Encrypted Data Vaults for Trusted Data Access

Transmute
5 min read · Jan 15, 2020

Introduction

Data protection is an imminent challenge for modern society, as evidenced by the slew of data privacy regulations being introduced in most nations. However, data privacy means much more than audits or reports to demonstrate regulatory compliance. Threats to data security are continuously evolving to meet economic and political aims, and as such, data privacy approaches must be even more rigorous to ensure success.

Secure data storage is one critical component of data privacy. While significant work is underway to develop storage technologies that both preserve personal privacy AND are accessible for the general public to use, there is an equally crucial race among government and commercial entities to deploy storage solutions that better protect IP while enabling efficient and automated compliance.

In this post we share an emergent storage solution called “Encrypted Data Vaults” that helps meaningfully preserve data privacy and ensure trusted data access. We are proponents of doing rather than telling, so we then walk you through how to generate keys and encrypt your own data using our demo implementation. Finally, we share the next steps for interoperability and expansion of this technology.

What are Encrypted Data Vaults?

Encrypted Data Vaults (EDVs) are secure storage mechanisms that allow entities to interoperate across disparate systems and processes without IP exposure or added liability for data that is not relevant to their business or the transaction at hand.

EDVs allow users and companies to store data with their favorite cloud storage providers without fear of vendor lock-in, while also ensuring that the storage provider has no access to their data whatsoever. With an EDV, the client does their own encryption and decryption using keys associated with decentralized identifiers they manage, and as such, acts as the true controller of their data.

According to the emergent specification, EDVs are “often useful when an individual or organization wants to protect data in a way that the storage provider cannot view, analyze, aggregate, or resell the data. This approach also ensures that application data is portable and protected from storage provider data breaches.”

This idea was validated in 2018 by work Digital Bazaar pioneered when they deployed the first working implementation of an encrypted data vault [formerly referenced as a “Trade Evidence Server”] in a POC for the Department of Homeland Security and Customs and Border Protection.

Transmute’s EDV implementation is heavily inspired by these concepts, and we are grateful to the Digital Bazaar team for taking on the task of early market education which has paved the way for companies like ours.

According to Manu Sporny, Founder and CEO of Digital Bazaar, “solving the problem of secure data sharing across blockchains and entities is one feat, but driving adoption of the technology requires further iteration and standardization. We are excited to see Transmute put forth a second functioning EDV implementation which will support interoperability and drive adoption.”

Interoperability is a top priority for all of Transmute’s customer work, including our recent project with the Department of Homeland Security Silicon Valley Innovation Program and the US Customs and Border Protection Office of Trade.

EDV Application: Supply Chain Data Access

Let’s make EDVs more tangible through a quick example before showing the technology in action. Our team at Transmute is currently incorporating EDVs for the creation and sharing of verifiable trade credentials between manufacturers and federal authorities inspecting imported goods. A manufacturer can have confidence that the certificate they create for a shipment of raw materials can only be decrypted by themselves or explicitly delegated parties, such as United States Customs and Border Protection. This assurance helps the manufacturer feel more confident sharing proprietary or sensitive information. Even as their shipment is transferred through a global chain-of-custody, the associated data can move with it efficiently without threat of modification or capture by competitors.

EDV in Action: Transmute Demo

We’ve put together an EDV demo to move this conversation from concept to concrete example. Take 5 minutes to follow these instructions and see for yourself. You can also watch the video below to see our CTO, Orie Steele, walk you through the demo and provide more technical details.

Click here to play the demo video.

Step 1: Get Keys (Decentralized Identity)

In order to encrypt and decrypt data you need keys that you control. That means you need a wallet file that you can import into the system. Our EDV demo currently supports 3 DID methods: Element (did:elem), GitHub (did:github), and the test tool DID Key (did:key).

We recommend creating an Element DID to start:

  • Go to https://element-did.com/ .
  • Click “Create Wallet.”
  • Create a password.
  • Download the wallet file.
  • Import the wallet file, and unlock it with your password.
  • Click on “My DID.”
  • Click “Create DID;” this may take a few minutes.

Step 2: Set up your Encrypted Data Vault

Now that you have keys, you can import them into the Transmute Demo EDV.

  • Go to https://did-edv.web.app/
  • Click “Create” in the upper right.
  • Click “Import,” and open your downloaded wallet file.
  • Unlock the wallet file (click the three-dot drop-down in the upper right of the component).

Step 3: Create and Update Encrypted Documents

Your EDV is now ready for creating and modifying documents signed by your keys!

  • Click “Explore” to open the “Documents” section.
  • Play with modifying and saving the demo document (“AuthenticateMe CREATE” — see minute 6:20 in the demo video for examples of how to modify the JSON).
  • When your document is saved, you will see it under the documents tab.
  • If you click on that document, update it (“AuthenticateMe UPDATE”) and save, you will see that the sequence has gone from 0 to 1, representing the update.
  • Click through the configuration tab for further security detail about this EDV.

Browse our EDV Swagger API here.
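
The property Step 3 relies on, shown as an added example (not Transmute's code and not the EDV specification's wire format): the client encrypts before anything reaches the storage provider, and the document's sequence goes from 0 to 1 on update. Assumptions: one AES-256-GCM key stands in for keys tied to a DID; `sealDocument`, `openDocument` and `VaultStore` are hypothetical names; binding the id and sequence as authenticated data is this example's own design choice; the document contents are constructed sample data.

```javascript
const crypto = require('node:crypto');

// Client side: this key never leaves the client (stand-in for a key tied to the user's DID).
const clientKey = crypto.randomBytes(32);

// Encrypt a document. id and sequence are bound as AAD so the provider
// cannot swap records or present an old sequence without detection.
function sealDocument(key, id, sequence, content) {
  const iv = crypto.randomBytes(12); // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${id}:${sequence}`));
  const body = Buffer.concat([cipher.update(JSON.stringify(content), 'utf8'), cipher.final()]);
  return { id, sequence, iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ciphertext: body.toString('base64') };
}

// Decrypt and authenticate; throws if ciphertext, id or sequence were altered.
function openDocument(key, stored) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(stored.iv, 'base64'));
  decipher.setAAD(Buffer.from(`${stored.id}:${stored.sequence}`));
  decipher.setAuthTag(Buffer.from(stored.tag, 'base64'));
  const plain = Buffer.concat([decipher.update(Buffer.from(stored.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Hypothetical storage provider: holds sealed records only and
// accepts an update only when the sequence increases by exactly one.
class VaultStore {
  constructor() { this.records = new Map(); }
  put(record) {
    const current = this.records.get(record.id);
    const expected = current ? current.sequence + 1 : 0;
    if (record.sequence !== expected) throw new Error(`expected sequence ${expected}`);
    this.records.set(record.id, record);
  }
  get(id) { return this.records.get(id); }
}

function demo() {
  const store = new VaultStore();
  store.put(sealDocument(clientKey, 'doc-1', 0, { message: 'AuthenticateMe CREATE' }));
  store.put(sealDocument(clientKey, 'doc-1', 1, { message: 'AuthenticateMe UPDATE' }));
  const stored = store.get('doc-1');
  const providerView = JSON.stringify(stored); // everything the provider can read
  let rollbackDetected = false;
  try { openDocument(clientKey, { ...stored, sequence: 0 }); } // record relabelled as sequence 0
  catch { rollbackDetected = true; }
  return { sequence: stored.sequence, content: openDocument(clientKey, stored),
           leaked: providerView.includes('AuthenticateMe'), rollbackDetected };
}
```

Calling `demo()` returns the decrypted update at sequence 1, while the provider's view of the record contains no plaintext and a relabelled sequence fails authentication.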

Conclusion: Next Steps for EDVs

This demo illustrates the key technical components for using an EDV to encrypt and decrypt documents with keys managed by the user. This means a business or individual can have confidence that their data is under their control, and only they can see the decrypted form.

So where do we take this work? Transmute is currently implementing the next step in this process — encrypted, asynchronous sharing between multiple parties. In this scenario both parties have access to associated key material, and the shared document needs an object capability to only allow access to specific keys. A helpful interoperability feature here is the ability to connect to other EDV providers using the same DID, enabling communication and even transfer.

This combination of EDVs and decentralized identifiers ensures total user control over data access and modification. The result is a network-expanding approach to trusted data exchange across businesses — a critical advantage for the future of trade and data protection.

If your company needs a secure way to share data with disparate players in your ecosystem (e.g. vendors, customers and employees), or if your business is looking for ways to reduce risk with better data protections, we want to help! Contact the Transmute Team here.
