Confidential AI

DeepJournal’s AI features are designed so that your journal remains private even while using advanced language models. Your data stays encrypted on your device, travels encrypted through all servers, and is only decrypted inside a verified secure enclave that runs the AI model.

To achieve this, DeepJournal uses Tinfoil, a system based on Trusted Execution Environments and the Encrypted HTTP Body Protocol (EHBP).

These technologies ensure that no one, including DeepJournal, cloud providers, or Tinfoil itself, can read your prompts or AI outputs.


1. What Are Secure Enclaves and TEEs

A Trusted Execution Environment (TEE) is a hardware-protected part of a CPU or GPU.

It acts as a separate computer inside the machine and provides:

  • Isolated memory that the operating system cannot read
  • Hardware-enforced encryption of all internal data
  • Protected execution where only the code inside the enclave can access your data
  • Cryptographic attestation that proves the enclave is genuine and running approved code

This system allows sensitive computations to run privately even on untrusted servers.


2. How Tinfoil Uses Secure Enclaves For AI

Tinfoil deploys AI models inside TEEs on special GPU hardware. Inside the enclave:

  • All memory is encrypted by the hardware
  • Only the model code running inside the enclave can see your decrypted prompt
  • Tinfoil employees, cloud providers, and system administrators cannot access your data
  • The enclave provides an attestation report containing a cryptographic proof of its identity and the exact code it is running

DeepJournal verifies this attestation before sending any encrypted request.

Your device never sends data to an enclave unless it is verified as safe and unmodified.


3. How EHBP Protects Your AI Requests

The Encrypted HTTP Body Protocol encrypts request bodies and response bodies from your device to the enclave.

HTTP headers stay unencrypted so servers can route your request, but the actual content remains completely unreadable outside the enclave.

EHBP uses Hybrid Public Key Encryption (HPKE): your device and the enclave exchange public keys and use them to derive shared encryption keys for the session.

Key generation and distribution

  1. The enclave creates its own public and private key pair.
  2. The enclave publishes its public key at the path "/.well-known/hpke-keys".
  3. DeepJournal verifies the attestation and retrieves the enclave public key.
  4. Your device generates its own ephemeral HPKE key pair.
  5. Using these two public keys, both sides derive a shared encryption context that only your device and the enclave know.
  6. Your device encrypts your AI prompt with this shared context.
  7. The enclave encrypts its response using the same shared context.

Private keys never leave their respective devices.


4. How EHBP Encrypts Requests

When you send an AI request:

  1. Your device fetches the enclave public key.
  2. Your device creates an ephemeral key pair.
  3. Your device derives an encryption context using HPKE.
  4. The body of your request is encrypted in chunks.
  5. The encrypted chunks are sent along with two headers:
       • Ehbp-Client-Public-Key
       • Ehbp-Encapsulated-Key
  6. Only the enclave can use these headers to recreate the encryption context and decrypt your request.

The proxy server that handles authentication and routing can see your HTTP headers, but cannot decrypt the request body.
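The request-side steps above, as an added sketch that is not DeepJournal's or Tinfoil's code and is not wire-compatible with EHBP: it shows why a party holding only the headers and the encrypted chunks can neither read nor silently alter the body. Assumptions made for the example: X25519, a single HKDF-SHA256 call in place of the full HPKE key schedule, AES-256-GCM, index-based chunk nonces, and every function name.

```javascript
const { generateKeyPairSync, createPublicKey, diffieHellman, hkdfSync,
        createCipheriv, createDecipheriv } = require("node:crypto");

// Simplified key schedule: X25519 shared secret -> HKDF-SHA256 -> AES-256-GCM key.
// RFC 9180 HPKE uses a labeled key schedule; the info string here is made up.
function deriveKey(privateKey, publicKey, enc) {
  const shared = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync("sha256", shared, enc, "ehbp-demo request", 32));
}

// 96-bit nonce carrying the chunk index, so reordered chunks fail authentication.
function chunkNonce(i) {
  const n = Buffer.alloc(12);
  n.writeUInt32BE(i, 8);
  return n;
}

// Client side: a fresh ephemeral key per request; its public half is the
// encapsulated key that travels in a header next to the sealed chunks.
function sealRequest(enclavePublicKey, chunks) {
  const eph = generateKeyPairSync("x25519");
  const enc = eph.publicKey.export({ type: "spki", format: "der" });
  const key = deriveKey(eph.privateKey, enclavePublicKey, enc);
  const sealed = chunks.map((chunk, i) => {
    const c = createCipheriv("aes-256-gcm", key, chunkNonce(i));
    return Buffer.concat([c.update(chunk), c.final(), c.getAuthTag()]);
  });
  return { enc, sealed };
}

// Enclave side: rebuild the key from enc and the enclave private key, then open
// the chunks in order. final() throws if a chunk was altered or moved.
function openRequest(enclavePrivateKey, enc, sealed) {
  const ephPublic = createPublicKey({ key: enc, type: "spki", format: "der" });
  const key = deriveKey(enclavePrivateKey, ephPublic, enc);
  return Buffer.concat(sealed.map((blob, i) => {
    const d = createDecipheriv("aes-256-gcm", key, chunkNonce(i));
    d.setAuthTag(blob.subarray(blob.length - 16));
    return Buffer.concat([d.update(blob.subarray(0, blob.length - 16)), d.final()]);
  }));
}

// Constructed sample: a two-chunk prompt sealed to a locally generated "enclave" key.
function demo() {
  const enclave = generateKeyPairSync("x25519");
  const { enc, sealed } = sealRequest(enclave.publicKey, [Buffer.from("Summarise "), Buffer.from("my week")]);
  return openRequest(enclave.privateKey, enc, sealed).toString();
}
console.log(demo());
```

The response direction described in the next section is the same exchange with the roles swapped, sealed toward the client's ephemeral public key.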


5. How EHBP Encrypts Responses

When the enclave responds:

  1. The enclave reads the client public key from the request header.
  2. The enclave derives a response encryption context using HPKE.
  3. The enclave encrypts the response in chunks.
  4. The enclave returns the encrypted chunks along with the Ehbp-Encapsulated-Key header.
  5. Your device uses its own ephemeral private key to decrypt the response.

Only your device can read the AI output.


6. Why This Maintains End To End Encryption

The full flow looks like this:

  1. Client encrypts the request using the enclave public key.
  2. Proxy server forwards the encrypted body and cannot read it.
  3. Enclave decrypts the body inside a hardware-isolated environment.
  4. Enclave encrypts its response.
  5. Proxy server forwards the encrypted response and cannot read it.
  6. Client decrypts the answer locally.

At every step outside the enclave, your data is encrypted using keys that only the enclave and your device hold.

Your journal content and AI prompts never appear in plaintext anywhere else.