- What encryption scheme does Evervault use?
- Do I need to manage encryption keys?
- Where do I encrypt data?
- Why is there no decrypt() function in the Evervault SDKs?
- Why is Evervault better than encryption at rest and in transit?
- Why is Evervault better than encryption libraries like Web Crypto, Tink, etc.?
These are some questions we are frequently asked by our customers.
Below you'll find questions related to encrypting data.
What encryption scheme does Evervault use?
You can learn more about the Evervault Encryption Scheme (EES) here.
Do I need to manage encryption keys?
No. Simply include our SDKs and deploy your functions to an Evervault Cage. We handle everything else.
Where do I encrypt data?
You can encrypt data where it enters your infrastructure—either client-side or server-side.
Why is there no decrypt() function in the Evervault SDKs?
Traditionally, encryption has only been useful if it was a reversible transformation, i.e. if the encrypted data could be reversed back to its original, unencrypted form. If encryption was not reversible, the encrypted data was considered unreadable and unusable. This is why most encryption libraries have a decrypt() function available.
Evervault Cages make a decrypt() function redundant.
Cages are secure, serverless functions for processing encrypted data. That is, encrypted data remains readable and usable—without a decrypt() function being available.
You can deploy a Cage to return data in its unencrypted form. Cage runs are logged so that you can see who accessed plaintext data.
Why is Evervault better than encryption at rest and in transit?
Encryption in transit (using TLS) protects against man-in-the-middle attacks between the client and your server.
Encryption at rest (at the disk level, file-system level, and database level) protects against someone taking the physical drive from your machine and overriding your file system, and prevents an unauthenticated admin from accessing your database.
However, neither encryption in transit nor encryption at rest protects against a malicious agent on your server, because data still has to be decrypted to be processed.
With Evervault, data never exists on your infrastructure in plaintext—so it can never be lost or leaked from there.
Why is Evervault better than encryption libraries like Web Crypto, Tink, etc.?
There are two core reasons why Evervault is better than encryption libraries:
1. No plaintext data on your infrastructure
With encryption libraries like Web Crypto and Tink, you still need to decrypt sensitive data to process and get value from it. With Evervault, sensitive data is never decrypted (i.e. never exists in plaintext) on your infrastructure—so you cannot lose or leak it.
2. No need to manage encryption keys
With encryption libraries, you still need to manage encryption keys. Using Evervault means that you do not need to manage encryption keys. We take full responsibility for key management. The way we configure key management means that Evervault cannot decrypt your data—because your team’s API key is necessary for decryption.
Learn more about the Evervault Encryption Scheme.
Below you'll find questions related to storing encrypted data.
Where do I store data I encrypted with Evervault?
You store the data in your database as normal. There’s no need to change your data structure or format.
What is the structure of encrypted data?
Evervault-encrypted data is returned in a format similar to a JWT. It comprises three parts: a header, a body, and a UUID.
The header is Base64-URL encoded, and contains metadata on the encryption (datatype, encryption scheme version, issuer).
The body contains the encrypted data, together with the data required to decrypt it in a Cage:
| Field | Description |
|---|---|
| Encrypted AES key | The ephemeral RSA-encrypted AES-256 key. |
| keyIv (Base64 encoded) | A randomly generated Initialization Vector used by the AES operation. |
| AES-encrypted data | The original data encrypted with the ephemeral AES-256 key. |
The body is Base64-URL encoded.
The UUID is a unique identifier for a given piece of Evervault-encrypted data.
Below you'll find questions related to processing encrypted data.
What is an Evervault Cage?
Cages are secure serverless functions for processing encrypted data. They're isolated from your stack, and hosted on Evervault. You can write and deploy any serverless function to a Cage.
What languages do Cages support?
At present, Cages can only be written in Node.js. Expanding language support is on our product roadmap, and we're actively rolling out other languages/frameworks. If there's a specific language you'd like us to support, let us know.
What are the resource limits of Cages?
Cages currently have a maximum memory consumption of 1024 MB. This can be increased to 3008 MB on request. They currently have 1 available CPU core, and this can also be increased to 2 cores on request.
What is the maximum execution time of a Cage?
Cages currently have a maximum of 30 seconds execution time as a result of their request-response serverless architecture. Deploying Docker Containers as Cages (for long-running, stateful processes) is on our roadmap.
How scalable are Cages?
Cages will scale automatically to many thousands of requests per second without a noticeable drop in throughput or latency. We are actively improving Cage latency and scalability for more intense workloads and see this as a core priority for our product roadmap.
Is there a way to verify that Evervault does not have access to the plaintext data?
Evervault does not store encrypted data, and data only exists ephemerally on our infrastructure during a Cage run. Our product roadmap includes a remote attestation feature which will verify that code running inside a Cage matches the expected code, removing the risk of malicious code within Cages or on Evervault’s infrastructure.
Can I send requests to external APIs from a Cage?
Evervault has an API Whitelist feature which lets you create a list of external APIs that your Cage can send requests to. By default, Cages can send requests to any third-party API. Once you add a domain name to the API whitelist in the Dashboard, your Cage has network access only to the APIs you specify.
Where are my Evervault API keys?
Your API keys can be found in Settings.
What can I use Evervault for?
Some great use cases are:
- Encrypting user data: encrypt sensitive data including PII (like SSNs), financial data (like cardholder information), and health data, and run any function on it using a Cage.
- Securing your secrets: secure user credentials, API keys, and access tokens so that you don’t have to handle them in plaintext again.
- Interacting with third parties: Evervault makes it easy to communicate with any third-party API, and to encrypt requests and responses using a Cage.
Is Evervault compliant?
We are currently in our SOC-2 Type II, HIPAA, and PCI-DSS Level 1 audit periods.
What languages are Evervault's SDKs?
Does Evervault have a test/sandbox mode?
Evervault teams have an optional test mode setting. With test mode enabled, you will not be charged for any Cage runs.
In test mode, each Cage has a limit of 5 concurrent executions. If a Cage receives more than 5 concurrent runs, the API will return a 429 error and the extra execution will be ignored, so the caller must resend it.
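Because a run rejected with a 429 is dropped rather than queued, a client that fans out work needs to bound its own concurrency and resend rejected runs. The following is an added example, not Evervault's SDK: a small Node.js gate that keeps at most 5 runs in flight and retries 429s with backoff. The runCage function it takes is a hypothetical stand-in for an SDK call, and the fake Cage below is constructed for the demo to reproduce the limit described above.

```javascript
// Added example (not Evervault's code). `runCage` is a hypothetical async
// function standing in for an SDK call that resolves with the run result or
// rejects with an error carrying `status: 429` when the limit is exceeded.

function createRunGate(maxConcurrent = 5, maxRetries = 3, baseDelayMs = 20) {
  let inFlight = 0;
  const waiting = [];

  // Resolve immediately if a slot is free; otherwise queue until one is released.
  function acquire() {
    if (inFlight < maxConcurrent) { inFlight += 1; return Promise.resolve(); }
    return new Promise((resolve) => waiting.push(resolve));
  }
  // Hand the slot straight to the next waiter, or free it.
  function release() {
    const next = waiting.shift();
    if (next) next(); else inFlight -= 1;
  }

  async function run(runCage, payload) {
    await acquire();
    try {
      for (let attempt = 0; ; attempt += 1) {
        try {
          return await runCage(payload);
        } catch (err) {
          // Only 429 is retried: the run was dropped, so resending is safe and necessary.
          if (err.status !== 429 || attempt >= maxRetries) throw err;
          await new Promise((r) => setTimeout(r, baseDelayMs * 2 ** attempt));
        }
      }
    } finally {
      release();
    }
  }
  return { run };
}

// Constructed stand-in for a test-mode Cage: more than `limit` concurrent runs
// are rejected with a 429 and ignored, as the FAQ describes.
function makeFakeCage(limit = 5, workMs = 10) {
  let active = 0;
  let peak = 0;
  let rejected = 0;
  async function runCage(payload) {
    if (active >= limit) {
      rejected += 1;
      const err = new Error('Too Many Requests');
      err.status = 429;
      throw err;
    }
    active += 1;
    peak = Math.max(peak, active);
    try {
      await new Promise((r) => setTimeout(r, workMs));
      return { echoed: payload };
    } finally {
      active -= 1;
    }
  }
  return { runCage, report: () => ({ peak, rejected }) };
}

// Fire `n` runs at once, with or without the gate, and report what the Cage saw.
async function demo(n = 20, gated = true) {
  const cage = makeFakeCage(5);
  const gate = createRunGate(5);
  const jobs = Array.from({ length: n }, (_, i) => i);
  const results = await Promise.allSettled(
    jobs.map((i) => (gated ? gate.run(cage.runCage, { i }) : cage.runCage({ i }))),
  );
  const completed = results.filter((r) => r.status === 'fulfilled').length;
  return { completed, ...cage.report() };
}
```

Run demo(20, false) to see the unbounded case (5 complete, 15 rejected) and demo(20, true) to see the gated case (all 20 complete, peak concurrency never above 5). The retry path is still there for production bursts where the limit is hit despite the gate, but it only resends on 429, since any other error could mean the run was actually executed.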