IQryptVault lets you manage your encryption keys: with it you can store, share and rotate encryption keys securely. You manage the Vault with the IQryptVaultCLI application (found inside the SDK package on the IQrypt website). Every operation on the Vault is performed on the client side, so all encryption and decryption takes place on the client and the Vault storage never sees a key or password in the clear.

Below you can find information about how IQryptVault works. First, the terms:

Terms

  • MasterKey - a password-based key that is set once, when you create the Vault. Do not lose the MasterKey: there is no way to retrieve it, and every KeyValue stored in the Vault is encrypted under it.
  • KeyName - the name of an encryption key. A key is uniquely identified by its KeyName.
  • KeyValue - a string value from which the actual encryption key is generated.
  • Username - must be a Parse/Firebase username.
  • UserPassword - the password the administrator sets for a user when assigning a key to them (see Assign Key); it is used to encrypt the KeyValue for that user.

When you create the Vault, the first step is to set the MasterKey. Once the MasterKey is set you can:

  • create/read/delete Keys
  • assign a key to a user, read the assignment, or revoke it.

Create Key

When you create a new Key using IQryptVaultCLI, the KeyValue is encrypted with the MasterKey (which resides only in the memory of IQryptVaultCLI) and is then stored as a new Key record in the Vault: {KeyName, KeyDescription, KeyValue}. Only the KeyValue is encrypted; keys are looked up by KeyName, so do not put anything secret in the name or the description.

Assign Key

When you assign a key to a user, the administrator sets a password for that assignment; this password is then used to encrypt the KeyValue for that user. Multiple users can share the same Key, each with a different password.

Steps:

  1. IQryptVaultCLI fetches the Key record and decrypts the KeyValue in memory with the MasterKey.
  2. IQryptVaultCLI encrypts the KeyValue decrypted in the previous step with the given password.
  3. IQryptVaultCLI encrypts the password with the MasterKey.
  4. IQryptVaultCLI stores the new record in the Vault storage: {KeyName, Username, KeyValue, Password}, with KeyValue and Password encrypted as in steps 2 and 3.
  5. The administrator sends the password to the user over a separate channel (SMS or another out-of-band channel).

The password is the only secret the user's device needs to decrypt the KeyValue, so whoever obtains both the password and the stored record can decrypt the key; deliver it over a channel that is separate from the Vault. Because of step 3, anyone holding the MasterKey can also recover every assigned password from the stored records.

Use the Key in App(*)

When the user logs in to the application, the app (after authenticating) downloads the Key assigned to that user, which contains the KeyName and the encrypted KeyValue.

The application then decrypts the KeyValue with the user's password; from then on the app keeps the encryption key in memory and uses it to encrypt and decrypt all data.
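The key lifecycle described in the Create Key, Assign Key and Use the Key in App sections above, modelled end to end in Go as an added example. This is not IQrypt's code and not the SDK's API: the cipher (AES-256-GCM under a PBKDF2-HMAC-SHA256 derived key), the blob layout, the iteration count and the way the working key is derived from the KeyValue string are all assumptions made for the example, and the key name, usernames and passwords are constructed sample values. It shows what the prose leaves implicit: two users can be given the same Key under different passwords and both derive the same working key; a wrong password or a modified record is rejected by the authentication tag instead of silently yielding garbage; and, because step 3 stores the password under the MasterKey, the MasterKey holder can always read a user's password back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyRecord is the Create Key record; KeyValue is wrapped under the MasterKey.
type KeyRecord struct{ KeyName, KeyDescription string; KeyValue []byte }

// AssignmentRecord is the Assign Key record: KeyValue under the user's password, Password under the MasterKey.
type AssignmentRecord struct{ KeyName, Username string; KeyValue, Password []byte }

// Assumed parameters for this example; the SDK's own are not stated on the page.
const kdfIter, saltLen = 100_000, 16

func must[T any](v T, err error) T { // panics only if the standard library itself fails
	if err != nil { panic(err) }
	return v
}
// pbkdf2Block: first block of RFC 8018 PBKDF2-HMAC-SHA256 (32 bytes, one AES-256 key), written out to stay stdlib-only.
func pbkdf2Block(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(i) for block 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(password string, salt []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(pbkdf2Block([]byte(password), salt, kdfIter)))))
}

// wrap: AES-256-GCM under a password-derived key; blob layout (assumed) is salt || nonce || ciphertext+tag.
func wrap(password string, plaintext []byte) []byte {
	salt := make([]byte, saltLen) // fresh salt and nonce per call, so re-wrapping never repeats a blob
	must(rand.Read(salt))
	gcm := newGCM(password, salt)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(append(salt, nonce...), nonce, plaintext, nil)
}

// unwrap reverses wrap; a wrong password or an altered blob fails the GCM tag check.
func unwrap(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+12+16 {
		return nil, errors.New("wrapped value too short")
	}
	gcm, rest := newGCM(password, blob[:saltLen]), blob[saltLen:]
	pt, err := gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("wrong password or tampered record")
	}
	return pt, nil
}

// CreateKey is the Create Key step; the MasterKey never leaves the CLI's memory.
func CreateKey(masterKey, name, description, keyValue string) KeyRecord {
	return KeyRecord{name, description, wrap(masterKey, []byte(keyValue))}
}

// AssignKey is steps 1-4 of Assign Key; step 5, handing userPassword to the user on a separate channel,
// is outside the Vault. Step 3 is why the MasterKey holder can later unwrap(masterKey, a.Password).
func AssignKey(masterKey string, rec KeyRecord, username, userPassword string) (AssignmentRecord, error) {
	keyValue, err := unwrap(masterKey, rec.KeyValue) // 1: decrypt with the MasterKey, in memory only
	if err != nil {
		return AssignmentRecord{}, err
	}
	forUser := wrap(userPassword, keyValue)            // 2: KeyValue under the user's password
	wrappedPw := wrap(masterKey, []byte(userPassword)) // 3: that password under the MasterKey
	return AssignmentRecord{rec.KeyName, username, forUser, wrappedPw}, nil // 4: the stored record
}

// UseKeyInApp is the Use the Key in App step: the app holds only the password it got out of band.
// Deriving the working key from the KeyValue string with PBKDF2 and a per-key salt is an assumption.
func UseKeyInApp(userPassword string, a AssignmentRecord) ([]byte, error) {
	keyValue, err := unwrap(userPassword, a.KeyValue)
	if err != nil {
		return nil, err
	}
	return pbkdf2Block(keyValue, []byte("key:"+a.KeyName), kdfIter), nil
}

func main() {
	rec := CreateKey("master-pass", "customer-db", "customer records", "v1-s3cr3t")
	fmt.Println(UseKeyInApp("pw-for-bob", must(AssignKey("master-pass", rec, "alice", "pw-for-alice"))))
}
```

Run it with go run; it prints the error returned when one user's password is tried against another user's record. The model also makes the trust boundary explicit: the user's password is all that stands between a stored assignment record and the KeyValue, so the channel used in step 5 deserves the same care as the MasterKey, and unwrap(masterKey, a.Password) is exactly the recovery path step 3 gives to anyone holding the MasterKey.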

(*) Note: the IQrypt SDKs provide methods for getting, verifying and decrypting Keys from the IQryptVault, but they do NOT depend on IQryptVault, so you can put your own solution in place for storing the encryption keys. However, we strongly encourage you to store encryption keys in a secure solution and not to embed keys in source code, application resources or configuration files.