Your data can be encrypted with mintBlue. Meaning, your data is encrypted with your keys before they leave your device or server. Your keys are available only to you. Only you can access your data!
Read the topics below to learn how we do this.
When you sign up for mintBlue, your client generates a random keypair. We will call this keypair your master key. Your master key will never leave your device unencrypted. Once you choose your password, a key encryption key is generated using PBKDF2. Your password will always be hashed before being sent to the server.
During registration, your master key is encrypted with your key encryption key, using AES-GCM. The encrypted master key is sent to the mintBlue server for storage.
When creating an Access Token, a secret is generated on the client side. This secret is used to create a new key encryption key, which is used to re-encrypt your master key. The re-encrypted key is then sent to the server for storage.
After this process, you will be shown two keys:
- SDK token
- This key contains the secret allowing the SDK to decrypt the encrypted master key for local usage
- The secret part of the key will be hashed before being sent to the server
- API token
- This key contains the hashed secret and cannot be used to decrypt the encrypted master key
- Is used only to authenticate API calls
When you login or use the SDK to connect to the mintBlue service, our servers will give you back your encrypted master key. Your password or SDK key will then be used to generate your key encryption key. Your key encryption key is then used to decrypt your encrypted master key.
- Since only you know your password or SDK key, only you can generate your key encryption key
- Since only you can generate your key encryption key, only you can access your master key
- Since only you can access your master key, only you can decrypt your encrypted data
- Since only you can access your master key, only you can validly sign your data
The SDK can be used to , simply by setting the encrypt property to true. This will result in the SDK using your master key to encrypt your data or files using ECDH-ES+A128GCM. Only the encrypted data will be sent to the server. Your data is yours, mintBlue cannot access your encrypted data!
The SDK can be used to , simply by setting the sign property to true. This will sign your data using your master key with ES256K. The signature will be attached to the transaction.