Skip to main content

How does non-custodial encryption work?

Keep your data secure with mintBlue's encryption technology. Your data is encrypted using your own keys before it leaves your device or server, giving you complete control and access to your data.

This page covers topics like:

  • How does key encryption work?
  • What is an access token?
  • How does key decryption work?

Key Encryption​

When you sign up with mintBlue, your device generates a secure keypair known as your master key. To ensure maximum security, your master key never leaves your device unencrypted. For added protection, a key encryption key is generated using PBKDF2 when you set your password, and your password is always hashed before being sent to the server.

During registration, your master key is encrypted with your key encryption key, using AES-GCM. This encrypted master key is sent to the mintBlue server for storage, ensuring secure multi-device access and key recovery

Access Tokens​

Access Tokens allow you to securely access your data through code. Upon creation of an Access Token, a new key encryption key is generated on the client-side and used to re-encrypt your master key. The re-encrypted key is then stored on the mintBlue server for secure access

After this process, you will be shown two keys:

  • SDK Access Token

    • This key contains the secret allowing the SDK to decrypt the encrypted master key for local usage
    • The secret part of the key will be hashed before being sent to the server

  • API Access Token

    • This key contains the hashed secret and cannot be used to decrypt the encrypted master key
    • Is used only to authenticate API calls

Key Decryption​

When you login or use the SDK to connect to the mintBlue service, our servers will give you back your encrypted master key. Your password or SDK key will then be used to generate your *key encryption key. *Your key encryption key is then used to decrypt your encrypted master key.

Privacy​

  • Since only you know your password or SDK key, only you can generate your key encryption key
  • Since only you can generate your key encryption key, only you can access your master key
  • Since only you can access your master key, only you can decrypt your encrypted data
  • Since only you can access your master key, only you can validly sign your data

SDK​

Encryption​

The SDK can be used to Create an encrypted data transaction, simply by setting the encrypt property to true. This will result in the SDK using your *master key *to encrypt your data or files using ECDH-ES+A128GCM. Only the encrypted data will be sent to the server. Your data is yours, mintBlue cannot access your encrypted data!

Digital Signatures​

The SDK can be used to Create a signed data transaction, simply by setting the sign property to true. This will sign your data using your master key with ES256K. The signature will be attached to the transaction.

Schematic overview