Encryptor
Create a channel for a secret and upload an encryption
POST /encryptions
Description
Secrets are secured within a channel of a PAD instance. To create an encryption Channel
, you must upload an Encryption
object to the server. At any time, the decryptor can retrieve the Encryption
object using the hash of the token value, which acts as an identifier of the channel. The decryptor may choose to retrieve the Encryption
object immediately in order to independently store the encrypted values, or may only do so when a decryption is requested. In any case, no decryption can occur unless the decryptor has posted a data request and sufficient trustees and validators have responded. Read the code samples section for details and information about how to construct Encryption
objects.
To facilitate updating the Encryption
object securely in some use cases (Find-me, for example), you can send a channel key along with this request. This ensures only you who has the private key counterpart of the channel key can change the Encryption
object in this channel.
Parameters
channelKey
body
string
true
A PEM-encoded (public) verification key for the channel
Example
Responses
200 OK
The encryption has been successfully uploaded onto the server.
Example
401 Unauthorized
API key is missing or incorrect.
Example
409 Conflict
A channel with the same token already exists. The client should use another token or update the encryption on the channel.
Example
Get encryption status
GET /encryptions/{token-hash}/status
Description
This retrieves the status of an encryption
, namely whether or not the data has been requested by the decryptor. If a request has been made, then this status also gives which trustees and validators have responded to the data request. This information is retrieved and provided by the PAD server. To eliminate the need to trust the PAD service, this data should be checked for consistency with trustee attestations of the ledger state.
Parameters
Example
GET /encryptions/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/status
Responses
200 OK
Successfully retrieved the status of an Encryption
.
Schema
ok
boolean
true
none
none
encryptionStatus
object
true
none
none
» requested
boolean
true
none
none
Example
401 Unauthorized
API key is missing or incorrect.
Example
Update encryption
PUT /encryptions/{token-hash}
Description
In some use cases (e.g. Find-me), secrets may be generated as a stream of data and the decryptor can make a request for only the most recent secret. This endpoint allows the encryptor to update the Encryption
after establishing an encryption channel.
To ensure only you can use this endpoint, you must sign the Encryption
object with the channel private key.
Parameters
Example
PUT /encryptions/d033713dd14552c060c55746afdb989cfee8e624ae94a932d79fd25630f728a4
Responses
200 OK
The Encryption
is successfully updated.
Example
400 Bad Request
The request failed because tokens in path and body are inconsistent.
Example
401 Unauthorized
Api key is missing or incorrect.
Example
Schemas
TrusteeId
ID of a trustee. It contains only alphanumerical characters, underscores (_) and dashes (-). It has length inclusively between 3 and 30.
Example
Schema
string
[a-zA-Z0-9-_]{3,30}
ValidatorId
ID of a validator. It contains only alphanumerical characters, underscores (_) and dashes (-). It has length inclusively between 3 and 30.
Example
Schema
string
[a-zA-Z0-9-_]{3,30}
Encryption
An Encryption
is identified by tokenHash
and the instance in which it lives. It contains the ciphertext encrypted by both the decryptor's key and a fresh symmetric key k
. It also contains the encrypted shares of k
for the trustees and validators. For more details, read the code samples page.
Example
Schema
description
string
true
none
» [trusteeId
]
object
true
none
»» encrypted
string
true
none
» [validatorId
]
object
true
none
Sha256
A Sha256 hash value as a hexidecimal string.
Example
Schema
string
/[0-9a-fA-F]{64}/
DateTime
A timestamp in ISO 8601 format.
Example
Schema
string
-
Trustee
An object listing details of a trustee, including its ID, human-readable description/name, its role (Trustee
) and its public keys.
Example
Schema
fullName
string
true
/Trustee-[0-9a-zA-Z_]+/
none
role
enum
true
none
none
encryptionKey
string
true
none
PEM-encoded (public) encryption key of the trustee. Used by encryptors at encryption time
verificationKey
string
true
none
PEM-encoded (public) verification key of trustee
Enumerated Values
role
Trustee
Validator
An object listing details of a validator, including its ID, human-readable description/name, its role (Validator
) and its public keys.
Example
Schema
fullName
string
true
/Validator-[0-9a-zA-Z_]+/
none
`role
enum`
true
none
none
encryptionKey
string
true
none
PEM-encoded (public) encryption key of the validator. Used by encryptors at encryption time
verificationKey
string
true
none
PEM-encoded (public) verification key of validator
Enumerated Values
role
Validator
Base64
A base64-encoded binary data.
Example
Schema
string
none
Ciphertext
A piece of asymmetrically encrypted ciphertext. It is created by first generating a symmetric ephemeral key, encrypt symmetrically the message using the ephemeral key, then encrypt asymmetrically the ephemeral key by an encryption key. All binary data are encoded in base64. For details, read the code samples.
Example
Schema
PadInstanceMetadata
Information about a PAD instance. That includes the instance name, its list of trustees, the trustee threshold, the list of validators and the validator threshold.
Example
Schema
t
integer
true
none
none
tPrime
integer
true
none
none
ApiResponse
Example
Schema
ok
boolean
true
The request is successful or not
message
string
true
none
Token
A 128-bit random string kept secret between the encryptor and decryptor after encryption stage and before data request stage. It identifies a data request. Its hash value identifies an encryption
. The decryptor posts it on the ledger at data request stage.
Example
Schema
string
/[0-9a-fA-Z]{32}/
PadName
ID of a PAD instance. Its length must be inclusively between 4 and 30. It should contains only lowercase letters, digits, periods (.
) or dashes (-
). It must start with a lowercase letter.
It is seldom used as a request parameter because the API key in the request already identifies a PAD instance.
Example
Schema
string
/[a-z][a-z0-9.-]{3,29}/
Last updated