🔑 Client-Side Encryption
Encrypt data client-side before uploading it to the decentralized cloud.
Although the gateway comes with native ChaCha20 encryption to make sure files are secured in transit and at rest, it is possible to add a second encryption layer. A second layer of client-side encryption can be achieved through two different paths:

Gateway encryption

It is possible to offload client-side encryption to the gateway by passing the --encryption-key flag at startup with a custom encryption key. Please note that if you change the encryption key, you will have to remember which key you used with which file.
Once files are encrypted with one or more encryption keys, it is the user's responsibility to maintain and securely store these keys. If the keys are lost, the data cannot be decrypted.

AWS Encryption CLI

AWS offers the AWS Encryption CLI, which allows data to be encrypted client-side before it is uploaded to S3. This does, however, mean that data has to be encrypted first and then sent to the gateway for upload.

AWS SDK Client Master Keys

On the application level it is possible to add client-side encryption through the AWS SDK client master keys.

Custom client-side encryption

We highly recommend doing client-side encryption with open source encryption packages whose security and reliability can be verified, and have been verified, by the community. Doing your own encryption is always better than trusting a tool by someone else.
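The custom path, as an added example that is not from the original page or the gateway project: a file is encrypted with AES-256-GCM from Node.js's built-in crypto module before it is handed to the gateway, and the ID of the key used is stored in the object itself, so "which key went with which file" never depends on memory. The function names, key IDs, blob layout and choice of cipher are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

const NONCE_LEN = 12; // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt before upload. Output: len(keyId) | keyId | nonce | tag | ciphertext.
// The key-ID header is authenticated as associated data, so it cannot be altered.
function seal(keyId, key, plaintext) {
  const id = Buffer.from(keyId, 'utf8');
  if (id.length < 1 || id.length > 255) throw new Error('key ID must be 1-255 bytes');
  const header = Buffer.concat([Buffer.from([id.length]), id]);
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh random nonce per object
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(header);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([header, nonce, cipher.getAuthTag(), body]);
}

// Decrypt after download. The key is selected by the ID stored in the object itself.
function open(keyRing, blob) {
  const hdrLen = blob.length ? 1 + blob[0] : 0;
  if (!hdrLen || blob.length < hdrLen + NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const keyId = blob.subarray(1, hdrLen).toString('utf8');
  const key = keyRing.get(keyId);
  if (!key) throw new Error(`key "${keyId}" is not in the key ring; object cannot be decrypted`);
  const nonceEnd = hdrLen + NONCE_LEN;
  const tagEnd = nonceEnd + TAG_LEN;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(hdrLen, nonceEnd),
    { authTagLength: TAG_LEN });
  decipher.setAAD(blob.subarray(0, hdrLen));
  decipher.setAuthTag(blob.subarray(nonceEnd, tagEnd));
  // final() throws if the header, tag or ciphertext was modified
  return Buffer.concat([decipher.update(blob.subarray(tagEnd)), decipher.final()]);
}

// Constructed sample: two keys in the ring, one object sealed under the second key.
const demoRing = new Map([['key-a', crypto.randomBytes(32)], ['key-b', crypto.randomBytes(32)]]);
const demoBlob = seal('key-b', demoRing.get('key-b'), Buffer.from('constructed sample file'));
console.log(open(demoRing, demoBlob).toString());
```

The buffer returned by seal is what gets uploaded through the gateway. The key ring itself still has to be stored and backed up securely, since an object whose key ID is no longer in the ring cannot be recovered.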