Proton LLM: Lumo security model (proton.me)

Proton announced Lumo, a privacy-first AI assistant that combines practical encryption techniques to protect conversations without the severe latency of fully homomorphic encryption. Rather than attempting impractically slow client-side model computation, Lumo secures the channel between the user and the LLM (called user-to-Lumo or U2L) using a static PGP public key for the LLM, a per-request AES symmetric key, and AEAD-authenticated Request IDs. The flow: the client encrypts the message with AES, encrypts that AES key with the LLM’s PGP key, sends the bundle over TLS to Proton, and internal systems forward opaque payloads until the LLM decrypts the AES key, processes the cleartext request (streaming tokens), encrypts the streamed response with the same AES key, and then forgets the request—so intermediaries can’t read payloads and only the LLM processes the cleartext during generation. For long-term storage, Lumo uses Proton’s zero-access model: conversation content is encrypted with Conversation Keys, those keys are wrapped by a symmetric Master Key, and the Master Key is encrypted with the user’s PGP keypair unlocked by their password. Browser cache uses the same scheme. The result is a pragmatic privacy trade-off—strong mitigation against server-side access and leaks and robust client-side, at-rest protection—while acknowledging the LLM must see plaintext to respond, avoiding the current impracticality of homomorphic approaches.