Skip to main contentThe creation of keys, encryption of documents and their decryption keys is done entirely on the client side.
The dapp uses different kinds of keys (link to source code):
- Documents: Symmetric AES-GCM secret key: used to encrypt and decrypt a document. This secret key is stored encrypted for one or several users in the user canister.
- Users:
- RSA-OAEP public key: used to encrypt the symmetric AES secret key of a document the user should have access to. The public key for each registered user is stored in the Orchestrator.
RSA-OAEP private key: used to decrypt the symmetric AES secret key of a document stored in the user canister. Once the frontend decrypts the secret key, it can use this key for decrypting the corresponding document stored in the backend. The private key never leaves the client-side and is not stored anywhere else.
For each user and for each document separate keys are being used.
In order for Alice to share Document 2 with Bob (who needs to have an II to support this functionality), the secret key of Document 2 needs to be encrypted for Bob’s public key.
This key is then added to the User Canister.
Bob’s frontend can now download the document together with the document key encrypted for Bob and decrypt it locally.
