Secure File Upload and Storage
Overview
This guide shows how to create an encrypted, immutable container that securely stores one or more files with cryptographically enforced access control.
In Locktera, one or more files are added to a container at creation time. The container is then encrypted as a single immutable cryptographic object. Once created, the container’s content cannot be modified, ensuring integrity and tamper resistance. Access controls can be updated independently without altering the container’s contents.
The encrypted container can be stored in any storage system while maintaining persistent cryptographic protection.
Encryption occurs before the container is stored, ensuring storage providers never receive unencrypted content.
What You Will Build
In this guide, you will:
-
Create an encrypted, immutable container that stores one or more files
-
Encrypt the container into a protected
.teraobject at creation time -
Store the encrypted container in your preferred storage system
-
Retrieve the container as an authorized user or system
-
Modify access permissions without altering the container contents
Key Concepts
Container
A container is the fundamental secure object in Locktera.
A container:
-
Holds one or more files
-
Is encrypted as a single object
-
Is immutable after creation
-
Enforces cryptographic access control
-
Generates audit records on access
The encrypted container is represented as a .tera object.
Immutability
Container contents cannot be:
-
Modified
-
Appended
-
Replaced
-
Deleted
This ensures cryptographic integrity and prevents tampering. Immutability ensures container contents cannot be altered after creation, providing strong guarantees of integrity, tamper resistance, and audit reliability.
Access permissions, however, can be granted or revoked at any time without modifying the container itself.
Architecture Flow
Client Application
│
│ Create container with files
▼
Encrypted Container (.tera)
│
│ Store anywhere
▼
Cloud Storage / On-Prem / Archive / Backup
Encryption occurs during container creation. Storage systems never receive unencrypted content.
Prerequisites
-
HTTP client (such as curl, a Locktera SDK, or equivalent)
Base URL:
https://share.locktera.com/api/v1
Authentication header:
Authorization: Bearer YOUR_API_KEY
Step 1 — Create an Encrypted Container with Files
Files are provided at container creation. The container is encrypted and finalized as an immutable object.
Request
curl -X POST $BASE_URL/users/YOUR_USER_ID/containers/encode \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "manifest.json=@manifest.json;type=application/json" \
-F "name=Employee Records Container" \
-F "file=@employee_record.pdf;type=application/pdf" \
-F "file=@tax_document.pdf;type=application/pdf"
Response
{
"org_id": "your_user_id",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"name": "Employee Records Container",
"created_at": "2026-02-20T18:35:17Z"
},
"files":{
"name": "employee_record.pdf",
"name": "tax_document.pdf"
}
}
The container is now:
-
Fully encrypted
-
Immutable
-
Protected by cryptographic access control
No further files can be added to this container.
Step 2 — Store the Encrypted Container
The encrypted container can be stored in any storage infrastructure.
Supported environments include:
-
Amazon S3
-
Azure Blob Storage
-
Google Cloud Storage
-
On-prem object storage
-
Backup systems
-
Archive systems
Storage providers cannot decrypt or modify the container.
Step 3 — Decode the Container Content
Authorized users or systems may decrypt the container content.
Request
curl -X GET $BASE_URL/users/YOUR_USER_ID/containers/CONTAINER_ID/decode/employee_record.pdf \
-H "Authorization: Bearer YOUR_API_KEY"
If authorized:
-
Authorized clients may securely decrypt the container using Locktera-enforced access control.
-
Access is logged
-
Audit record is generated
If unauthorized:
-
Access is denied
-
Content remains encrypted
Step 4 — Modify Access Controls (Optional)
Access permissions can be granted, modified, or revoked without altering container contents. Access control is enforced independently of container immutability.
Access policies can be updated using the DRM endpoint:
PATCH /users/{user_id}/containers/{container_id}/drm
This allows:
-
Granting access to authorized users, systems, or applications
-
Revoking access at any time, including after the container has been shared
-
Enforcing time-bound access windows with automatic expiration
-
Restricting access by IP address or geographic location
-
Limiting concurrent sessions or access frequency
-
Granting or restricting download permissions
-
Enforcing password-protected access
-
Restricting access to read-only mode
Container contents remain immutable. Updating access policies does not modify, re-encrypt, or alter the container itself.
Security Properties
This workflow ensures:
-
Encryption occurs at container creation
-
Container contents are immutable
-
Storage systems cannot access plaintext
-
Access control is cryptographically enforced
-
Access permissions can be modified independently
-
All access events are audit logged
Common Integration Patterns
This pattern is commonly used for:
-
Secure document storage
-
Healthcare record storage
-
Legal evidence storage
-
Secure backups and archives
-
AI dataset protection
Error Handling
401 Unauthorized
Invalid or missing API key.
403 Forbidden
Access denied due to insufficient permissions.
404 Not Found
Container does not exist.
Summary
Locktera containers are encrypted immutable objects that securely store one or more files. Once created, container contents cannot be modified, ensuring integrity and tamper resistance. Access controls can be updated independently, allowing secure storage, sharing, and enforcement regardless of where the container is stored.
