
Drop Zone Overview

Drop Zone is the encrypted cloud storage system built into HomeDock OS. It is designed with per-user encryption and authenticated cryptography, ensuring each user can only decrypt their own files, and that files are tightly bound to their rightful owner.

Since version 1.0.18.108, Drop Zone has used AES-256 in GCM mode (authenticated encryption) for confidentiality and integrity, combined with unique salts, per-user keys, and associated data. Files encrypted with the old CBC-based system are automatically migrated to the new format when accessed.

Version 2.0.3.106 introduced a complete redesign with folder support, allowing you to organize encrypted files in custom folder structures with hierarchical navigation.

Version 2.1.x upgrades the key-derivation function from PBKDF2 to HKDF-SHA256 (dzkey_v3), with a purpose-scoped context string (dropzone/file-encryption/v3/{username}) to prevent key collisions across derivations sharing the same base secret. Because the base key is already a cryptographically strong 32-byte os.urandom secret, PBKDF2’s slow-by-design iterations added no security value over HKDF, which is the correct KDF for high-entropy inputs. Derivation becomes effectively instantaneous, eliminating the need for derived-key caching, TTL timers, and threading workarounds. Files encrypted with dzkey_v2 (PBKDF2/GCM) or legacy dzkey_v1 (PBKDF2/CBC) are transparently migrated to dzkey_v3 on first access.

Drop Zone also now performs atomic file writes: encrypted files are written to a .tmp file and atomically replaced via os.replace(), preventing data loss if the process crashes mid-write.

In short, Drop Zone is now more secure, faster, and more organized than ever.

Drop Zone is effortless to use. Just drag, drop, and relax: your files are encrypted and stored securely. No complex setup; HomeDock OS handles everything behind the scenes.

The Drop Zone redesign introduced comprehensive folder support:

Hierarchical Structure

  • Create custom folder structures to organize your encrypted files
  • Nested folder support with unlimited depth
  • Breadcrumb navigation for easy path tracking
  • Folder-aware file operations

Drag-and-Drop Upload

  • Upload entire folders maintaining directory hierarchy
  • Fullscreen drag-and-drop overlay with visual feedback
  • Automatic filtering of hidden files (.*) during folder uploads
  • Files automatically placed in target folders

Folder Management

  • Create new folders with validation and permission checks
  • Rename and organize folders
  • Delete folders with recursive removal of contents
  • Recursive size calculation showing accurate folder sizes

View Modes

  • Grid View: Desktop-like layout with positioned icons
  • List View: Grouped folder sections for easy browsing
  • Persistent view mode preference saved in localStorage
  • Smooth transitions between view modes

Hierarchical Navigation

  • Browse through folders seamlessly
  • Breadcrumb path navigation showing current location
  • Quick navigation to parent folders
  • Folder expansion and collapse

Global Search

  • Folder-aware search with recursive folder scanning
  • Results grouped by parent directories
  • Shows full path context for files
  • Filters hidden files automatically

Context Menu

  • Right-click actions for files and folders
  • Folder-specific operations (open, delete, properties)
  • File operations (download, delete, info)
  • Touch-friendly long-press support on mobile

Enhanced Metadata

  • Folder sizes calculated recursively
  • Relative timestamps (“5m ago”, “1h ago”, “Now”)
  • “NEW” indicators for recent uploads (within last hour)
  • Compact size badges
  • Visual file type indicators with dynamic icons

Multi-Selection

  • Select multiple files/folders for batch operations
  • Ctrl+Click for individual selection
  • Drag-to-select area selection
  • Batch download and delete support

Smart Sorting

  • Sort by name, size, or date
  • Ascending/descending toggle
  • Sort order preserved across view changes
  • Folders typically displayed before files

Example:

Original Content (My_Super_Secret_Story.txt):

He opened his eyes, remembered to breathe, and forgot forever.

Encrypted Content:

����b�Y7�=��'\�o�!�� l� H�Q��HvSH#�=PN`i���G�\�*&�� ��33Y�� �.��!��3��6�˝/z�aw��

  • Authenticated Encryption: Uses AES-256-GCM (instead of CBC), which ensures both confidentiality and integrity. Tampering with encrypted files results in immediate decryption failure.
  • Per-User Derived Keys: Each user has a unique 32-byte os.urandom base key plus a 32-byte HKDF salt, stored in homedock_dropzone.conf. Per-file keys are derived on demand via HKDF-SHA256 with a purpose-scoped info context (dropzone/file-encryption/v3/{username}), ensuring files cannot be decrypted even if users swap their configs.
  • Associated Data Binding: The username is embedded into the AES-GCM encryption as associated data. This is separate from its use in the salt and info fields and ensures that even if the key is correct, decryption fails if the user doesn’t match.
  • Legacy Compatibility: Files encrypted with dzkey_v2 (PBKDF2/GCM) or legacy dzkey_v1 (AES-CBC) are automatically detected and rewritten as dzkey_v3 on access, with no user intervention required.
  • Instant Key Derivation: HKDF is effectively free on high-entropy inputs, so there is no need for an in-memory derived-key cache, TTL timers, or thread-safety workarounds. Derivation happens fresh on every read and write.
  • Atomic Writes: Encrypted files are written to a .tmp file and atomically replaced via os.replace(), so a crash mid-write never corrupts an existing encrypted file.
  • Secure-by-Default Behavior: Files are always stored encrypted at rest and decrypted only in memory, and all encryption/decryption is tied to the authenticated user.
  • Folder Encryption: Folder paths are also encrypted, maintaining security across entire directory structures (version 2.0.3.106+).

Touch Optimization

  • Long-press detection for mobile context menus
  • Touch-friendly selection mechanisms
  • Mobile-optimized context menus for tablets and phones
  • Responsive touch interactions

Download Progress

  • Visual progress bars overlaid on files during downloads
  • Real-time transfer status display
  • Percentage indicators for large file downloads

Empty State Handling

  • Contextual messages when no files exist
  • Helpful user guidance for first-time users
  • Search-specific empty states

Grid View Positioning

  • Automatic layout calculation
  • Optimal icon placement
  • Responsive grid adjustments for different screen sizes

Error Handling

  • Detailed error messages for failed operations
  • Security violation detection
  • User-friendly feedback for all operations

Status Bubble System

  • Uses Vue Teleport for proper notification rendering
  • Renders outside component hierarchy
  • Fixes z-index stacking issues
  • Better visual feedback for operations

Path Security

  • Path validation preventing directory traversal attacks
  • Symlink detection for security
  • Safe path validation on all file operations
  • Protection against malicious path manipulation

Feature                     | Legacy (dz_key / v1)          | Previous (dzkey_v2)   | Current (dzkey_v3)
----------------------------|-------------------------------|-----------------------|----------------------------------
Algorithm                   | AES-256-CBC                   | AES-256-GCM           | AES-256-GCM
Key Derivation              | PBKDF2 (100K iter.)           | PBKDF2 (1.2M iter.)   | HKDF-SHA256
Authenticated Encryption    | ❌                            | ✅                    | ✅
Unique Salt per User        | ❌ (username used as salt)    | ✅ (32 bytes)         | ✅ (32 bytes, HKDF salt)
Associated Data Binding     | ❌                            | ✅ (username)         | ✅ (username)
Purpose-Scoped Context      | ❌                            | ❌                    | ✅ (dropzone/file-encryption/v3/)
Per-User Key Derivation     | ✅                            | ✅                    | ✅
Key Derivation Input        | username                      | username + salt       | base_key + salt + info
In-Memory Key Caching       |                               | ✅ (required)         | ❌ (not needed, HKDF is instant)
Atomic File Writes          | ❌                            | ❌                    | ✅ (.tmp + os.replace())
Decryption Tied to Username | ⚠️ (indirect)                 | ✅ (strict binding)   | ✅ (strict binding)

Summary:

dzkey_v3 switches from PBKDF2 to HKDF, the correct KDF for high-entropy inputs, producing effectively instantaneous key derivation without sacrificing security. A purpose-scoped info context prevents key collisions, and atomic writes guarantee encrypted files are never left in a half-written state.

Drop Zone uses:

  • AES-256-GCM (Authenticated Encryption)
  • HKDF-SHA256 for key derivation from the per-user base key
  • Base key: Cryptographically strong 32-byte os.urandom secret, stored per user in homedock_dropzone.conf
  • Salt: Random 32-byte value per user, used as HKDF salt
  • Info / Context: dropzone/file-encryption/v3/{username}, a purpose-scoped string preventing key collisions if the same base secret is ever reused for another derivation
  • Associated Data: Username (lowercased) bound into the AES-GCM ciphertext as an integrity check
  • No key caching needed: HKDF is effectively instantaneous on high-entropy inputs, so derived keys are recomputed on demand instead of cached with TTLs

import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# base_key: the user's 32-byte os.urandom secret; salt: the user's 32-byte HKDF salt
# (both read from homedock_dropzone.conf); username: the authenticated user

# Derive the per-file encryption key with HKDF
hkdf = HKDF(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    info=b"dropzone/file-encryption/v3/" + username.lower().encode("utf-8"),
)
derived_key = hkdf.derive(base_key)

# Encrypt with AES-GCM and associated data
aesgcm = AESGCM(derived_key)
nonce = os.urandom(12)  # fresh 96-bit nonce per encryption; never reused with the same key
associated_data = username.lower().encode("utf-8")
encrypted_data = aesgcm.encrypt(nonce, plaintext, associated_data)  # ciphertext || 16-byte tag

The result stored on disk is nonce + encrypted_data. The authentication tag is embedded automatically by AES-GCM.

This ensures:

  • Even if someone copies another user’s config, decryption will fail.
  • The file is cryptographically bound to the original user via the HKDF salt, the info context, and the GCM associated_data.
  • Key derivation is stateless: there is no in-memory cache or TTL to manage, and no threading concerns.

Atomic writes

import os

temp_path = encrypted_file_path + ".tmp"
with open(temp_path, "wb") as f:
    f.write(encrypted_content)
# os.replace() swaps the file atomically: readers see either the old file or the complete new one
os.replace(temp_path, encrypted_file_path)

If the process crashes mid-write, the original encrypted file remains intact; no half-written ciphertext is ever exposed to the decrypt path.

Prior to v3, Drop Zone used PBKDF2-HMAC-SHA256 with 1.2 million iterations to derive the per-file key:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=username.lower().encode() + salt,  # per-user 32-byte salt from homedock_dropzone.conf
    iterations=1_200_000,
    backend=default_backend(),
)
derived_key = kdf.derive(base_key)

This worked, but the iteration count was a holdover from password-based KDFs. Because the base_key is already a high-entropy random secret (not a human password), the iterations added no meaningful resistance to brute force; they only made derivation slow enough that an in-memory cache was required to keep performance acceptable. HKDF removes that complexity entirely.

Files written with dzkey_v2 are still readable and are transparently re-encrypted as dzkey_v3 on first access.

The legacy system used:

  • AES-256-CBC (no authentication)
  • Key derived from a global base key + username via PBKDF2 (100,000 iterations)
  • No integrity/authentication (plaintext could be tampered with)
  • Migration path: files using this format are detected and re-encrypted into dzkey_v3 on first access.

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=username.encode("utf-8"),  # the username itself served as the salt
    iterations=100000,
    backend=default_backend(),
)
key = kdf.derive(base_key)  # base_key was global, not per user
# iv: the 16-byte CBC IV for this file; CBC mode carries no integrity check
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())

homedock_dropzone.conf entries (format, then an example):

dzkey_v3:user:qWERTYsaltBASE64==:zxcvbkeybase64==
dzkey_v3:alice:Dk382Slkcs82Lwl2pQ==:zme827xD72Lsla92V==

Only the base key and salt are stored per user. The final encryption key is derived at runtime via HKDF. Older dzkey_v2 and dz_key entries may coexist in the same file during migration and are consumed by the v2/v1 decrypt paths on the way to being rewritten as dzkey_v3.
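As an added example (not Drop Zone's own code), the dzkey_v3 derivation and the config entries above tied together: HKDF-SHA256 written out from RFC 5869 so its cost is visible, a parser for the dzkey_v3 line format, and the AES-GCM round trip with the username as associated data, showing that a copied config or a mismatched username cannot decrypt. It assumes the cryptography package for the AES-GCM part only; the conf entries and keys are constructed, not real.

```python
import base64, hashlib, hmac, os

INFO_PREFIX = b"dropzone/file-encryption/v3/"

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 spelled out (same output as cryptography's HKDF.derive):
    one HMAC to extract, then one HMAC per 32-byte block to expand. That is why it is instant."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def parse_conf_line(line: str) -> dict:
    """One homedock_dropzone.conf entry: dzkey_v3:<user>:<salt_b64>:<base_key_b64>.
    dz_key / dzkey_v2 entries are refused here; they belong to the migration path."""
    fields = line.strip().split(":")
    if fields[0] != "dzkey_v3":
        raise ValueError(f"{fields[0]} entry must be migrated to dzkey_v3 first")
    _, username, salt_b64, key_b64 = fields
    return {"username": username, "salt": base64.b64decode(salt_b64),
            "base_key": base64.b64decode(key_b64)}

def derive_user_key(entry: dict) -> bytes:
    # The purpose-scoped info string ties the derived key to this user and this use.
    info = INFO_PREFIX + entry["username"].lower().encode("utf-8")
    return hkdf_sha256(entry["base_key"], entry["salt"], info)

def encrypt_for_user(entry: dict, plaintext: bytes) -> bytes:
    """On-disk layout nonce || ciphertext+tag, lowercased username as associated data."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumed installed
    nonce = os.urandom(12)  # fresh per encryption; never reused with the same key
    aad = entry["username"].lower().encode("utf-8")
    return nonce + AESGCM(derive_user_key(entry)).encrypt(nonce, plaintext, aad)

def decrypt_for_user(entry: dict, blob: bytes) -> bytes:
    """Raises cryptography.exceptions.InvalidTag if key, username (AAD) or ciphertext differ."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    aad = entry["username"].lower().encode("utf-8")
    return AESGCM(derive_user_key(entry)).decrypt(blob[:12], blob[12:], aad)

# Constructed sample entries (not real keys): alice, and bob after copying alice's salt and base key.
ALICE_LINE = "dzkey_v3:alice:%s:%s" % (base64.b64encode(bytes(range(32, 64))).decode(),
                                       base64.b64encode(bytes(range(32))).decode())
BOB_LINE = ALICE_LINE.replace(":alice:", ":bob:")
```

Even with alice's salt and base key copied verbatim, bob's entry derives a different key (different info string) and presents a different AAD, so both checks fail independently.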

Drop Zone now offers security guarantees comparable to enterprise-grade encrypted storage systems. All encryption is:

  • End-to-end: Files are never stored in plaintext.
  • Per-user: Nobody can access your data but you.
  • Fast: HKDF key derivation is effectively instantaneous, so strong encryption adds no noticeable overhead and no in-memory cache is needed.

For more technical details or updates, check the latest code on GitHub.