XEMS Architecture

The XyPriss Encrypted Memory Store (XEMS) is built on a "Moving Target Defense" philosophy, prioritizing isolation, automation, and cryptographic binding to secure sensitive session data.

Sidecar Process Model

XEMS operates as a standalone sidecar binary. This ensures a strict boundary between the application logic and the storage engine, protecting data from Node.js-level vulnerabilities.

[Diagram: Native Sidecar, "XEMS Architecture". Components: Node.js (App) running the Application Logic, the XHSC Bridge, the XEMS Sidecar (Isolated Go Process), and the Encrypted Vault (AES-256-GCM Storage).]

Isolation

Data never touches the Node.js memory heap.

Security

Encryption is tied to the physical machine HWID.

Security & Encryption

AES-256-GCM

All persistent data is encrypted with AES-256-GCM, an AEAD mode, so the stored vault is protected for both confidentiality and authenticity: a vault file that has been modified on disk fails to decrypt rather than yielding corrupted data.

Hardware-Bound Entropy

Encryption keys are derived using physical HWID, preventing vault decryption if files are moved to another machine.
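The two properties above, AEAD protection of the vault and binding the key to the machine, are illustrated by the following added Go example. It is not XEMS's own code: the HWID string, the salt, the HMAC-SHA256 key derivation and the vault layout (nonce followed by ciphertext and tag) are all assumptions made for the illustration, and it shows both failure modes a defender cares about, a vault copied to another machine and a vault tampered with on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveVaultKey binds a 256-bit key to the machine identity (HWID).
// Assumption: XEMS's real KDF is not documented here; this is an
// HMAC-SHA256 extract/expand step in the style of HKDF.
func deriveVaultKey(hwid, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(hwid)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("xems-vault-key\x01")) // label + counter
	return expand.Sum(nil)                    // 32 bytes -> AES-256
}

// sealVault returns nonce || ciphertext || GCM tag. aad is authenticated
// but stored in clear (e.g. a vault format version).
func sealVault(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openVault rejects a vault whose key (HWID) or bytes do not match.
func openVault(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("vault too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func main() {
	salt, aad := []byte("constructed-salt"), []byte("xems-vault-v1")
	keyA := deriveVaultKey([]byte("constructed-hwid-A"), salt)
	sealed, _ := sealVault(keyA, []byte(`{"sid":"s1"}`), aad)
	_, err := openVault(deriveVaultKey([]byte("constructed-hwid-B"), salt), sealed, aad)
	fmt.Println("vault moved to machine B:", err)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = openVault(keyA, sealed, aad)
	fmt.Println("vault tampered on disk:", err)
}
```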

Advanced Mechanisms

Atomic Token Rotation

Supports per-request session rotation. Upon successful retrieval, the current token is invalidated and a new one is issued, narrowing the hijacking window.

Multi-Server Singleton

If multiple server instances target the same persistence path, they automatically share a single background XEMS process to eliminate file system locks and race conditions.

Automatic Retention

XEMS is strictly for transient data. All entries are subject to a hard 5-day retention limit to ensure the engine remains lean and secure.