How does Zero-Knowledge Vault Storage protect B2B guest data?
Last Updated June 8, 2026
To let external partner services such as Trip.Express store highly sensitive credentials, passes, or tickets in the User's Vault without exposing them to UID.one, we use an end-to-end encrypted (E2EE) hybrid cryptography model:
1. Public Key Retrieval
Trip.Express retrieves the user's RSA Public Key associated with their device from UID.one.
2. Hybrid Encryption
A fresh random 256-bit symmetric key is generated on the Trip.Express server and used to encrypt the ticket payload with AES-256-GCM, which also produces an authentication tag so that any modification of the stored ciphertext is detected on decryption. The symmetric key is then encrypted (wrapped) with the user's RSA public key using OAEP padding, and the sender discards its copy of the key.
3. Zero-Knowledge Storage
The encrypted payload (with its GCM nonce and authentication tag) and the wrapped key are stored on the UID.one coordination server. The server acts as a zero-knowledge data store: it holds only ciphertext and never the device's private key, so it cannot read or decrypt the plaintext payload.
4. Client-Side Decryption
The user's device retrieves the stored envelope, unwraps the AES key with its private key inside a hardware-backed keystore (Android StrongBox; the private key never leaves the hardware, only the unwrap result does), and decrypts the ticket locally. Note that Apple's Secure Enclave generates only 256-bit elliptic-curve keys, so an RSA private key cannot be held inside it; an iOS device therefore either keeps the RSA key in the Keychain outside the Secure Enclave, or the scheme must use an elliptic-curve key and ECIES-style encryption in place of RSA-OAEP.
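The four steps above, carried through as an added example in Go using only the standard library (this is illustrative code, not UID.one's or Trip.Express's implementation). The `Envelope` type, its field names, the use of a ticket identifier as GCM associated data, and the in-memory RSA key standing in for the device's hardware-backed key are all assumptions of the example; the page does not describe the stored format. The example also shows the two failure modes a practitioner should expect: a different device key cannot unwrap the envelope, and any change to the stored ciphertext or associated data fails GCM authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the record the coordination server stores (step 3).
// Field names are assumed for this example.
type Envelope struct {
	WrappedKey []byte // random AES-256 key, encrypted with the device's RSA-OAEP public key
	Nonce      []byte // 96-bit AES-GCM nonce; a fresh key is used per envelope, so a random nonce is safe
	Ciphertext []byte // ticket payload followed by the 16-byte GCM authentication tag
	AAD        []byte // associated data bound into the tag, e.g. a ticket identifier (assumption)
}

// EncryptForDevice is the sender (Trip.Express) side, steps 1-2.
// devicePub is the RSA public key retrieved for the user's device.
func EncryptForDevice(devicePub *rsa.PublicKey, ticket, aad []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, ticket, aad)
	// Wrap the symmetric key with RSA-OAEP (SHA-256) under the device public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the sender keeps no copy of the symmetric key
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, AAD: aad}, nil
}

// DecryptOnDevice is step 4. In production the RSA private key stays inside the
// hardware keystore and only the unwrap runs there; here an in-memory key stands in.
func DecryptOnDevice(devicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: envelope is not addressed to this device key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.AAD)
	if err != nil {
		return nil, errors.New("GCM authentication failed: payload or associated data was modified")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample: an in-memory 2048-bit RSA key models the device key.
	devicePriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ticket := []byte(`{"pass":"BOARDING","seat":"12A"}`) // constructed sample payload
	aad := []byte("ticket-id:example-0001")            // constructed identifier

	env, err := EncryptForDevice(&devicePriv.PublicKey, ticket, aad)
	if err != nil {
		panic(err)
	}
	// This is all the coordination server ever holds.
	fmt.Printf("server stores %d ciphertext bytes and a %d-byte wrapped key\n",
		len(env.Ciphertext), len(env.WrappedKey))

	got, err := DecryptOnDevice(devicePriv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("device recovered: %s\n", got)

	env.Ciphertext[0] ^= 0x01 // a single flipped bit in storage is detected
	_, err = DecryptOnDevice(devicePriv, env)
	fmt.Println("after tampering:", err)
}
```

Because the payload is encrypted with a per-envelope key and the tag covers the associated data, the server can neither read the ticket nor silently re-label one stored envelope as another; the device always learns whether what it fetched is exactly what the partner sealed.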