Securing Data with BlindBit

In an era where data privacy is paramount, I set out to build BlindBit, an advanced Django web application that demonstrates the capabilities of Symmetric Searchable Encryption (SSE). The vision behind this project was to tackle an increasingly difficult challenge: how can we securely store and search our encrypted internal files and records without exposing their plaintext content to the server?

By bridging complex cryptography concepts with a modern web framework, BlindBit allows users to upload files and securely store them without sacrificing the most crucial feature of any database: searchability.

The Core Engine: How It Works

The project is built around AES-GCM for authenticated encryption. When a file is uploaded, it is encrypted locally. To enable searching, BlindBit builds searchable encrypted indexes from HMAC-based tokens. When a search is initiated, the application queries these tokens without ever seeing the plaintext keywords, ensuring a zero-knowledge approach to keyword queries.

  • Robust Encryption: Uses cryptography libraries to encrypt data with AES-GCM and derive keys with HKDF.
  • Zero-Knowledge Search: Evaluates keyword queries without returning comprehensible text to unauthorized observers.
  • Vault Access: Implements a tightly secured 2FA-gated vault alongside optional Google OAuth for seamless identity management.
  • Secure File Sharing: Extends encrypted access via wrapped per-file sharing keys.
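The HMAC-token index and HKDF key separation described above, as an added example that is not BlindBit's own code. It uses only the Python standard library, so the AES-GCM file encryption is not shown; the function names, the `demo/...` HKDF labels, the keyword normalisation and the sample documents are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keywords(text):
    """Normalise so 'Invoice' and 'invoice,' map to the same keyword."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def token(index_key, keyword):
    """Deterministic search token: HMAC-SHA256(index_key, keyword)."""
    return hmac.new(index_key, keyword.encode(), hashlib.sha256).hexdigest()

class ServerIndex:
    """Server-side state: token -> file ids. It holds no keywords and no keys."""
    def __init__(self):
        self.postings = defaultdict(set)
    def add(self, file_id, tokens):
        for t in tokens:
            self.postings[t].add(file_id)
    def search(self, t):
        return set(self.postings.get(t, ()))

# Client side. Constructed sample data: the key, labels and documents are made up.
MASTER_KEY = bytes(range(32))  # fixed for the demo; use os.urandom(32) in practice
INDEX_KEY = hkdf_sha256(MASTER_KEY, info=b"demo/index")  # keys the HMAC tokens
FILE_KEY = hkdf_sha256(MASTER_KEY, info=b"demo/file")    # would key AES-GCM (not shown)
DOCS = {"f1": "Q3 invoice for ACME", "f2": "Incident report: phishing", "f3": "ACME contract"}

def build_demo():
    """Index every document under its keyword tokens and return the server state."""
    server = ServerIndex()
    for file_id, text in DOCS.items():
        server.add(file_id, {token(INDEX_KEY, k) for k in keywords(text)})
    return server

if __name__ == "__main__":
    server = build_demo()
    print(sorted(server.search(token(INDEX_KEY, "acme"))))  # ids of matching files
```

Because the tokens are deterministic, the server in this sketch still learns which files share a token and when the same query is repeated, even though it never sees the keyword itself.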

Diving into the Tech Stack

I built the backend on Django 5, choosing SQLite as the default database for its simplicity during development while keeping the ability to switch to more robust SQL databases at production scale.

For identity and security tooling, I integrated Django's authentication with django-allauth for the social connectors, and pyotp to drive Time-based One-Time Passwords (TOTP).

Architectural Decisions & Structure

BlindBit is modular by design. The drive/ app handles everything related to encrypted files, search parameters, and sharing logic, acting as the critical intersection between normal view models and the overarching SSE Server Bridge.

The client and server cryptography boundaries are strictly segregated in the project structure (client/ helpers vs server/ runtime configurations) to enforce an air-gapped mental model during debugging and scaling.

Security First

The emphasis on security goes deeper than the encryption layers. The application adheres to strict rotation of deployment secrets, relies heavily on environment separation, and explicitly forces obfuscated variables in production configurations.