Inside Blink's encryption: AES-256-GCM, ECDH P-256, and epoch forward secrecy

2026-05-12 · Blink Engineering

We walk through our deterministic dm_v3 and group_v3 protocols, how keys are derived with HKDF-SHA256, and how seven-day key epochs provide forward secrecy.

At Blink, security isn't a setting you switch on — it's the architecture. Messages and media are encrypted on your device with AES-256-GCM, our servers store only ciphertext, and the keys never leave your control. We publish how it works because trust should be verifiable, not assumed.

We're also candid about what isn't shipped yet. Where a capability is on our roadmap — like fully end-to-end encrypted calls, camouflage apps, or Swiss data residency — we say so plainly. Private by design. Fast by default.
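The primitives named above, composed end to end in Node.js as an added example; this is not Blink's dm_v3 or group_v3 code. It assumes a fresh P-256 key pair per seven-day epoch that is deleted when the epoch ends, epochs counted from the Unix epoch, a zero HKDF salt, and a hypothetical `example-dm/epoch/N` info label, none of which the post specifies.

```javascript
// Added illustration, not Blink's protocol code. Key schedule, salt and labels are assumptions.
const crypto = require('crypto');

const EPOCH_MS = 7 * 24 * 60 * 60 * 1000; // seven-day epoch length
// Assumption: epochs are counted from the Unix epoch.
function epochIndex(ms) { return Math.floor(ms / EPOCH_MS); }

// Fresh P-256 key pair for one epoch. Forward secrecy in this sketch depends on
// deleting the private key when the epoch ends.
function newEpochKeyPair() {
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.generateKeys();
  return ecdh;
}

// ECDH shared secret -> HKDF-SHA256 -> 32-byte AES-256-GCM key bound to the epoch.
function deriveEpochKey(myEcdh, peerPublicKey, epoch) {
  const shared = myEcdh.computeSecret(peerPublicKey);
  const info = Buffer.from(`example-dm/epoch/${epoch}`); // hypothetical label
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(32), info, 32));
}

function seal(key, plaintext, epoch) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(epoch))); // authenticate the epoch number
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { epoch, iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAAD(Buffer.from(String(msg.epoch)));
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8'); // throws on bad tag
}

// Constructed demo: two parties, two consecutive epochs with independent key pairs.
function demo() {
  const e = epochIndex(Date.UTC(2026, 4, 12));
  const [a1, b1, a2, b2] = [0, 0, 0, 0].map(newEpochKeyPair);
  const k1 = deriveEpochKey(a1, b1.getPublicKey(), e);
  const k1peer = deriveEpochKey(b1, a1.getPublicKey(), e);
  const k2 = deriveEpochKey(a2, b2.getPublicKey(), e + 1);
  const msg = seal(k1, 'constructed sample message', e);
  let oldReadableWithNewKey = true;
  try { unseal(k2, msg); } catch { oldReadableWithNewKey = false; }
  return { keysAgree: k1.equals(k1peer), roundTrip: unseal(k1peer, msg), oldReadableWithNewKey };
}
```

Putting the epoch number in the HKDF info string separates keys by epoch but does not by itself give forward secrecy; in this sketch that property comes from discarding each epoch's ECDH private key.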