Getting started
Installation
Install
Download the signed MSIX package and double-click to install. Windows will verify the package signature before installation. Requires Windows 11 22H2+ and the .NET 8 Desktop Runtime.
Download ntkDesktop.msix

# Alternatively, install via winget
winget install ntkDesktop
Configure
Open ntkDesktop and add a cloud provider. Enter your bucket name, region, and credentials. The sync root will appear in Windows Explorer once the provider is validated.
# Example: S3 provider configuration
provider: s3
bucket: my-encrypted-bucket
region: us-east-1
access_key: [stored in Windows Credential Manager]
dispersal: 3-of-5  # k-of-n IDA sharding
Enroll
Device enrollment generates a keypair on the local machine and registers the device with your policy server. After enrollment, ntkDesktop will request a DPoP-bound access token for each sync session.
# Enrollment flow
1. Generate device keypair (stored in DPAPI-protected store)
2. Submit CSR to enrollment endpoint
3. Receive signed device certificate
4. Fetch initial DPoP-bound access token
5. Ready — sync root active in Windows Explorer
Architecture
How it works.
Four subsystems cooperate to deliver encrypted, policy-gated sync. Each is independently documented in the security reference.
Crypto
Envelope Encryption
AES-256-GCM streaming AEAD. Per-file keys derived from device master key. 4096-byte segment alignment. Keys never leave the device.
Encryption spec
Dispersal
IDA Shard Dispersal
Rabin IDA over GF(2^8). k-of-n configurable. Each shard independently authenticated. Manifest sidecar binds shard order and key material.
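The k-of-n property described above, as an added example (not ntkDesktop's code): a minimal Rabin-style dispersal in Python. The reduction polynomial 0x11d, the evaluation points x = 1..n, the zero padding and all function names are assumptions; per-shard authentication and the manifest sidecar are left out.

```python
# Added example, not ntkDesktop's code. Assumed: polynomial 0x11d, points x = 1..n.
EXP, LOG = [0] * 510, [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _x  # doubled table avoids a modulo in mul()
    LOG[_x] = _i
    _x = (_x << 1) ^ (0x11d if _x & 0x80 else 0)

def mul(a, b):
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def dot(row, vec):
    acc = 0
    for c, v in zip(row, vec):
        acc ^= mul(c, v)  # addition in GF(2^8) is XOR
    return acc

def vrow(x, k):
    """Vandermonde row [1, x, ..., x^(k-1)] in GF(2^8), x != 0."""
    return [EXP[LOG[x] * j % 255] for j in range(k)]

def disperse(data, k, n):
    """Split data into n shards of ceil(len/k) bytes; any k rebuild it."""
    data = bytes(data) + bytes(-len(data) % k)  # zero-pad to a multiple of k
    rows = [vrow(i + 1, k) for i in range(n)]
    return [bytes(dot(r, data[o:o + k]) for o in range(0, len(data), k))
            for r in rows]

def reconstruct(parts, k, length):
    """parts maps 0-based shard index -> shard bytes; needs >= k entries."""
    if len(parts) < k:
        raise ValueError("fewer than k shards: data is unrecoverable")
    idx = sorted(parts)[:k]
    # Gauss-Jordan inversion of the k x k Vandermonde submatrix, as [A | I]
    m = [vrow(i + 1, k) + [int(r == c) for c in range(k)]
         for r, i in enumerate(idx)]
    for col in range(k):
        piv = next(r for r in range(col, k) if m[r][col])
        m[col], m[piv] = m[piv], m[col]
        s = EXP[255 - LOG[m[col][col]]]  # multiplicative inverse of the pivot
        m[col] = [mul(s, v) for v in m[col]]
        for r in range(k):
            if r != col:
                m[r] = [a ^ mul(m[r][col], b) for a, b in zip(m[r], m[col])]
    inv = [row[k:] for row in m]
    out = bytearray()
    for pos in range(len(parts[idx[0]])):
        out += bytes(dot(row, [parts[i][pos] for i in idx]) for row in inv)
    return bytes(out[:length])
```

With the `3-of-5` setting, `disperse(data, 3, 5)` returns five shards, `reconstruct` accepts any three of them keyed by shard index, and passing only two raises `ValueError`. The shard index is part of the input, which is why a manifest has to bind shard order.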
Dispersal spec
Policy
dABAC Evaluation
AND-of-OR attribute policy. Evaluated locally per file operation. Unknown attribute → deny. No server round-trip required.
Policy spec
Auth
Device Binding
DPoP-bound tokens tied to device keypair. Stolen tokens cannot be replayed from another device. JWKS rotation with background refresh.
Device binding spec
Troubleshooting