Aegis-Lock: Zero-Trust Encryption

Benchmark
Aegis Dashboard
Aegis Playground
Aegis Decryption
Aegis Proof

Inspiration

Today's threats require more than simple "encryption-at-rest" provided by your cloud provider of choice. What happens when a hacker breaks into the database or a malicious insider dumps a table? The plaintext is exposed.

Our realization was that if we truly want a zero-trust security posture, we needed client-side, field-level encryption—the kind that encrypts the data before leaving the application server or browser. Current libraries such as crypto-js were bloated, sluggish, and lacked modern enterprise functionalities. Our inspiration for Aegis-Lock was creating an elegant, zero-dependency, mathematically-backed cryptographic engine so developer-friendly, that you have no excuse not to use it!

What it does

Aegis-Lock is a database-agnostic npm package which provides advanced AES-256-GCM field-level encryption. It runs seamlessly between your application and your database, locking sensitive fields before they are saved.

Contextual Binding (Additional Associated Data): Contextual binding is the process of cryptographically linking ciphertext to the database row's Primary Key. For instance, if a hacker takes the encrypted "Admin" role of User A and pastes it into User B's record, decryption will fail.
Blind Indexing: This method involves using deterministic HMAC-SHA256 hashing to allow the application to execute exact match database queries based on the plaintext value, without ever revealing the plaintext itself.
Key Rotation: We utilize an adapter for a dynamic KeyRing, where developers can easily switch to a new master key at any moment. New rows will lock with the new key, yet legacy rows will decrypt without breaking anything.

How we built it

We developed Aegis-Lock completely with TypeScript and a zero-dependency approach. Unlike other cryptographic libraries which rely heavily on third-party packages, we took advantage of Node.js's native, asynchronous WebCrypto API, operating nearly instantaneously on the underlying C++ level.

Our Object-Oriented Adapter Pattern made our encryption engine database-agnostic, allowing us to write native adapters for Supabase and MongoDB. However, the AegisClient is constructed to allow developers to plug in any database via a simple interface. Finally, we used Jest to conduct strict TDD, validating key rotation and tampering protection works, before we pushed our npm release live!

Challenges we ran into

Creating a true cryptographic library came with its challenges:

ESM Paradox: Much of our weekend went into battling the intricacies of Node.js and TypeScript module resolution systems. We spent a lot of time understanding how ES Modules work compared to CommonJS and navigating through their file extension requirements.
Buffer Management: Given that AES-GCM and HMAC rely on memory array precision, we had to carefully convert from and back to Uint8Array, ensuring our blind index signature would be memory aligned and 100% deterministic.
Key Rotation Architecture: Creating a payload structure (version:iv:ciphertext), allowing a singular decryption function to access an array of historical keys without compromising speed was a huge architectural challenge.

Accomplishments that we're proud of

We are incredibly proud of ripping out all external dependencies. Having a library operate on top of Node.js's native WebCrypto API means a literally 0ms latency tax.

Our biggest accomplishment however, was developing Contextual Binding and Blind Indexing functions from scratch. These are two advanced mechanisms used by enterprise KMS providers, and successfully implementing them into a weekend hackathon project (and having a passing Jest test suite and npm v2.1.0 package in the process) is no small feat for our team.

What we learned

We learned about modern cryptographic primitives in great detail. For example, we discovered that since AES-GCM produces a random Initialization Vector every time, it becomes essentially impossible to search unless a second Blind Index was used. Additionally, we became experts in structuring, documenting, and releasing an enterprise-grade npm package using barrel files and module exports, with proper .gitignore safety.

What's next for Aegis-Lock: Zero-Trust Encryption

While the foundation is in place, there is still a lot left to build:

First, we need to create an Envelope Encryption (KEK/DEK architecture) scheme which gives every database row its very own unique Data Encryption Key.
Second, we must develop a native PostgreSQL (Prisma/Drizzle) adapter to support an even wider range of databases.
Finally, building a standalone Next.js frontend to manage KeyRings and audit logs securely.

Built With

Submitted to

Frostbyte Hackathon

Created by

Drove the UI/UX design for the interactive playground, translating complex encryption mechanics into an intuitive, visual experience. Also co-produced and finalized the pitch video to effectively showcase our technical upgrades to the judges.

Trisha Bej
Hritesh Saha
Harshh Gupta
Cherry Ghosh

Updates

Hritesh Saha started this project — Apr 05, 2026 05:38 AM EDT

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.