Drop Zone Overview

Drop Zone is the encrypted cloud storage system built into HomeDock OS. It is designed with per-user encryption and authenticated cryptography, ensuring each user can only decrypt their own files, and that files are tightly bound to their rightful owner.

Since version 1.0.18.108, Drop Zone uses AES-256 in GCM mode (authenticated encryption) and PBKDF2-HMAC-SHA256 with 1.2 million iterations, unique salts, and associated data. Files encrypted with the old CBC-based system are automatically migrated to the new format when accessed.

In short, Drop Zone is now 10–50× more secure and faster

How Easy Is It to Use?

Drop Zone is effortless to use. Just drag, drop, and relax, your files are encrypted and stored securely. No complex setup. HomeDock OS handles everything behind the scenes.

Example:

Original Content (My_Super_Secret_Story.txt):

He opened his eyes, remembered to breathe, and forgot forever.

Encrypted Content:

����b�Y7�=��'\�o�!��l�H�Q��HvSH#�=PN`i���G�\�*&����33Y��  �.��!��3��6�˝/z�aw��

Benefits of Using Drop Zone

Authenticated Encryption: Now uses AES-256-GCM (instead of CBC), which ensures both confidentiality and integrity. Tampering with encrypted files results in immediate decryption failure.
Per-User Derived Keys: Each user has a unique random key and key derivation using PBKDF2 with 32-byte salt entry with username binding in homedock_dropzone.conf. Keys are derived using PBKDF2-HMAC-SHA256 with 1.2 million iterations, ensuring files cannot be decrypted even if users swap their keys.
Associated Data Binding: The username is embedded into the AES-GCM encryption as associated data. This is separate from its use in the salt and ensures that even if the key is correct, decryption fails if the user doesn’t match.
Legacy Compatibility: Files encrypted with the legacy AES-CBC system are automatically detected and migrated to the new GCM format on access, with no user intervention required.
Performance via Caching: Derived keys are cached in-memory per user, avoiding expensive re-derivation on every upload or download. This makes the system faster despite strong cryptographic parameters.
Secure-by-Default Behavior: Files are always stored encrypted at rest and decrypted only in memory, and all encryption/decryption is tied to the authenticated user.

Security Summary

Feature	Legacy (`dz_key`)	Current (`dzkey_v2`)
Algorithm	AES-256-CBC	AES-256-GCM
Iterations	100K	1.2M
Authenticated Encryption	❌	✅
Unique Salt per User	✅	✅ (32 bytes)
Associated Data Binding	❌	✅ (username)
Per-User Key Derivation	✅	✅
Key Derivation Input	`username`	`username + salt`
In-Memory Key Caching	❌	✅
Decryption Tied to Username	⚠️ (indirect)	✅ (strict binding)

Summary:

_{dzkey_v2 dramatically strengthens security with authenticated encryption, personalized salt + key derivation, and seamless legacy migration. All while improving performance and backward compatibility.}

How It Works?

Current (`dzkey_v2`)

Since version 1.0.18.108, Drop Zone uses:

AES-256-GCM (Authenticated Encryption)
PBKDF2-HMAC-SHA256 (1,200,000 iterations)
Salt: Random 32-byte value per user, stored in homedock_dropzone.conf
Associated Data: Username (lowercased) included as an integrity check
Key Caching: Derived keys are cached in memory for performance

# Derive the final encryption key
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=username.lower().encode() + salt,
    iterations=1_200_000,
    backend=default_backend(),
)
derived_key = kdf.derive(base_key)

# Encrypt with AES-GCM and associated data
aesgcm = AESGCM(derived_key)
nonce = os.urandom(12)
associated_data = username.lower().encode()
encrypted_data = aesgcm.encrypt(nonce, plaintext, associated_data)

The result is: nonce + encrypted_data. The authentication tag is embedded automatically.

This ensures:

Even if someone copies another user’s config, decryption will fail.
The file is cryptographically bound to the original user via both salt and associated_data.

Legacy / Deprecated (`dz_key`)

The legacy system used:

AES-256-CBC
Key derived from a global base key + username
No integrity/authentication (plaintext could be tampered with)
Migration path: All files using this format are detected and re-encrypted into dzkey_v2 on first access.

# Legacy derivation
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=username.encode("utf-8"),
    iterations=100000,
    backend=default_backend(),
)
key = kdf.derive(base_key)

# Legacy encryption
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())

Example Config (`homedock_dropzone.conf`)

dzkey_v2:user:qWERTYsaltBASE64==:zxcvbkeybase64==
dzkey_v2:alice:Dk382Slkcs82Lwl2pQ==:zme827xD72Lsla92V==

Only the base and salt are stored. The final encryption key is derived at runtime.

Conclusion

Drop Zone now offers security guarantees comparable to enterprise-grade encrypted storage systems. All encryption is:

End-to-end: Files are never stored in plaintext.
Per-user: Nobody can access your data but you.
Fast: Thanks to in-memory caching, even with strong encryption.

For more technical details or updates, check the latest code on GitHub.