Company keys are generated once and stored in keys/.

Private key stays hidden; public key is used for encryption.

Customer selects any file type (.txt, .pdf, .jpg, .docx, etc.) and uploads.

File is encrypted using AES-GCM, AES key wrapped with RSA public key.

Signature created using company private key.

Encrypted file saved in storage/ with UUID filename.

Company selects encrypted file, private key (for decryption), and public key (for signature verification).

File decrypted; original extension restored.

Decrypted file saved in storage/.

Audit log updated with timestamp, hashes, signature status, and keys used.

storage/audit_log.csv tracks every operation, providing a demo-level realistic audit trail.