Secure Multi-Tenant Isolation
Overview
This guide shows how to enforce cryptographic isolation between tenants using Locktera containers. Each tenant’s data is encrypted into separate containers with independent access policies, ensuring that only authorized identities within that tenant can decrypt and access the data.
Traditional multi-tenant systems rely on application logic, database filtering, or storage permissions to isolate tenant data. These approaches cannot reliably prevent cross-tenant access if application logic, storage systems, or infrastructure are compromised.
Locktera enforces tenant isolation cryptographically. Containers can only be decrypted by identities explicitly authorized through container access policies. Unauthorized tenants, systems, or users cannot decrypt containers—even if they obtain a copy.
This ensures complete tenant isolation regardless of storage location, infrastructure, or application security.
Key Concepts
Cryptographic Tenant Isolation
Each tenant’s data is encrypted into separate containers with independent access policies.
This ensures:
-
Tenant data cannot be decrypted by unauthorized tenants
-
Cross-tenant access is cryptographically prevented
-
Tenant isolation does not rely on application logic
-
Data remains protected even if infrastructure is compromised
Access enforcement occurs at the time of container decryption.
Independent Container Access Policies
Each container maintains its own cryptographic access policy.
This ensures:
-
Only authorized tenant identities can decrypt tenant data
-
Access can be granted or revoked independently per tenant
-
Tenant access policies cannot affect other tenants
-
Tenant isolation persists regardless of storage or transfer
Container contents remain immutable.
Storage and Infrastructure Independence
Encrypted containers may be stored in shared infrastructure without compromising tenant isolation.
This ensures:
-
Secure storage in shared cloud environments
-
Safe use of shared databases or storage systems
-
Protection in multi-tenant SaaS platforms
-
Protection even if storage systems are compromised
Storage systems cannot decrypt container contents.
Common Use Cases
Cryptographic tenant isolation is commonly used for:
-
SaaS platform tenant data isolation
-
Multi-tenant AI platforms
-
Enterprise copilots serving multiple organizations
-
Developer platforms hosting customer data
-
Secure multi-tenant document storage
-
Preventing cross-tenant data access
Architecture Flow
Tenant A Application
│
│ Encrypt data into Tenant A container
▼
Encrypted Container (.tera)
│
│ Stored in shared infrastructure
▼
Shared Storage Environment
│
│ Access attempt by Tenant B
▼
Access denied cryptographically
Tenant A authorized access:
▼
Authorized Tenant A Identity
│
│ Decrypt container
▼
Tenant A data securely accessed
Prerequisites
-
Locktera API key
-
Tenant identities defined in your application
-
Separate access policies per tenant
Base URL:
https://share.locktera.com/api/v1
Authentication header:
Authorization: Bearer YOUR_API_KEY
Step 1 — Encrypt Tenant Data into a Container
Encrypt tenant data into a container.
Request:
manifest.json
{
"container": {
"downloadable": true,
"drm": {
"dynamic": true
}
}
}
curl -X POST $BASE_URL/users/USER_ID/containers/encode \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "manifest.json=@manifest.json;type=application/json"
-F "name=Tenant A Data Container" \
-F "file=@tenant_a_document.pdf"
Response:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"name": "Tenant A Data Container"
"created_at": "2026-02-21T18:35:17Z"
}
}
Tenant A data is now encrypted and protected.
Step 2 — Grant Access to Tenant A Identities Only
Grant access only to authorized Tenant A identities.
Request:
curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"recipients": ["tenant-a-user@company.com"]
}'
Response:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"recipients": ["tenant-a-user@company.com"]
}
}
Only Tenant A identities may decrypt this container.
Step 3 — Authorized Tenant Access
Authorized Tenant A identity retrieves and decrypts the container.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
-H "Authorization: Bearer TENANT_A_API_KEY"
Response:
{
"files": [
{ "name": "tenant_a_document.pdf" }
]
}
Access is permitted because the identity is authorized.
Step 4 — Unauthorized Tenant Access Attempt
Tenant B attempts to access Tenant A’s container.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
-H "Authorization: Bearer TENANT_B_API_KEY"
Response:
{
"error": "access_denied",
"message": "Decryption is not permitted for this container."
}
Access is denied cryptographically.
Tenant B cannot decrypt Tenant A’s data.
Step 5 — Audit Tenant Access
Retrieve audit records for tenant containers.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/events \
-H "Authorization: Bearer YOUR_API_KEY"
Audit logs provide visibility into:
-
Which tenant accessed data
-
When access occurred
-
Which identity accessed the container
-
Whether access was authorized or denied
Security Properties
This workflow ensures:
-
Complete cryptographic isolation between tenants
-
Cross-tenant access is cryptographically prevented
-
Tenant isolation does not rely on application logic
-
Unauthorized tenants cannot decrypt data
-
Containers remain immutable
-
Access policies are independently enforced
-
Storage systems cannot access plaintext data
-
All access attempts are audit logged
Comparison to Traditional Multi-Tenant Isolation
Traditional tenant isolation relies on:
-
Application-level access control
-
Database filtering
-
Storage permissions
-
Infrastructure security
These methods can fail if infrastructure, applications, or storage systems are compromised.
Locktera enforces isolation cryptographically.
Tenant data cannot be decrypted without authorization, regardless of infrastructure or storage security.
Summary
Locktera enables secure multi-tenant architectures by encrypting tenant data into containers with independent cryptographic access policies. Each tenant’s data remains cryptographically isolated, ensuring that unauthorized tenants, systems, or users cannot access protected data. This enables secure multi-tenant SaaS platforms, AI systems, and enterprise applications without relying on infrastructure-level security.
