Skip to main content
stores

Encryption

Encryption in Stores

Each file is protected by a synchronous key, which is further secured using an asynchronous pair of public and private user keys. This dual-layer encryption ensures that the system remains both safe and efficient.

Encryption Scenario

Only an end user can create a Store, by providing a set of public keys for the users who should have access to the Store.

A symmetric key for the Store (Store Encryption Key) is then generated by the Store author/owner and securely stored on the server, encrypted using public keys of users assigned to the Store. This ensures that only the authorized users have access to the Store's Encryption Key. Unencrypted keys never leave user Endpoints.

When accessing a Store, the encrypted Store Encryption Key is sent to each user based on their assignment to the Store. Only the users with proper Private Keys can decrypt Store Encryption Key. Using the decrypted key, messages are encrypted and signed with the users’ Private Keys before being sent to the Bridge.

This process is handled by PrivMX Endpoint Library and is completely seamless for Endpoint users.

Here's a visual reference for encryption in Stores:

privmx stores encryption