Record Encryption

We implement robust record encryption to ensure the highest level of data security.

Overview

Layer4's record encryption feature is designed to protect sensitive data on-chain. You can encrypt and decrypt your records from both within the web application and through the public API.

Key Features

  • Available in both web app and public API
  • Simple toggle switch in the web app
  • Easy implementation in API with a single boolean property
  • Encryption covers both record data payload and associated files
  • Encrypted files stored securely on IPFS
  • Granular access control for decryption

How It Works

Encryption Process

  1. Web App: Users can enable encryption by toggling a switch when creating a record entry.
  2. API: Developers can encrypt records by adding an encrypt: true property to their request.
  3. File Handling: Encrypted files are stored on IPFS and can be referenced in the data payload using {{fileHash}} or {{fileUri}}.

Decryption Access

  • API: Requires an API key with the DECRYPT scope assigned.
  • Web App: Users need to be bucket admins or have specific roles ("user with decryption" or "viewer with decryption").

Technical Implementation

Layer4 uses a technique called envelope encryption:

  1. Each bucket has an associated symmetric key called a DEK (Data Encryption Key).
  2. The DEK is used to encrypt the actual data.
  3. The DEK itself is encrypted and stored within a KMS (Key Management Service).
  4. A unique 128-bit IV (Initialization Vector) and an authentication tag are generated for each encryption operation.

Benefits of this approach:

  • Improved performance due to symmetric key usage
  • Transferability, allowing customers to receive their symmetric key if they choose to leave Layer4

Encryption Algorithm

Layer4 employs the AES-256-GCM algorithm:

  • AES (Advanced Encryption Standard) is a widely trusted symmetric encryption algorithm.
  • 256-bit key size provides robust security for sensitive information.
  • GCM (Galois/Counter Mode) offers:
    • Built-in authentication
    • Parallelization capabilities
    • High performance
    • Suitability for large files

Encrypted Record Structure

When a record is encrypted, it is stored in a deterministic format containing:

  • encryptedData
  • encryptedDek
  • iv (Initialization Vector)
  • authTag (Authentication Tag)
  • files array (optional, for uploaded files)

Each object in the files array includes:

  • encryptedDek
  • iv
  • authTag
  • hash (CID - Content Identifier)

The 128-bit authTag is used to verify the integrity of the encrypted data and to confirm that it has not been tampered with.

Example of an Encrypted Record

{
  "encryptedData": "IAI2w8MDwCygGY6wYS+T7aGM1vmc37uozFZ01ne1aSZwVghZyKzq+v0xwC1LZl7eNvWZwz1RhR8I/0DlYnIUi713LkfTDOGWJ7vnOJQJ8Y02x5T7UCY/WfU/Ig==",
  "encryptedDek": "fbac198dedca67bc49ff2d3bd7f4397d80e582a9d02ceb33166fef74ad6e7070a318a06d8bfcd1a247582a3852092f1b",
  "iv": "PZt1mVK2zScVJCieP1lgIQ==",
  "authTag": "c4e+JP0nGg2eiJhBG7i7Fw==",
  "files": [
    {
      "iv": "gshGqhIEuhGjJR9wMD4xIg==",
      "authTag": "zsYLc/Mgwk3aIc9LSKo8ZQ==",
      "encryptedDek": "fbac198dedca67bc49ff2d3bd7f4397d80e582a9d02ceb33166fef74ad6e7070a318a06d8bfcd1a247582a3852092f1b",
      "hash": "bafybeiddbyj4pxhj5n4nfhcch7w4ivzcnyhncv2v5xv3q4quppswrnivvm"
    }
  ]
}
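
The envelope scheme and record layout described above, as an added Node.js example (not Layer4's own code). Assumptions: a local 256-bit KEK stands in for the KMS, and the function names and the wrapped-DEK layout (IV, tag, ciphertext, hex-encoded) are hypothetical; the 128-bit IV, 128-bit tag and field names follow the page.

```javascript
// Added example: envelope encryption producing the record fields listed on this page.
// Assumption: a local KEK replaces the KMS call; the wrapped-DEK layout is illustrative only.
const crypto = require('node:crypto');

const ALG = 'aes-256-gcm';
const IV_LEN = 16;  // 128-bit IV, as the page states
const TAG_LEN = 16; // 128-bit authentication tag

function gcmSeal(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV for every operation
  const c = crypto.createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmOpen(key, iv, ct, tag) {
  if (iv.length !== IV_LEN || tag.length !== TAG_LEN) throw new Error('bad iv/authTag length');
  const d = crypto.createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws if the tag does not verify
}

// Wrap the bucket DEK under the KEK (stand-in for the KMS): iv || tag || ciphertext, as hex.
function wrapDek(kek, dek) {
  const { iv, ct, tag } = gcmSeal(kek, dek);
  return Buffer.concat([iv, tag, ct]).toString('hex');
}

function unwrapDek(kek, hex) {
  const b = Buffer.from(hex, 'hex');
  return gcmOpen(kek, b.subarray(0, IV_LEN), b.subarray(IV_LEN + TAG_LEN), b.subarray(IV_LEN, IV_LEN + TAG_LEN));
}

function encryptRecord(kek, dek, payload) {
  const { iv, ct, tag } = gcmSeal(dek, Buffer.from(JSON.stringify(payload), 'utf8'));
  return {
    encryptedData: ct.toString('base64'),
    encryptedDek: wrapDek(kek, dek),
    iv: iv.toString('base64'),
    authTag: tag.toString('base64'),
  };
}

function decryptRecord(kek, rec) {
  const dek = unwrapDek(kek, rec.encryptedDek);
  const b64 = (s) => Buffer.from(s, 'base64');
  return JSON.parse(gcmOpen(dek, b64(rec.iv), b64(rec.encryptedData), b64(rec.authTag)).toString('utf8'));
}
```

Because one DEK serves every record in a bucket, the per-operation IV must never repeat under that key; a modified `encryptedData`, `iv` or `authTag` makes `decryptRecord` throw instead of returning altered plaintext.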

Security Importance

Layer4's record encryption system is designed with security as a top priority:

  1. Data Protection: Ensures that sensitive information remains confidential, even if unauthorized access occurs at the storage level.
  2. Granular Access Control: Limits decryption capabilities to authorized users and API keys, reducing the risk of data breaches.
  3. Strong Encryption Standards: Utilizes industry-standard encryption algorithms to protect against potential attacks.
  4. Secure File Storage: Encrypts files before storing them on IPFS, ensuring that sensitive documents remain protected.
  5. Flexible Implementation: Allows easy integration of encryption in both the web app and API, encouraging widespread use of this security feature.
  6. Compliance: Helps organizations meet various data protection regulations and standards by implementing strong encryption practices.

We are committed to protecting user data and maintaining the highest standards of security in blockchain integration platforms.