Can’t, Not Won’t
We wanted to give a new user working AI chat the moment they install LastDB — no provider to choose, no API key to paste. The obvious way to do that is to run a server in the middle that reads your messages and forwards them to a model. We could have shipped it in a day. We threw it away, because it would have made our one promise a lie.
The promise is the whole product: your data is yours, and we never see it. A local-first database earns that by keeping everything on your machine. But the moment you want a hosted model to answer a question, something has to carry your words to Anthropic and bring the answer back. The naive version of that errand reads everything it carries. This is the story of how we built the version that can’t.
The easy answer, and why we threw it away
Key-less hosted chat is the single biggest thing that lowers the bar to getting started. Most people will never paste an API key; asking them to is where onboarding goes to die. So we hold the provider key, and the user just talks. Simple.
The simplest way to wire that up is a plain proxy: your device sends plaintext to a server we run, the server holds our Anthropic key, it calls the model, it sends the answer back. It works. It is also a machine, operated by us, that sees both who you are and every word you type — the exact thing a local-first product exists to avoid.
You don’t get to advertise “we never see your data” and then build the one box that sees all of it. So we didn’t.
“We won’t” is not “we can’t”
Our first real design fixed the worst half. Borrowing the idea behind Oblivious HTTP, we split the connection so a blind relay forwards your encrypted traffic without ever seeing the plaintext, and strips your identity before passing it on. The relay learns who; it never learns what. Genuinely better.
But be honest about what it rested on. The part that finally read your message still had to be a service we deploy — and “we promise that service is isolated and well-behaved” is an organizational guarantee, not a cryptographic one. We could, in principle, stand up that same box in a way that peeked. A privacy claim that depends on our good behavior isn’t a promise. It’s a hope. That gap — between we won’t and we can’t — is the whole reason for everything that follows.
Two parties, neither sees both
The fix is to keep the blind relay and make the part that reads your words into something we are physically unable to read. Two controls, composed. The relay knows who, not what. The thing that decrypts your message knows what, not who. No single party ever holds both halves, so no single party — us included — can join your name to your conversation.
The relay is unremarkable plumbing. The interesting half is the box on the right: a thing we operate but cannot open.
A box we run but cannot open
That box is an AWS Nitro Enclave — a slice of a server walled off by the hardware itself, below the level of any operating system we control. From the machine we operate, there is no shell into it, no debugger, no way to dump its memory, no disk to read. Its only contact with the outside world is one narrow pipe, and even the bytes going through that pipe are encrypted end to end. We run the host. We cannot look inside the room.
“Trust us, the box is sealed” would just be the old promise wearing a costume — so your device doesn’t take our word for it. Before it sends a single character, it demands a cryptographic proof, signed by AWS, that the thing on the other end is a real enclave running exactly the code we published, unmodified. This is called attestation. If the proof doesn’t match — a tampered build, a different program, anything off by a byte — your device sends nothing. The same proof gates the Anthropic key: even a maliciously modified enclave can’t obtain the credential to call the model. Wrong proof, no key, no conversation.
So the chain is: your device encrypts your message to a key that only lives inside the verified enclave, hands the sealed bytes to the blind relay, the relay strips your identity and forwards them, and the enclave — the one place that can — opens them, talks to the model, and seals the answer back the same way. At no point does any machine we operate see plaintext attached to a name.
The honest part
We’re not going to dress this up as magic. A real claim names what it still asks you to trust:
- You trust the hardware. The guarantee rests on AWS’s isolation and its attestation signing. That’s a far smaller, more auditable trust base than “trust EdgeVector” — but it isn’t zero.
- You trust that the published code is the running code. Which is why the enclave build is reproducible: anyone can rebuild it from source and confirm the fingerprint your device checks. Without that, the proof would just be us promising again.
- Anthropic still reads your words. By construction — a model has to see a question to answer it. What it never sees is who you are. The enclave is about us and the wires, never about the model.
We’d rather state that residual trust plainly than overclaim. The honesty is half the feature; the cryptography is the other half.
How it’s getting built
We don’t flip something like this on for real conversations on the strength of a design doc. It’s coming up one provable stage at a time, each on a throwaway development environment, each proving a single property before the next is allowed to start:
- The attestation handshake — your device verifies a real enclave’s proof, and rejects a tampered one.
- Key handling that lives and dies inside the enclave, where the host can never fish it out.
- A full round-trip to Anthropic and back, blind end to end.
- A reproducible build, so the fingerprint your device trusts is one a stranger can reproduce.
And the tests that matter are the negative ones: tamper with the box and the client must refuse; kill the box and chat must fail closed — never, ever quietly fall back to sending plaintext. Only once the whole chain is proven blind does it go anywhere near a real message. The cheap version was one day of work. The version we’re actually shipping is months — because “we can’t read it” is the only version of the promise that still holds when we’re the ones who built the machine.
Part of making LastDB a place your data is actually yours — built in the open, the same way we build everything else.