Owning Your Encryption Keys
The first step to data ownership is encryption. But that’s only a half-step, really. Lots of systems offer encryption. You’ll see “end-to-end encryption” advertised on the websites of most of the apps you use. In many cases, that simply means the application is using TLS encryption. In some cases, it means the application is encrypting the data with encryption keys they manage. In almost no cases does it mean that you, the user, gets to encrypt the data with keys that only you have access to.
With the January 3rd Bitcoin Proof of Keys event, it seemed like the perfect time to talk about how Graphite empowers users by giving them true ownership over their data by giving them ownership over their encryption keys. For those of you unfamiliar with this Proof of Keys movement, it’s simply a proposal that all holders of bitcoin transfer their coins out of wallets and exchanges in which they do not own their private keys. Coinbase and many of the convenient bitcoin storage solutions manage your keys for you, which, as the Proof of Keys movement suggests, means you do not actually own your bitcoin. If someone else has access to the key, they own it as much as you.
The same is true of your encryption keys. If you do not own the keys being used to encrypt your data, you do not own the data.
In Graphite, your encryption key is generated the first time you sign into the app. That key is a derivative of your Blockstack ID master private key. The awesome thing about this system is that your master private key is never exposed. If an attacker somehow managed to get your Graphite private key, they would have access to your Graphite data, but nothing else. This makes security a little more simple for users since it provides segmented, private compartments for data.
When you own your encryption keys, you can literally store your data anywhere safely. Could the storage provider shut down? Sure. That’s where data replication comes in, but replication is a protection against an inability to access your data. It’s not a protection against snooping or data breaches. Encryption protects you against those two things. So, again, if you own your encryption keys, you can store your data anywhere and that data will be safe. Dropbox can’t snoop on your data. Amazon can’t hand anything of use over to governments. Someone crawling IPFS nodes can’t stumble across your most private data.
At Graphite, we are solving for both consumer-level secure productivity as well as enterprise-level secure productivity. One of the common threads in enterprise security is the offer of encryption without the offer of users owning and maintaining their encryption keys. This is madness. If you’re an individual or a business, you should be demanding sole ownership over your encryption keys. Otherwise, it’s the same as giving someone off the street the keys to your house knowing that you will have to ask that person for access to your own home every time you come home.
If you’re participating in the Proof of Keys event, we encourage you to extend this to your encryption keys. Graphite is a good place to start. If you don’t know what the hell bitcoin is, what this whole Proof of Keys craziness is, or generally don’t know much about encryption, we still encourage you to start by demanding ownership of your encryption keys. We can help.
Because remember, the first step to true data ownership is encryption key ownership.
