RFC 0006: Cloud Sync (E2E Encrypted)
Summary
Optional cloud backup and multi-device sync where the server never sees plaintext. Passport remains encrypted end-to-end; user holds keys.
Motivation
Users may want the same passport on laptop + desktop without manual export/import. Cloud sync must not violate “user owns the identity” or centralize trust.
Proposed architecture (draft)
Device A Sync server Device B
│ │ │
│ upload ciphertext envelope │ │
│─────────────────────────────────►│ │
│ (passport.json encrypted) │ store blob only │
│ │◄───────────────────────────│
│ │ download ciphertext │
│ │ │
│ master key stays local │ no master key on server │
Requirements (proposed)
- Upload/download encrypted envelope only — same format as local
passport.json - Master key never uploaded
- Conflict resolution via snapshot timestamps + user merge UI (TBD)
- Optional: sync
grants.jsonseparately (plaintext metadata) - Auth: device pairing token or Sign in flow (RFC 0005 extension)
Open questions
- Provider: self-hosted vs managed
@ai-passport-core/sync - CRDT vs last-write-wins vs manual merge
- How to bootstrap second device without key transfer
- Revocation and device list management
Non-goals (draft)
- Shared team/org passports (separate RFC)
- Server-side export or AI access
Next steps
- Discussion on GitHub
- Threat model appendix
Prototype CLI:v0.1.5 prototype — file provider (local/cloud folder)ai-passport sync push/pull
Prototype usage (v0.1.5)
ai-passport sync config --target D:\Backups\ai-passport-sync
ai-passport sync push
# on second device:
ai-passport sync config --target <same cloud folder>
ai-passport sync pull --force
Master key stays on each device; only passport.json, passport.meta.json, and optional grants.json sync.