SelfDataGuard v0.1.0-beta: open-source data-at-rest protection that survives DB exfiltration.
Released today as the second pillar of MySelf, paired with SelfRecover. The same May 2026 ANTS leak (~12M accounts in plaintext) made the case for both: SelfRecover protects authentication, SelfDataGuard
protects what's stored.
How it works (one line):
Per-user data master key, never stored in plain. Wrapped twice: once by Argon2id-derived key from password, once by HMAC-SHA256-derived key from a memorized secret (shared with SelfRecover via mathematical
context separation). Personal fields encrypted field-by-field with AES-256-GCM. Dump the DB: encrypted soup.
Three operational modes:
▸ Lite (default): server unwraps the master key in memory only during user sessions.
▸ Hybrid (e-commerce): operational fields admin-readable, sensitive fields zero-knowledge.
▸ Full (high-assurance): true zero-knowledge, all crypto in browser via WebCrypto.
Honest threat model, explicitly out of scope: compromised user endpoint (keyloggers, info-stealers), browser exploits, theoretical cryptanalysis of SHA-256 / AES-256-GCM / Argon2id, weak-password
bruteforce. The lib enforces password policy at deployment time.
Run the demo locally in 10 seconds:
git clone https://github.com/Pierroons/my-self
cd my-self/self-security/selfdataguard/demo && ./run.sh
(needs PHP 8.1+ with sodium + AES-NI capable CPU)
🧪 155 sanity tests, 0 failures. Includes a "DB dump = encrypted soup" end-to-end assertion that greps the SQLite file post-write to verify no plaintext leaks.
GPG-signed tag selfdataguard-v0.1.0-beta, release dated 2026-05-08.
Live demo (no signup, ephemeral data, public reset every night at 04:00 Europe/Paris):
https://dataguard.my-self.fr
Whitepaper EN: https://github.com/Pierroons/my-self/blob/main/self-security/selfdataguard/docs/whitepaper-en.md
Whitepaper FR: https://github.com/Pierroons/my-self/blob/main/self-security/selfdataguard/docs/whitepaper-fr.md
Repo: https://github.com/Pierroons/my-self/tree/main/self-security/selfdataguard
Release: https://github.com/Pierroons/my-self/releases/tag/selfdataguard-v0.1.0-beta
Companion to SelfRecover (https://bi-self.my-self.fr/selfrecover/). Same memorized secret unlocks both, mathematically isolated via HMAC contexts (/recover vs /dataguard). One word, two purposes.
Feedback especially welcome from people who have integrated Bitwarden / 1Password / ProtonMail-style envelope encryption in app-side multi-tenant setups. AGPL-3.0-or-later, no NDA, no commercial agenda:
community cryptographic review before v1.0.0.
#opensource #infosec #AGPL #privacy #selfhosted #cryptography #encryption #zerotrust #dataprotection
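
Added example, not code from the SelfDataGuard repository: a PHP illustration of the double-wrapped master key, the HMAC context separation and the per-field AES-256-GCM encryption described under "How it works", using only the sodium extension the demo requires. The HMAC keying (secret as key, context string as message), the AAD labels, the row layout, the helper names and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not SelfDataGuard's code. Assumed: HMAC keying, AAD labels, row layout.
function seal(string $key, string $plain, string $aad): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES); // fresh 96-bit nonce per call
    return $nonce . sodium_crypto_aead_aes256gcm_encrypt($plain, $aad, $nonce, $key);
}
function unseal(string $key, string $blob, string $aad): ?string {
    $n = SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_AEAD_AES256GCM_ABYTES) return null;
    $plain = sodium_crypto_aead_aes256gcm_decrypt(substr($blob, $n), $aad, substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain; // null: wrong key, wrong AAD or tampered data
}
function kekFromPassword(string $password, string $salt): string {
    return sodium_crypto_pwhash(32, $password, $salt, SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
}
// Assumes $secret is high-entropy or stretched beforehand; HMAC alone adds no brute-force cost.
function kekFromSecret(string $secret, string $context): string {
    return hash_hmac('sha256', $context, $secret, true); // one secret, one key per context
}
function check(bool $ok, string $what): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}
if (!sodium_crypto_aead_aes256gcm_is_available()) exit("AES-256-GCM needs AES-NI\n");

// Enrolment with constructed sample values: only the salt and ciphertexts reach the row.
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$master = sodium_crypto_aead_aes256gcm_keygen();
$row = [
    'salt'        => $salt,
    'wrap_pw'     => seal(kekFromPassword('constructed passphrase', $salt), $master, 'wrap:password'),
    'wrap_secret' => seal(kekFromSecret('constructed secret', '/dataguard'), $master, 'wrap:secret'),
    'email'       => seal($master, 'alice@example.test', 'users.email:42'),
];

// Either wrap alone recovers the same master key.
$viaPw = unseal(kekFromPassword('constructed passphrase', $row['salt']), $row['wrap_pw'], 'wrap:password');
$viaSecret = unseal(kekFromSecret('constructed secret', '/dataguard'), $row['wrap_secret'], 'wrap:secret');
check($viaPw === $master && $viaSecret === $master, 'both wraps yield the master key');
// The key derived for the /recover context cannot open the /dataguard wrap.
$other = kekFromSecret('constructed secret', '/recover');
check(unseal($other, $row['wrap_secret'], 'wrap:secret') === null, 'context separation holds');
// The field decrypts in place, but not when copied to another row (AAD mismatch).
check(unseal($master, $row['email'], 'users.email:42') === 'alice@example.test', 'field round-trip');
check(unseal($master, $row['email'], 'users.email:43') === null, 'relocated ciphertext rejected');
check(!str_contains(implode('', $row), 'alice@example.test'), 'no plaintext in the stored row');
```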