Secure File Upload and Storage

Overview

This guide shows how to create an encrypted, immutable container that securely stores one or more files with cryptographically enforced access control.

In Locktera, one or more files are added to a container at creation time. The container is then encrypted as a single immutable cryptographic object. Once created, the container’s content cannot be modified, ensuring integrity and tamper resistance. Access controls can be updated independently without altering the container’s contents.

The encrypted container can be stored in any storage system while maintaining persistent cryptographic protection.

Encryption occurs before the container is stored, ensuring storage providers never receive unencrypted content.

What You Will Build

In this guide, you will:

  1. Create an encrypted, immutable container that stores one or more files

  2. Encrypt the container into a protected .tera object at creation time

  3. Store the encrypted container in your preferred storage system

  4. Retrieve the container as an authorized user or system

  5. Modify access permissions without altering the container contents

Key Concepts

Container

A container is the fundamental secure object in Locktera.

A container:

  • Holds one or more files

  • Is encrypted as a single object

  • Is immutable after creation

  • Enforces cryptographic access control

  • Generates audit records on access

The encrypted container is represented as a .tera object.

Immutability

Container contents cannot be:

  • Modified

  • Appended

  • Replaced

  • Deleted

This ensures cryptographic integrity and prevents tampering. Immutability ensures container contents cannot be altered after creation, providing strong guarantees of integrity, tamper resistance, and audit reliability.

Access permissions, however, can be granted or revoked at any time without modifying the container itself.

Architecture Flow

Client Application

    │ Create container with files

Encrypted Container (.tera)

    │ Store anywhere

Cloud Storage / On-Prem / Archive / Backup

Encryption occurs during container creation. Storage systems never receive unencrypted content.

Prerequisites

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Create an Encrypted Container with Files

Files are provided at container creation. The container is encrypted and finalized as an immutable object.

Request

curl -X POST $BASE_URL/users/YOUR_USER_ID/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "manifest.json=@manifest.json;type=application/json" \
  -F "name=Employee Records Container" \
  -F "file=@employee_record.pdf;type=application/pdf" \
  -F "file=@tax_document.pdf;type=application/pdf"

Response

{
  "org_id": "your_user_id",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "name": "Employee Records Container",
    "created_at": "2026-02-20T18:35:17Z"
  },
  "files":{
    "name": "employee_record.pdf",
    "name": "tax_document.pdf"
  }
}

The container is now:

  • Fully encrypted

  • Immutable

  • Protected by cryptographic access control

No further files can be added to this container.

Step 2 — Store the Encrypted Container

The encrypted container can be stored in any storage infrastructure.

Supported environments include:

  • Amazon S3

  • Azure Blob Storage

  • Google Cloud Storage

  • On-prem object storage

  • Backup systems

  • Archive systems

Storage providers cannot decrypt or modify the container.

Step 3 — Decode the Container Content

Authorized users or systems may decrypt the container content.

Request

curl -X GET $BASE_URL/users/YOUR_USER_ID/containers/CONTAINER_ID/decode/employee_record.pdf \
  -H "Authorization: Bearer YOUR_API_KEY"

If authorized:

  • Authorized clients may securely decrypt the container using Locktera-enforced access control.

  • Access is logged

  • Audit record is generated

If unauthorized:

  • Access is denied

  • Content remains encrypted

Step 4 — Modify Access Controls (Optional)

Access permissions can be granted, modified, or revoked without altering container contents. Access control is enforced independently of container immutability.

Access policies can be updated using the DRM endpoint:

PATCH /users/{user_id}/containers/{container_id}/drm

This allows:

  • Granting access to authorized users, systems, or applications

  • Revoking access at any time, including after the container has been shared

  • Enforcing time-bound access windows with automatic expiration

  • Restricting access by IP address or geographic location

  • Limiting concurrent sessions or access frequency

  • Granting or restricting download permissions

  • Enforcing password-protected access

  • Restricting access to read-only mode

Container contents remain immutable. Updating access policies does not modify, re-encrypt, or alter the container itself.

Security Properties

This workflow ensures:

  • Encryption occurs at container creation

  • Container contents are immutable

  • Storage systems cannot access plaintext

  • Access control is cryptographically enforced

  • Access permissions can be modified independently

  • All access events are audit logged

Common Integration Patterns

This pattern is commonly used for:

  • Secure document storage

  • Healthcare record storage

  • Legal evidence storage

  • Secure backups and archives

  • AI dataset protection

Error Handling

401 Unauthorized

Invalid or missing API key.

403 Forbidden

Access denied due to insufficient permissions.

404 Not Found

Container does not exist.

Summary

Locktera containers are encrypted immutable objects that securely store one or more files. Once created, container contents cannot be modified, ensuring integrity and tamper resistance. Access controls can be updated independently, allowing secure storage, sharing, and enforcement regardless of where the container is stored.