded by you without third-party verification. They are encrypted and stored with the same security but do not carry institutional attestation.

Can I delete a document?

Yes. Deleting a document marks it as deleted on-chain and unpins the encrypted file from IPFS. The encrypted file will be garbage-collected by IPFS over time. The on-chain metadata record (which contains no PII) remains as a historical record.

Can I access my vault from multiple devices?

Yes. Your vault is tied to your wallet, not your device. You can access your documents from any device where you can connect your wallet.

Technical

What is a TEE?

A Trusted Execution Environment (TEE) is a hardware-isolated enclave that runs code in a tamper-proof context. The TEE's memory is encrypted by the processor and inaccessible to the operating system, hypervisor, or server operator. The vault uses TEEs for all encryption and decryption operations.

What is a DID?

A DID (Decentralized Identifier) is a self-sovereign identity standard. In Hadinet, your DID (did:key) is derived from your wallet's public key. It serves as your identity in the vault system without requiring any registration or central identity provider.

What blockchain does the vault use?

Document metadata is stored on a Cartesi rollup deployed on Arbitrum. Arbitrum is an Ethereum Layer 2 that provides lower transaction costs while inheriting Ethereum's security. The Cartesi rollup enables complex computation within the rollup environment.