I’m designing an app for confidential disclosure and I wonder am I on the right track.
The draft flow is below. Design goal is to require a piece of information (passkey or (?) entire private key) that is not stored on the server, neither vault nor database. One constraint is that the range of participants need to be expandable without decoding the note, hence encryption of the key with public keys.
My question: does that look right, what do I miss?
This n00b needs advice 
The diagram doesn’t really make sense. I think you have arrows missing, and connecting the incorrect parties. Maybe try explaining in words instead what you’re trying to do, instead.
Hi @maxb, thx for replying. OK, let me try prose then…
The whole system will be referred to as “the service”
Bob wants to use “the service” to share confidential information (the note) with Alice if she agrees. Initially both don’t have any encryption keys. Eventually Bob or Alice want to further share the note with more members.
Bob requests the creation of a public/private key pair. He supplies a passphrase, so the private key needs input to be used. The key pair, but not the passphrase is persisted by the service.
Bob creates a note and requests the note to be encrypted with a new symmetric key. He then requests that key to be encrypted with his public key and persisted, so only his private key can decrypt the symmetric key.
Bob then sends “invitations” to Alice (and potentially many others).
Alice accepts and asks the service to generate her public/private key protected with a passphrase.
On receiving the acceptance Bob requests the symmetric key to be decrypted, providing his passphrase to unlock his private key.
He then requests the symmetric key to be re-encrypted with all public key of the respondents (in our case just Alice) and himself and to be persisted. The symmetric key now can be decrypted with any of the private keys. (The mechanism is similar to email encryption).
Alice then requests from the service to decrypt the symmetric key supplying her passphrase and then to decrypt the note.
Using this flow an attacker (including a rogue admin or a subpoena) would need to guess the passphrases to retrieve the note.
What I’m struggling with is: what can and should, and what can’t or shouldn’t Vault provide in this flow
