Immediate Access Revocation and Incident Response

Overview

This guide shows how to respond to security incidents by immediately revoking access to encrypted containers using cryptographically enforced access control.

Traditional incident response relies on infrastructure controls such as disabling user accounts, rotating credentials, or restricting network access. These approaches cannot reliably prevent access to sensitive data if files have already been copied, downloaded, or distributed outside the organization.

Locktera enables immediate cryptographic revocation of access to containers. Once access is revoked, previously authorized users, systems, or applications can no longer decrypt the container—even if they retain a copy.

This provides a cryptographic kill-switch that prevents unauthorized access regardless of storage location, infrastructure compromise, or data distribution.

This enables rapid incident containment, forensic analysis, and secure recovery.

Key Concepts

Cryptographic Access Revocation

Access to containers is enforced cryptographically and evaluated at the time of decryption.

This ensures:

  • Revoked identities cannot decrypt containers

  • Access revocation is immediately enforced

  • Access cannot be restored without explicit authorization

  • Revocation applies regardless of storage or transfer location

Containers remain encrypted and immutable.

Full Container Revocation (Emergency Kill-Switch)

Full container revocation removes access for all external recipients.

This ensures:

  • Immediate containment of sensitive data

  • Unauthorized users and systems cannot decrypt the container

  • Access is restricted to the container owner only

This provides a cryptographic kill-switch for sensitive data.

Selective Access Revocation

Access may also be revoked for specific recipients.

This ensures:

  • Compromised identities can be removed without affecting other users

  • Access policies can be updated dynamically

  • Incident containment can be precisely controlled

Audit and Forensic Visibility

Locktera maintains cryptographic audit records for all access attempts.

This enables:

  • Incident investigation

  • Access history analysis

  • Identification of compromised identities

  • Compliance reporting and forensic review

Audit records cannot be modified or deleted.

Common Incident Response Scenarios

This workflow is commonly used for:

  • Responding to credential compromise

  • Containing data breach incidents

  • Revoking access from terminated employees

  • Revoking access from compromised systems

  • Responding to unauthorized data access

  • Emergency lockdown of sensitive data

Architecture Flow

Container Owner

    │ Detect security incident

Revoke Container Access

    │ Access policy updated cryptographically

Encrypted Container (.tera)

    │ Unauthorized access attempt

Access denied cryptographically

Previously authorized systems can no longer decrypt the container.

Prerequisites

  • Locktera API key

  • Existing container ID

  • Authorization to modify container access policies

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Identify Container to Revoke

Identify the container requiring access revocation.

Example:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000"
  }
}

This container contains sensitive data requiring emergency protection.

Step 2 — Execute Emergency Full Container Revocation (Kill-Switch)

Revoke access for all external recipients.

Request:

curl -X PUT $BASE_URL/users/{user_id}/containers/{container_id}/block \
  -H "Authorization: Bearer YOUR_API_KEY"
  -H "Content-Type: application/json"
  -d '{"reason": "Emergency"}'

Response:

201 Created

Access is now cryptographically revoked.

Previously authorized users and systems can no longer decrypt the container.

Step 3 — Verify Access Revocation

Attempt container access using a previously authorized identity.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
  -H "Authorization: Bearer PREVIOUSLY_AUTHORIZED_API_KEY"

Response:

{
  "error": "access_denied",
  "message": "Decryption is not permitted for this container."
}

Access revocation is enforced immediately.

Step 4 — Review Audit Logs for Incident Investigation

Retrieve audit records to identify prior access.

Request:

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit logs provide forensic visibility into access history.

Step 5 — Restore Access (Optional)

Access may be restored after incident resolution.

Request:

curl -X DELETE $BASE_URL/users/USER_ID/containers/CONTAINER_ID/block \
  -H "Authorization: Bearer YOUR_API_KEY"

Access is restored only for explicitly authorized identities.

Security Properties

This workflow ensures:

  • Immediate revocation of container access

  • Previously authorized users cannot decrypt containers

  • Revocation applies regardless of storage or location

  • Access enforcement is cryptographic and cannot be bypassed

  • Access revocation does not require re-encryption

  • Access policies can be updated dynamically

  • All access attempts are audit logged

  • Containers remain immutable and secure

Comparison to Traditional Incident Response

Traditional incident response relies on:

  • Credential rotation

  • Account disabling

  • Network access controls

These methods cannot prevent access to copied or downloaded files.

Locktera enforces revocation cryptographically.

Unauthorized systems cannot decrypt protected containers even if they possess copies.

Summary

Locktera enables immediate cryptographic revocation of access to sensitive containers in response to security incidents. Access revocation is enforced independently of infrastructure, storage systems, or file distribution. This provides a cryptographic kill-switch that enables rapid incident containment, secure forensic investigation, and controlled recovery, ensuring that sensitive data remains protected at all times.