User Guide

Everything you need to know to get started with HybridCipher

💡 Pilot Users: Detailed setup and usage guides are provided directly to pilot program participants. If you're interested in joining the pilot, please apply here.

Quick Start Overview

  1. Install HybridCipher on your device and create an account
  2. Set up your vault and choose where encrypted files should be stored
  3. Add files to your vault—encryption happens automatically using hybrid post-quantum cryptography
  4. Access your files normally—decryption is transparent and seamless

Installation

Note: Pilot users receive direct installation instructions and setup support. This section provides a general overview.

💻 Supported Platforms

HybridCipher is available for:

  • macOS - Native application with system integration
  • Windows - Signed installer for all versions
  • Linux - Packages for major distributions (apt, dnf, yay)
  • Command Line - CLI tools for server automation

Installation packages are provided to approved pilot participants.

First-Time Setup

Account Setup & Folder Enrollment

When you first launch HybridCipher, you’ll complete a short setup flow:

  • Account creation: Create your account using your email address (used for team coordination and device onboarding)
  • Authentication setup: Set a strong password for account access (uses OPAQUE for zero-knowledge-style authentication)
  • Enable two-factor authentication: Strongly recommended to avoid getting locked out during device changes or future account recovery flows
  • Recovery codes: Save your recovery codes securely—these are critical if you lose access to your authenticator or primary device
  • Enroll a folder: Choose any folder you want HybridCipher to protect. After enrollment, files inside (and newly added files) are processed automatically.

⚠️ Critical: Secure your recovery codes

HybridCipher uses zero-knowledge encryption, which means we cannot recover your account or decrypt your files if you lose your recovery codes. Store them in a password manager or write them down in a secure location and never share them with anyone, including HybridCipher.

💡 Account Security Best Practices

  • Use a long passphrase (4–6 random words) or a password manager-generated password
  • Enable two-factor authentication and keep recovery codes offline
  • Keep your devices updated and protected (operating system updates, screen lock, disk encryption)

Note: This is pre-launch documentation and will be expanded with detailed recovery and device onboarding guidance.

Basic Usage

📂 Enroll a Folder

HybridCipher protects an enrolled folder. You can enroll any folder on your device (via the desktop app or the command line interface).

  • Choose any folder: pick a location that fits your workflow
  • Enrollment brings files under protection: existing files in the folder are processed after enrollment
  • Ongoing protection: files added later are encrypted automatically

🔒 How Encryption Works

After enrollment, HybridCipher continuously protects the folder by encrypting file data and managing keys on your devices.

  • Files inside the enrolled folder are encrypted automatically (including files added later)
  • Each file uses its own randomly generated file key
  • In a team, access is governed by the group’s current epoch (and rekeying when membership changes)
  • You keep working with files normally; encryption and decryption are handled by HybridCipher

☁️ Works With Any Cloud Sync Folder

HybridCipher does not replace your cloud provider. It encrypts locally, and your existing sync tool uploads what is in the folder.

  • Enroll a folder that is inside a synced path (for example, Google Drive, Dropbox, OneDrive, Nextcloud, Syncthing)
  • Your provider stores and syncs the folder contents; HybridCipher’s goal is for those contents to be encrypted
  • You can switch providers by moving the enrolled folder into a different sync path (no format lock-in)

✅ Designed so storage providers store encrypted data; during beta, follow the recommended workflow to avoid timing races.

🔄 Use on Multiple Devices

To access the same encrypted data on another device, install HybridCipher there and connect it to the same synced folder.

  • Install HybridCipher on each device you want to use
  • Sign in (and join the same team/group if applicable)
  • Point HybridCipher to the same synced folder location
  • Files remain encrypted at rest and decrypt only on authorized devices

Team Features (Groups & Epoch Keys)

👥 Team Collaboration (Groups)

In HybridCipher, a “team” is implemented as a cryptographic group. Groups define membership, roles, and the keys used to protect shared files.

  • Create a team (group): Set up a shared encrypted workspace backed by a group key
  • Roles: Admin and Member roles for managing membership and settings
  • Invite members: Members gain access by joining the group—no manual key exchange
  • Membership changes: Removing someone updates group access and triggers rekeying options

Terminology: UI may say “Team”, while the cryptographic object is a “Group”.

🔑 Epoch Key System (Group Key Versions)

Each group maintains an epoch (a key version) that changes when membership changes.

  • Files are protected with per-file keys; access is governed by the group’s current epoch
  • When membership changes, the group advances to a new epoch
  • Removed members do not receive new epoch keys, so they cannot decrypt new content
  • To revoke access to previously shared files, a rekey operation is needed (see below)

🚫 Access Revocation & Rekeying

Removing a member stops future access immediately, and rekeying removes access to previously shared data.

  • Immediate effect: Removed members stop receiving new epoch keys
  • Rekey past files: Re-wrap or re-encrypt existing file keys under the new epoch
  • Automatic or manual: Rekeying can be triggered automatically (or run on-demand), depending on team settings
  • Performance: Typically seconds to minutes depending on file count and hardware (for example, ~10,000 files may take ~15 seconds on a modern machine)

✅ Cryptographic revocation: access is enforced by keys, not only by server-side permissions
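The epoch and rekey behaviour described in the two sections above, as an added toy model that is not HybridCipher's code: `Group`, `wrap`, `unwrap` and the member and file names are assumptions. The wrap is a standard-library stand-in (HMAC-derived pad plus MAC) used only so the example runs without third-party packages.

```python
import hashlib
import hmac
import os

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(epoch_key, file_key):
    # Stand-in wrap for a 32-byte key; real code would use a vetted AEAD or AES key wrap.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(file_key, _prf(epoch_key, b"enc", nonce)))
    return nonce + ct + _prf(epoch_key, b"mac", nonce + ct)

def unwrap(epoch_key, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _prf(epoch_key, b"mac", nonce + ct)):
        return None  # wrong epoch key or modified blob
    return bytes(a ^ b for a, b in zip(ct, _prf(epoch_key, b"enc", nonce)))

class Group:
    def __init__(self, members):
        self.epoch = 1
        self.keys = {1: os.urandom(32)}                    # epoch -> epoch key
        self.held = {m: dict(self.keys) for m in members}  # keys each member holds
        self.active = set(members)
        self.vault = {}                                    # path -> (epoch, wrapped key)

    def add_file(self, path):
        file_key = os.urandom(32)                          # per-file random key
        self.vault[path] = (self.epoch, wrap(self.keys[self.epoch], file_key))
        return file_key

    def remove_member(self, member):
        # Membership change: advance the epoch; only remaining members get the new key.
        self.active.discard(member)
        self.epoch += 1
        self.keys[self.epoch] = os.urandom(32)
        for m in self.active:
            self.held[m][self.epoch] = self.keys[self.epoch]

    def rekey(self):
        # Re-wrap every file key that is still wrapped under an older epoch.
        for path, (ep, blob) in list(self.vault.items()):
            if ep != self.epoch:
                fk = unwrap(self.keys[ep], blob)
                self.vault[path] = (self.epoch, wrap(self.keys[self.epoch], fk))

    def can_unwrap(self, member, path):
        blob = self.vault[path][1]
        return any(unwrap(k, blob) is not None for k in self.held[member].values())
```

Re-wrapping leaves the file key itself unchanged, so it only cuts off someone who held the old epoch key and never kept an unwrapped file key. Covering that case means re-encrypting the file under a fresh file key.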

📊 Audit Logs

Audit logs help teams review membership and key events for accountability.

  • Record membership changes and key-related events
  • Tamper-evident integrity via cryptographic commitments (for example, Merkle commitments / hash chaining)
  • Exportable logs for internal review (reporting tooling may vary by plan and maturity)
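Hash chaining, one of the commitment schemes named above, shown as an added example that is not HybridCipher's code. The event fields, function names and sample records are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value the first entry chains to

def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return the index of the first bad entry, or -1 if the log verifies."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    # A truncated or wholly rewritten log is still self-consistent, so also
    # compare against a head hash that was stored outside the log.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def build_sample():
    # Constructed sample events (not real HybridCipher log records).
    events = [
        {"seq": 1, "type": "member_added", "member": "alice@example.com", "epoch": 1},
        {"seq": 2, "type": "member_added", "member": "bob@example.com", "epoch": 2},
        {"seq": 3, "type": "member_removed", "member": "bob@example.com", "epoch": 3},
        {"seq": 4, "type": "rekey_completed", "files": 10000, "epoch": 3},
    ]
    log = []
    for ev in events:
        head = append(log, ev)
    return log, head
```

When reviewing an exported log, keep the head hash somewhere the log's writer cannot change; without it, `verify` catches edits inside the chain but not removal of the most recent entries.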

Getting Help

HybridCipher is actively evolving during the pilot phase. If you encounter issues or have questions:

📧 Contact Support

  • Email: support@hybridcipher.com
  • Pilot users receive prioritized support and direct access to the development team
  • Include your operating system, HybridCipher version, and a description of the issue

📚 Additional Resources

💬 Feedback & Feature Requests

Your feedback shapes the product roadmap. Share suggestions, report bugs, or request features at support@hybridcipher.com

Security Best Practices

DO: Use a strong, unique recovery code

Your recovery code protects everything. Make it long and memorable.

DO: Enable two-factor authentication (2FA)

Add an extra layer of security to your account in Settings → Security.

DO: Regularly rekey team files

For teams, schedule automatic rekeying every 90 days for maximum security.

DON'T: Share your recovery code

Never share your recovery code. Use team features to share files securely.

DON'T: Forget to remove ex-employees

When someone leaves, remove them from teams immediately to revoke access.