Enterprise security layer

Keep your systems.
Add the seal.

You already spent years and budgets on the systems you run. The Zeromatics SDK adds a zero-knowledge encryption layer between your application and your database — without replacing anything.

An engineering engagement — white paper, integration services and embedded delivery. Not a self-serve sign-up.

Where it sits

A layer between app and database.

Your application writes data through the SDK. It encrypts on the client, and only ciphertext reaches the database — including the systems you already have.

# Before: plaintext on the server
db.save(record.name) # "John Doe"
db.save(record.national_id) # "35201-1234567-9"
db.save(record.salary) # "450000"

# After: with the Zeromatics SDK
db.save(zk.encrypt(record.name)) # "0x7a3f...b291"
db.save(zk.encrypt(record.national_id)) # "0xe1c9...4f82"
db.save(zk.encrypt(record.salary)) # "0x5d8a...c7e0"

# Search without decryption
db.where(name_sig == zk.hmac("john doe"))
# Returns encrypted rows, decrypted client-side

No system replacement

Governments and enterprises spent millions on the systems they run. The SDK makes them sealed without ripping anything out.

Browser and native

WebAssembly in the browser. Native libraries on the server and the desktop. The same encryption protocol everywhere.

Searchable encryption

HMAC-SHA512/256 signatures let you query encrypted data. The database matches signatures and never sees plaintext.
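
The signature lookup described above, as an added example that is not Zeromatics SDK code: a keyed signature column matched by SQLite, plus a count of what the database operator can still observe (which rows hold equal values). Assumptions: "HMAC-SHA512/256" is read as HMAC-SHA-512 truncated to 256 bits, and the per-field subkey, the normalisation rules, the demo key, the table layout and the sample names are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3
import unicodedata
from collections import Counter

INDEX_KEY = bytes(range(32))  # constructed demo key, never a real one

def field_key(index_key: bytes, field: str) -> bytes:
    """Per-field subkey (assumption): equal values in different columns must not match."""
    return hmac.new(index_key, b"blind-index:" + field.encode(), hashlib.sha512).digest()[:32]

def normalize(value: str) -> bytes:
    """Canonicalise before signing so 'John Doe' and 'john  doe' sign identically."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split()).encode()

def signature(index_key: bytes, field: str, value: str) -> bytes:
    """HMAC-SHA-512 truncated to 256 bits (assumed reading of HMAC-SHA512/256)."""
    return hmac.new(field_key(index_key, field), normalize(value), hashlib.sha512).digest()[:32]

def build_db(names):
    """The database stores only signatures here; the ciphertext column is omitted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name_sig BLOB)")
    db.executemany("INSERT INTO people (name_sig) VALUES (?)",
                   [(signature(INDEX_KEY, "name", n),) for n in names])
    return db

def search(db, name):
    """Client signs the query term; the database does a plain equality match."""
    sig = signature(INDEX_KEY, "name", name)
    rows = db.execute("SELECT id FROM people WHERE name_sig = ? ORDER BY id", (sig,))
    return [r[0] for r in rows]

def repeated_values(db):
    """Operator's view without any key: how many rows share each signature."""
    counts = Counter(r[0] for r in db.execute("SELECT name_sig FROM people"))
    return sorted(counts.values(), reverse=True)

# Constructed sample records
SAMPLE = ["John Doe", "john  doe", "Jane Roe", "JOHN DOE", "Ali Khan"]

if __name__ == "__main__":
    db = build_db(SAMPLE)
    print("ids matching 'john doe':", search(db, "john doe"))
    print("rows per distinct signature:", repeated_values(db))
```

Because the signature is deterministic, equality and frequency of values remain visible to whoever can read the column, which matters most for low-cardinality fields.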

FIPS compliance mode

Switch crypto backends with a config flag. Standard mode (X25519 / XChaCha20) or FIPS mode (P-384 / AES-256-GCM). Same API.

What you embed

The security layer, in parts.

Client encryption

Field-level encrypt and decrypt with XChaCha20-Poly1305. Runs entirely on the client — the server never sees plaintext.

Key management

A key hierarchy derived from credentials, scoped to the organization. Deterministic — the same password always derives the same keys.

PKI & certificates

A built-in certificate authority issues Ed25519-signed user certificates, with hash-chained event logs for full auditability.

Secure key wrapping

X25519 sealed boxes distribute keys per user. Grant or revoke access instantly, without re-encrypting any data.

Cryptographic stack

Audited primitives. No surprises.

The same primitives behind our products — built on libsodium, with a FIPS path and a post-quantum hybrid.

| Primitive | Standard mode | FIPS mode |
| --- | --- | --- |
| Symmetric encryption | XChaCha20-Poly1305 | AES-256-GCM |
| Key exchange | X25519 (Curve25519) | ECDH P-384 |
| Digital signatures | Ed25519 | ECDSA P-384 |
| Password KDF | Argon2id (128MB / 5) | PBKDF2-HMAC-SHA512 |
| Search signatures | HMAC-SHA512/256 | HMAC-SHA512/256 |
| Post-quantum (hybrid) | ML-KEM + ML-DSA | ML-KEM + ML-DSA |

How we work together

An engineering engagement.

This is not a self-serve developer tool. We engage with your architects directly.

White paper

A full account of the architecture, the threat model and the cryptographic choices — written for your security team to review.

Integration services

Our engineers work alongside yours to place the encryption layer into your existing systems, field by field.

Embedded

Ship the layer inside your own product. The seal becomes a feature you offer, backed by audited cryptography.

Let's seal your systems.

Bring your architecture. We will walk through where the layer fits, what changes and what your security team gets to review.