Architecture

This page outlines enVector’s high-level architecture, its core components, and the data flow for encrypted indexing and search.

Components

  • Application (Client + SDK):

    • Generates/holds keys; never shares secret keys with the service

    • Encrypts vectors and queries; decrypts scores and metadata

    • Manages local index config (dimension, presets, query/index encryption)

  • API Gateway:

    • Public API endpoint (gRPC/HTTP), authn/authz, request validation

    • Routes calls to the appropriate plane; applies rate limits and observability

  • Data Plane:

    • Runs encrypted compute (e.g., inner‑product scoring) on uploaded ciphertext

    • Batches and schedules work; streams data to/from storage as needed

    • Stateless by design; does not require or persist client secret keys

  • Index Plane:

    • Owns index lifecycle: create → load → unload → drop

    • Builds and maintains encrypted index artifacts used for fast lookup

    • Persists and retrieves artifacts from storage; exposes index‑level stats/health

  • Object Storage:

    • S3‑compatible storage for encrypted payloads (items, blobs, artifacts)

    • No plaintext vectors or secret keys are stored by the service

  • Encrypted Index (at rest):

    • The persisted, encrypted representation of each index (separate from raw item blobs)

    • Produced and maintained by the Index Plane; read by the Data Plane for scoring

System Overview

Key points:

  • The server never requires client secret keys. It only receives the keys and parameters needed for encrypted evaluation.

  • Index data is stored encrypted at rest; query processing can be done with plaintext or ciphertext queries depending on privacy needs.

  • All similarity computations (e.g., inner product) execute on encrypted data.

Notes:

  • Index encryption is always enabled; indexes are never stored in cleartext.

  • Queries may be sent in plaintext or ciphertext. Choose ciphertext for maximum privacy.
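The trust boundary in the key points above, for the plaintext-query mode only, as an added example that is not enVector or SDK code. The page does not name the encryption scheme, so toy Paillier is substituted here as an assumption, and all function names are hypothetical.

```python
import math
import secrets

# Toy Paillier (additively homomorphic), a stand-in for the unnamed scheme.
# Two Mersenne primes keep the demo offline; this key size gives no security.
P, Q = 2**31 - 1, 2**61 - 1

def keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return n, (phi, pow(phi, -1, n))   # public n; secret (phi, mu) stays client-side

def encrypt(n, m):
    while True:                        # fresh randomness per ciphertext
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, sk, c):
    phi, mu = sk
    m = (pow(c, phi, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m  # map residues back to signed integers

def client_encrypt_vector(n, vec):
    """Client side: encrypt each coordinate before upload."""
    return [encrypt(n, x) for x in vec]

def server_score(n, enc_vec, query):
    """Service side: inner product from public n and ciphertexts only."""
    n2, acc = n * n, 1                 # 1 is a trivial encryption of 0
    for c, q in zip(enc_vec, query):
        acc = acc * pow(c, q % n, n2) % n2   # Enc(x)^q -> Enc(q*x); product adds
    return acc                         # still ciphertext; the service cannot read it

def demo():
    n, sk = keygen()
    items = [[3, -1, 4, 2], [0, 5, -2, 1]]   # constructed sample vectors
    query = [2, 1, -1, 3]                    # constructed plaintext query
    stored = [client_encrypt_vector(n, v) for v in items]   # what the service holds
    enc_scores = [server_score(n, ev, query) for ev in stored]
    return [decrypt(n, sk, s) for s in enc_scores]          # client decrypts scores

if __name__ == "__main__":
    print(demo())
```

`server_score` takes no secret key, and the query here is visible to the service; hiding the query as well corresponds to the ciphertext-query mode, which this additive-only sketch does not cover.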
