• Generate RSA key pairs once

• Store keys in keys/ directory

• Private key: decryption & signing

• Public key: encrypt AES key

• User selects file (PDF, DOCX, JPG, etc.)

• Generate random AES-GCM key

• Encrypt file with AES key

• Encrypt AES key with RSA public key

• Create SHA-256 hash & sign with RSA private key

• Save encrypted package in storage/ with UUID

• Select encrypted file

• Decrypt AES key with RSA private key

• Decrypt file with AES-GCM

• Verify signature with RSA public key

• Save decrypted file in storage/

• Log every operation (encrypt/decrypt)

• Details: timestamp, filename, UUID, hashes

• Signature verification result

• Keys used

• Stored in storage/audit_log.csv