# VaultX-Kernel: Cryptographic Workflow Walkthrough

VaultX-Kernel is a low-level Linux cryptographic utility written in **C** using **OpenSSL EVP APIs**.
This notebook explains the internal cryptographic flow used for secure file encryption
and decryption, focusing on **correctness**, **security primitives**, and **execution order**.

## Cryptographic Design

VaultX-Kernel uses the following primitives:

- **Key Derivation:** PBKDF2-HMAC-SHA256
- **Encryption Algorithm:** AES-256-GCM
- **Randomness Source:** OpenSSL `RAND_bytes`
- **Authentication:** GCM Authentication Tag

The design ensures:

- Password-based encryption
- Confidentiality
- Integrity
- Tamper detection

## Encryption Flow

1. Read plaintext file into memory
2. Generate random salt (16 bytes)
3. Derive 256-bit key using PBKDF2
4. Generate random nonce (12 bytes)
5. Encrypt data using AES-256-GCM
6. Extract authentication tag
7. Write output as:

```
[ salt | nonce | ciphertext | tag ]
```

## Decryption Flow

1. Read encrypted file
2. Extract salt, nonce, ciphertext, and tag
3. Re-derive encryption key using same password and salt
4. Verify authentication tag
5. Decrypt ciphertext
6. Write plaintext output
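
Step 2 of the decryption flow is where a truncated or hostile file first meets pointer arithmetic, so the split needs a length check before any offset is computed. The following is an added example, not VaultX-Kernel's own code: the `vx_*` names are hypothetical, and the 16-byte tag length is an assumption (the walkthrough states only the salt and nonce sizes).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Salt and nonce sizes come from the walkthrough; the 16-byte tag is an assumption. */
#define VX_SALT_LEN  ((size_t)16)
#define VX_NONCE_LEN ((size_t)12)
#define VX_TAG_LEN   ((size_t)16)
#define VX_OVERHEAD  (VX_SALT_LEN + VX_NONCE_LEN + VX_TAG_LEN)

/* Hypothetical view type: pointers into the caller's buffer, nothing is copied. */
typedef struct {
    const uint8_t *salt, *nonce, *ciphertext, *tag;
    size_t ciphertext_len;
} vx_view;

/* Split [ salt | nonce | ciphertext | tag ]; -1 if the input cannot hold the fixed fields. */
int vx_parse(const uint8_t *buf, size_t len, vx_view *v)
{
    if (!buf || !v || len < VX_OVERHEAD)
        return -1;                          /* also stops len - VX_OVERHEAD from wrapping */
    v->salt = buf;
    v->nonce = buf + VX_SALT_LEN;
    v->ciphertext = v->nonce + VX_NONCE_LEN;
    v->ciphertext_len = len - VX_OVERHEAD;  /* may be 0 for an empty plaintext */
    v->tag = v->ciphertext + v->ciphertext_len;
    return 0;
}

/* Assemble the layout into out; returns bytes written, or 0 if cap is too small. */
size_t vx_pack(uint8_t *out, size_t cap, const uint8_t *salt, const uint8_t *nonce,
               const uint8_t *ct, size_t ct_len, const uint8_t *tag)
{
    if (!out || ct_len > SIZE_MAX - VX_OVERHEAD || cap < ct_len + VX_OVERHEAD)
        return 0;
    memcpy(out, salt, VX_SALT_LEN);
    memcpy(out + VX_SALT_LEN, nonce, VX_NONCE_LEN);
    if (ct_len)
        memcpy(out + VX_SALT_LEN + VX_NONCE_LEN, ct, ct_len);
    memcpy(out + VX_SALT_LEN + VX_NONCE_LEN + ct_len, tag, VX_TAG_LEN);
    return ct_len + VX_OVERHEAD;
}

int main(void)
{
    uint8_t short_file[VX_OVERHEAD - 1] = {0};  /* constructed: one byte too short */
    vx_view v;
    printf("truncated input: %d\n", vx_parse(short_file, sizeof short_file, &v));
    return 0;
}
```

The parsed fields are still unauthenticated at this point; nothing derived from `ciphertext` should be written out until the tag check in step 4 has passed.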

## Security Considerations

- Incorrect password causes authentication failure
- Modified ciphertext or authentication tag causes decryption failure
- AES-GCM provides authenticated encryption
- PBKDF2 mitigates brute-force and dictionary attacks by raising the cost of each password guess

This workflow demonstrates **correct, secure, and industry-standard system-level cryptography**.