Skip to main content
The creation of keys, encryption of documents and their decryption keys is done entirely on the client side. The dapp uses different kinds of keys (link to source code):
  • Documents: Symmetric AES-GCM secret key: used to encrypt and decrypt a document. This secret key is stored encrypted for one or several users in the user canister.
  • Users:
    • RSA-OAEP public key: used to encrypt the symmetric AES secret key of a document the user should have access to. The public key for each registered user is stored in the Orchestrator. RSA-OAEP private key: used to decrypt the symmetric AES secret key of a document stored in the user canister. Once the frontend decrypts the secret key, it can use this key for decrypting the corresponding document stored in the backend. The private key never leaves the client-side and is not stored anywhere else.
For each user and for each document separate keys are being used.
cryptography keys
In order for Alice to share Document 2 with Bob (who needs to have an II to support this functionality), the secret key of Document 2 needs to be encrypted for Bob’s public key.
cryptography keys sharing
This key is then added to the User Canister.
cryptography keys sharing in user canister
Bob’s frontend can now download the document together with the document key encrypted for Bob and decrypt it locally.
cryptography keys sharing in user canister