Secure Multi-Tenant Isolation

Overview

This guide shows how to enforce cryptographic isolation between tenants using Locktera containers. Each tenant’s data is encrypted into separate containers with independent access policies, ensuring that only authorized identities within that tenant can decrypt and access the data.

Traditional multi-tenant systems rely on application logic, database filtering, or storage permissions to isolate tenant data. These approaches cannot reliably prevent cross-tenant access if application logic, storage systems, or infrastructure are compromised.

Locktera enforces tenant isolation cryptographically. Containers can only be decrypted by identities explicitly authorized through container access policies. Unauthorized tenants, systems, or users cannot decrypt containers—even if they obtain a copy.

This ensures complete tenant isolation regardless of storage location, infrastructure, or application security.

Key Concepts

Cryptographic Tenant Isolation

Each tenant’s data is encrypted into separate containers with independent access policies.

This ensures:

  • Tenant data cannot be decrypted by unauthorized tenants

  • Cross-tenant access is cryptographically prevented

  • Tenant isolation does not rely on application logic

  • Data remains protected even if infrastructure is compromised

Access enforcement occurs at the time of container decryption.

Independent Container Access Policies

Each container maintains its own cryptographic access policy.

This ensures:

  • Only authorized tenant identities can decrypt tenant data

  • Access can be granted or revoked independently per tenant

  • Tenant access policies cannot affect other tenants

  • Tenant isolation persists regardless of storage or transfer

Container contents remain immutable.

Storage and Infrastructure Independence

Encrypted containers may be stored in shared infrastructure without compromising tenant isolation.

This ensures:

  • Secure storage in shared cloud environments

  • Safe use of shared databases or storage systems

  • Protection in multi-tenant SaaS platforms

  • Protection even if storage systems are compromised

Storage systems cannot decrypt container contents.

Common Use Cases

Cryptographic tenant isolation is commonly used for:

  • SaaS platform tenant data isolation

  • Multi-tenant AI platforms

  • Enterprise copilots serving multiple organizations

  • Developer platforms hosting customer data

  • Secure multi-tenant document storage

  • Preventing cross-tenant data access

Architecture Flow

Tenant A Application

     │ Encrypt data into Tenant A container

Encrypted Container (.tera)

     │ Stored in shared infrastructure

Shared Storage Environment

     │ Access attempt by Tenant B

Access denied cryptographically

Tenant A authorized access:

Authorized Tenant A Identity

     │ Decrypt container

Tenant A data securely accessed

Prerequisites

  • Locktera API key

  • Tenant identities defined in your application

  • Separate access policies per tenant

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Encrypt Tenant Data into a Container

Encrypt tenant data into a container.

Request:

manifest.json

{
  "container": {
    "downloadable": true,
    "drm": {
      "dynamic": true
    }
  }
}

curl -X POST $BASE_URL/users/USER_ID/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "manifest.json=@manifest.json;type=application/json"
  -F "name=Tenant A Data Container" \
  -F "file=@tenant_a_document.pdf"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "name": "Tenant A Data Container"
    "created_at": "2026-02-21T18:35:17Z"
  }
}

Tenant A data is now encrypted and protected.

Step 2 — Grant Access to Tenant A Identities Only

Grant access only to authorized Tenant A identities.

Request:

curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
       "recipients": ["tenant-a-user@company.com"]
      }'

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "recipients": ["tenant-a-user@company.com"]
  }
}

Only Tenant A identities may decrypt this container.

Step 3 — Authorized Tenant Access

Authorized Tenant A identity retrieves and decrypts the container.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
  -H "Authorization: Bearer TENANT_A_API_KEY"

Response:

{
  "files": [
    { "name": "tenant_a_document.pdf" }
  ]
}

Access is permitted because the identity is authorized.

Step 4 — Unauthorized Tenant Access Attempt

Tenant B attempts to access Tenant A’s container.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
  -H "Authorization: Bearer TENANT_B_API_KEY"

Response:

{
  "error": "access_denied",
  "message": "Decryption is not permitted for this container."
}

Access is denied cryptographically.

Tenant B cannot decrypt Tenant A’s data.

Step 5 — Audit Tenant Access

Retrieve audit records for tenant containers.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit logs provide visibility into:

  • Which tenant accessed data

  • When access occurred

  • Which identity accessed the container

  • Whether access was authorized or denied

Security Properties

This workflow ensures:

  • Complete cryptographic isolation between tenants

  • Cross-tenant access is cryptographically prevented

  • Tenant isolation does not rely on application logic

  • Unauthorized tenants cannot decrypt data

  • Containers remain immutable

  • Access policies are independently enforced

  • Storage systems cannot access plaintext data

  • All access attempts are audit logged

Comparison to Traditional Multi-Tenant Isolation

Traditional tenant isolation relies on:

  • Application-level access control

  • Database filtering

  • Storage permissions

  • Infrastructure security

These methods can fail if infrastructure, applications, or storage systems are compromised.

Locktera enforces isolation cryptographically.

Tenant data cannot be decrypted without authorization, regardless of infrastructure or storage security.

Summary

Locktera enables secure multi-tenant architectures by encrypting tenant data into containers with independent cryptographic access policies. Each tenant’s data remains cryptographically isolated, ensuring that unauthorized tenants, systems, or users cannot access protected data. This enables secure multi-tenant SaaS platforms, AI systems, and enterprise applications without relying on infrastructure-level security.