The Vault Server is an abstraction over Confidential Storage vaults and WebKMS key stores.
See the OpenAPI spec.
When a user creates a vault in the Vault Server:
- a Decentralized Identifier is created for the vault
- a WebKMS key store is created with the vault's DID as its controller
- a Confidential Storage vault is created with the vault's DID as its controller
When a user stores a document in a vault in the Vault Server:
- the user provides the document's contents together with a unique identifier for it
- the contents are encrypted with a random encryption key
- a new key pair is created in the WebKMS key store
- the encryption key is encrypted by the WebKMS service using the new key pair
- the encrypted artifacts are assembled into an EncryptedDocument and stored in the Confidential Storage vault
When a user authorizes a third party to access a document, the Vault Server creates two authorization tokens:
- one token to use at the Confidential Storage vault backend to retrieve the encrypted document
- one token to use at the WebKMS key store backend to unwrap the encryption key for the document
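The store procedure and the two-backend read path described above, modelled end to end in Go. This is an added illustration, not code from the Vault Server project: the WebKMS key store and the Confidential Storage vault are replaced by in-memory stand-ins, AES-256-GCM for the contents and RSA-OAEP for wrapping the content key are assumptions (the page does not name the algorithms), and the function names, `key-N` identifiers and sample contents are constructed for the example. DID creation and the authorization tokens themselves are not modelled; `ReadDocument` simply stands for a caller who holds both.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedDocument is what the Vault Server hands to Confidential Storage: ciphertext and a wrapped key, never plaintext.
type EncryptedDocument struct {
	ID         string // identifier supplied by the user
	KeyID      string // key pair created in the key store for this document
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // contents encrypted under the random content key
	WrappedKey []byte // content key wrapped under the key pair's public key
}

type KeyStore struct{ keys map[string]*rsa.PrivateKey }           // stand-in for the WebKMS key store; private keys never leave it
type ConfidentialStorage struct{ docs map[string]EncryptedDocument } // stand-in for the vault backend holding EncryptedDocuments

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*rsa.PrivateKey{}} }
func NewConfidentialStorage() *ConfidentialStorage { return &ConfidentialStorage{docs: map[string]EncryptedDocument{}} }

// CreateKey generates a fresh key pair. RSA-OAEP is an assumption made here;
// the page does not name the wrapping algorithm WebKMS uses.
func (ks *KeyStore) CreateKey() (string, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	id := fmt.Sprintf("key-%d", len(ks.keys)+1) // constructed identifier scheme
	ks.keys[id] = priv
	return id, &priv.PublicKey, nil
}

// Unwrap is what the key store token grants: the content key is recovered without the key store seeing the document.
func (ks *KeyStore) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	priv, ok := ks.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// StoreDocument follows the store procedure: random content key, encrypt,
// new key pair, wrap the content key, assemble and store the EncryptedDocument.
func StoreDocument(ks *KeyStore, cs *ConfidentialStorage, id string, contents []byte) (EncryptedDocument, error) {
	buf := make([]byte, 32+12) // random 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return EncryptedDocument{}, err
	}
	cek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(cek)
	if err != nil {
		return EncryptedDocument{}, err
	}
	// The document ID is bound as associated data, so a ciphertext cannot be moved under another identifier unnoticed.
	ct := gcm.Seal(nil, nonce, contents, []byte(id))
	keyID, pub, err := ks.CreateKey()
	if err != nil {
		return EncryptedDocument{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return EncryptedDocument{}, err
	}
	cs.docs[id] = EncryptedDocument{ID: id, KeyID: keyID, Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}
	return cs.docs[id], nil
}

// ReadDocument is the authorized third party's path and needs both backends:
// fetch from storage, unwrap at the key store, decrypt locally.
func ReadDocument(ks *KeyStore, cs *ConfidentialStorage, id string) ([]byte, error) {
	doc, ok := cs.docs[id]
	if !ok {
		return nil, fmt.Errorf("no such document %q", id)
	}
	cek, err := ks.Unwrap(doc.KeyID, doc.WrappedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Ciphertext, []byte(doc.ID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The split matters for the threat model: the storage backend only ever holds ciphertext and a wrapped key, and the key store only ever sees the wrapped key, so compromising either backend alone, or holding only one of the two tokens, does not yield the document. Each stored document gets its own key pair, so revoking or deleting one key does not affect the others.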
Thank you for your interest in contributing. Please see our community contribution guidelines for more information.
Apache License, Version 2.0 (Apache-2.0). See the LICENSE file.