ADR-0014 — Envelope encryption at rest via KMS; defer client-side E2E

V1 Freeze (2026-06-12): Accepted. Blocker-5 follow-up: the encryption model now has an explicit schema footprint (below) so it is buildable, and V1 uses a per-tenant DEK (not per-object) for simplicity. Secrets-manager wiring (ESO) is ADR-0030 (Deferred); V1 self-host uses a keyfile/env KMS provider.

Context

BitVault stores sensitive user data and must encrypt it in transit and at rest (NFR-6). The tempting "go big" option is client-side end-to-end (zero-knowledge) encryption, but it breaks server-side search, previews, and deduplication, puts a heavy key-recovery and crypto UX burden on users, and is a stated non-goal for v1 (NG3). We also need to manage provider credentials and signing keys without leaking them (R11).
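
As an added illustration (not BitVault code, and not the schema footprint the freeze note refers to), the following Go sketch shows the V1 model the freeze note names: one DEK per tenant, wrapped by a KEK that a pluggable provider holds (here an in-memory stand-in for the keyfile/env provider), objects sealed under the DEK with AES-256-GCM, and KEK rotation done by rewrapping the small per-tenant key row rather than re-encrypting objects. The `KMS` interface, the `LocalKEK` type, the `TenantKey` row shape and the AAD layouts are assumptions of this example, chosen so that a wrapped key row or an object blob copied to another tenant fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is the key-wrapping seam a KEK provider fills (assumed here; not BitVault's real API).
type KMS interface {
	Wrap(dek, aad []byte) ([]byte, error)
	Unwrap(wrapped, aad []byte) ([]byte, error)
}

// LocalKEK stands in for the keyfile/env provider: one in-memory AES-256 KEK exposed only via Wrap/Unwrap.
type LocalKEK struct{ KEK []byte }
func (k *LocalKEK) Wrap(dek, aad []byte) ([]byte, error)       { return seal(k.KEK, dek, aad) }
func (k *LocalKEK) Unwrap(wrapped, aad []byte) ([]byte, error) { return open(k.KEK, wrapped, aad) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-GCM with a fresh random 96-bit nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open: any change to nonce, ciphertext, tag or AAD fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// TenantKey is the per-tenant schema row: the wrapped DEK and the KEK version that wrapped it. The plaintext DEK is never stored.
type TenantKey struct {
	TenantID   string
	KEKVersion int
	WrappedDEK []byte
}

// AAD binds a wrapped DEK to (tenant, KEK version) and an object blob to (tenant, object ID).
func kekAAD(tenantID string, v int) []byte    { return []byte(fmt.Sprintf("tenant=%s;kek=%d", tenantID, v)) }
func objAAD(tenantID, objectID string) []byte { return []byte("tenant=" + tenantID + ";object=" + objectID) }

// NewTenantKey mints a fresh 256-bit DEK and returns it only in wrapped form.
func NewTenantKey(kms KMS, tenantID string, kekVersion int) (TenantKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return TenantKey{}, err
	}
	w, err := kms.Wrap(dek, kekAAD(tenantID, kekVersion))
	if err != nil {
		return TenantKey{}, err
	}
	return TenantKey{TenantID: tenantID, KEKVersion: kekVersion, WrappedDEK: w}, nil
}

type TenantDEK struct{ tenantID string; dek []byte } // unwrapped key, in memory only while a request needs it

// OpenTenantKey unwraps the row via the provider; a moved or tampered row fails here.
func OpenTenantKey(kms KMS, tk TenantKey) (*TenantDEK, error) {
	dek, err := kms.Unwrap(tk.WrappedDEK, kekAAD(tk.TenantID, tk.KEKVersion))
	if err != nil {
		return nil, err
	}
	return &TenantDEK{tenantID: tk.TenantID, dek: dek}, nil
}
func (t *TenantDEK) Encrypt(objectID string, pt []byte) ([]byte, error) { return seal(t.dek, pt, objAAD(t.tenantID, objectID)) }
func (t *TenantDEK) Decrypt(objectID string, ct []byte) ([]byte, error) { return open(t.dek, ct, objAAD(t.tenantID, objectID)) }

// Rewrap rotates the KEK: unwrap under the old provider, wrap under the new one. Object ciphertexts are untouched.
func Rewrap(oldKMS, newKMS KMS, tk TenantKey, newVersion int) (TenantKey, error) {
	t, err := OpenTenantKey(oldKMS, tk)
	if err != nil {
		return TenantKey{}, err
	}
	w, err := newKMS.Wrap(t.dek, kekAAD(tk.TenantID, newVersion))
	if err != nil {
		return TenantKey{}, err
	}
	return TenantKey{TenantID: tk.TenantID, KEKVersion: newVersion, WrappedDEK: w}, nil
}
```

The call sequence is `NewTenantKey` once per tenant (store the returned row), `OpenTenantKey` per request followed by `Encrypt`/`Decrypt` with the object ID, and `Rewrap` against a new provider when the KEK rotates; the ESO-backed or cloud provider that ADR-0030 defers would replace `LocalKEK` behind the `KMS` seam without touching anything below it. One caveat that follows from choosing a per-tenant rather than per-object DEK: with random 96-bit GCM nonces, NIST SP 800-38D limits a single key to 2^32 encryptions before nonce-collision risk becomes unacceptable, so a DEK shared by every object of a large tenant needs an encryption counter or a scheduled DEK rotation, not just KEK rotation.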

Decision

Consequences

Positive

Negative / costs

Alternatives considered