Identity and Key Management

Overview

This guide describes how Locktera manages identities and encryption keys to enforce cryptographic access control for containers.

Locktera separates identity, authorization, and encryption into independent cryptographic layers. Containers remain encrypted at all times, and decryption is permitted only when an authorized identity successfully requests access.

Keys are never shared directly between users. Instead, Locktera securely manages encryption and key authorization so that access can be granted, revoked, or restricted without re-encrypting container contents.

This ensures encryption keys remain protected, access remains enforceable, and container security persists regardless of storage location, infrastructure, or system compromise.

Core Principles

Locktera key management is based on four principles:

• Identity-bound authorization
• Container-level encryption
• Independent access enforcement
• Revocable cryptographic access

These principles ensure secure and scalable key management across distributed environments.

Identity Model

Every access request is associated with a cryptographic identity.

Identities may represent:

• Users
• Applications
• Services
• Devices
• AI systems
• Deployment environments

Each identity is authenticated using:

• API keys
• Identity tokens
• Certificates
• Secure runtime identity

Access is granted to identities, not infrastructure.

Container Encryption Model

Each container is encrypted using a unique container encryption key.

This ensures:

• Containers are cryptographically isolated
• Keys are not shared between containers
• Compromise of one container does not expose others
• Encryption remains independent of storage provider

Container encryption occurs before storage or transfer.

Storage systems never receive plaintext or encryption keys.

Access Authorization Model

Access to container encryption keys is controlled through container access policies.

When an identity attempts to decrypt a container:

  1. Identity is authenticated

  2. Access policy is evaluated

  3. Decryption key is authorized or denied

  4. Decryption occurs only if authorized

If authorization fails, decryption is cryptographically denied.

Encryption keys are never exposed to unauthorized identities.

Key Lifecycle

Locktera manages encryption keys throughout their lifecycle.

Key Creation

When a container is created:

• A unique encryption key is generated
• Key is bound cryptographically to the container
• Container contents are encrypted

Example:

curl -X POST $BASE_URL/users/USER_ID/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@sensitive_document.pdf"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000"
  }
}

The encryption key is created automatically and managed securely.

Key Authorization

Access to container keys is granted by authorizing identities.

Example:

curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "recipients": [
          "authorized.user@company.com"
        ]
      }'

This authorizes the identity to decrypt the container.

The container encryption key remains protected.

Key Usage

Authorized identities may decrypt the container.

Example:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
  -H "Authorization: Bearer AUTHORIZED_API_KEY"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "files": [
      {
        "name": "sensitive_document.pdf"
      }
    ]
  }
}

The encryption key is used internally and never exposed.

Key Revocation

Access to encryption keys may be revoked instantly.

Example:

curl -X PUT $BASE_URL/users/USER_ID/containers/CONTAINER_ID/block \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Revoked"}'

This prevents further decryption.

Previously authorized identities can no longer decrypt the container.

No re-encryption is required.

Manifest-Based Access Control

Access policies may also be defined at container creation using manifest.json.

Example:

manifest.json

{
  "container": {
    "recipients": [
      "authorized.user@company.com"
    ],
    "downloadable": true,
    "drm": {
      "dynamic": true
    }
  }
}

This binds key authorization directly to the container.

Identity Enforcement Architecture

Container decryption follows this sequence:

Identity Request

  │

  ▼

Identity Authentication

  │

  ▼

Access Policy Evaluation

  │

  ▼

Key Authorization

  │

  ▼

Container Decryption (if authorized)

Unauthorized identities cannot access keys.

Key Isolation

Locktera ensures strict key isolation.

This ensures:

• Each container uses a unique encryption key
• Keys are not reused across containers
• Keys are not shared between tenants
• Key compromise cannot propagate

Each container is cryptographically independent.

Infrastructure Independence

Key security does not depend on infrastructure security.

Keys remain protected even if:

• Storage is compromised
• Containers are copied
• Infrastructure is breached
• Systems are untrusted

Keys remain protected by cryptographic authorization.

Audit Logging of Key Access

All key usage events are audit logged.

Example:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit logs include:

• Identity requesting access
• Timestamp
• Authorization result
• Operation performed

This enables compliance and forensic analysis.

Deployment Models

Key enforcement operates consistently across all deployment models:

• Cloud environments
• On-premise deployments
• Kubernetes clusters
• Edge systems
• Device deployments
• Hybrid infrastructure

Key security is independent of deployment environment.

Security Guarantees

Locktera key management ensures:

• Encryption keys are never exposed to unauthorized identities
• Access is enforced cryptographically
• Key authorization is identity-based
• Keys remain protected regardless of infrastructure
• Access may be revoked instantly
• Containers remain encrypted at all times
• Key usage is audit logged
• Infrastructure compromise cannot expose keys

Use Cases

This architecture is used for:

• Secure enterprise data protection
• Multi-tenant SaaS security
• Secure AI and model protection
• Secure firmware and OTA updates
• Secure backup and archive protection
• Secure data sovereignty enforcement

Summary

Locktera enforces cryptographic identity-based key management to secure encrypted containers.

Each container is encrypted with a unique key, and access is granted only to explicitly authorized identities. Keys remain protected, access is revocable instantly, and enforcement persists regardless of infrastructure, storage, or distribution.

This enables secure, scalable, and infrastructure-independent data protection across cloud, enterprise, and device environments.