Encryption Scheme

How E3 works under the hood.

Encryption Keys

The current Evervault Encryption Scheme (EES) comprises two sets of keys: the Team Master Key and a public/private asymmetric key pair.

  • Team Master Key (TMK)
  • Asymmetric Key Pair

When an Evervault Team is created, a Team Master Key (TMK) is provisioned for that team.

It is generated for use in AES-256 symmetric encryption, and we use Shamir’s Secret Sharing to split it into three shares with a quorum of three. Two of these shares are stored in Evervault’s databases, encrypted under a key that is accessible only from E3’s AWS Nitro Enclave. Your API key is derived from the third share by XORing each byte of the share with randomly generated “offset bytes”, which are stored on Evervault. Evervault stores the API key in its database encrypted with AWS KMS so that you can retrieve it from the Dashboard. Each access request is tracked, and there is a full audit log of every API key decrypt operation.
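To make the split-and-offset construction above concrete, here is an added Python example (not Evervault’s code) that implements a byte-wise Shamir split over GF(2^8), masks the third share with offset bytes to form an API-key stand-in, and shows that only the full quorum recovers the key. The field, share encoding and all random values are assumptions for illustration; the page does not specify them.

```python
import secrets
from functools import reduce

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    r = 1
    for _ in range(254):                      # a^254 == a^-1 in GF(2^8) for a != 0
        r = gf_mul(r, a)
    return r

def split_secret(secret: bytes, n: int, k: int) -> list[tuple[int, bytes]]:
    """Shamir split: per byte, a random degree-(k-1) polynomial whose constant term is the byte."""
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    def horner(p, x): return reduce(lambda y, c: gf_mul(y, x) ^ c, reversed(p), 0)
    return [(x, bytes(horner(p, x) for p in polys)) for x in range(1, n + 1)]

def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x=0; only correct when a full quorum of shares is supplied."""
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            num = den = 1
            for xm, _ in shares:
                if xm != xj:                  # (0 - x_m) == x_m in characteristic 2
                    num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def demo() -> tuple[bytes, bytes, bytes]:
    tmk = secrets.token_bytes(32)                     # constructed stand-in for the AES-256 TMK
    s1, s2, s3 = split_secret(tmk, n=3, k=3)          # three shares, quorum of three
    offset = secrets.token_bytes(32)                  # constructed "offset bytes" held server-side
    api_key = xor_bytes(s3[1], offset)                # API key = third share XOR offset bytes
    s3_again = (s3[0], xor_bytes(api_key, offset))    # unmask the share when the key is needed
    return tmk, recover_secret([s1, s2, s3_again]), recover_secret([s1, s2])
```

Because the quorum equals the share count, every share is required: the two-share recovery returns an unrelated value, and losing any single share (or the offset bytes) makes the key unrecoverable.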
