Immediate Access Revocation and Incident Response
Overview
This guide shows how to respond to security incidents by immediately revoking access to encrypted containers using cryptographically enforced access control.
Traditional incident response relies on infrastructure controls such as disabling user accounts, rotating credentials, or restricting network access. These approaches cannot reliably prevent access to sensitive data if files have already been copied, downloaded, or distributed outside the organization.
Locktera enables immediate cryptographic revocation of access to containers. Once access is revoked, previously authorized users, systems, or applications can no longer decrypt the container—even if they retain a copy.
This provides a cryptographic kill-switch that prevents unauthorized access regardless of storage location, infrastructure compromise, or data distribution.
This enables rapid incident containment, forensic analysis, and secure recovery.
Key Concepts
Cryptographic Access Revocation
Access to containers is enforced cryptographically and evaluated at the time of decryption.
This ensures:
-
Revoked identities cannot decrypt containers
-
Access revocation is immediately enforced
-
Access cannot be restored without explicit authorization
-
Revocation applies regardless of storage or transfer location
Containers remain encrypted and immutable.
Full Container Revocation (Emergency Kill-Switch)
Full container revocation removes access for all external recipients.
This ensures:
-
Immediate containment of sensitive data
-
Unauthorized users and systems cannot decrypt the container
-
Access is restricted to the container owner only
This provides a cryptographic kill-switch for sensitive data.
Selective Access Revocation
Access may also be revoked for specific recipients.
This ensures:
-
Compromised identities can be removed without affecting other users
-
Access policies can be updated dynamically
-
Incident containment can be precisely controlled
Audit and Forensic Visibility
Locktera maintains cryptographic audit records for all access attempts.
This enables:
-
Incident investigation
-
Access history analysis
-
Identification of compromised identities
-
Compliance reporting and forensic review
Audit records cannot be modified or deleted.
Common Incident Response Scenarios
This workflow is commonly used for:
-
Responding to credential compromise
-
Containing data breach incidents
-
Revoking access from terminated employees
-
Revoking access from compromised systems
-
Responding to unauthorized data access
-
Emergency lockdown of sensitive data
Architecture Flow
Container Owner
│
│ Detect security incident
▼
Revoke Container Access
│
│ Access policy updated cryptographically
▼
Encrypted Container (.tera)
│
│ Unauthorized access attempt
▼
Access denied cryptographically
Previously authorized systems can no longer decrypt the container.
Prerequisites
-
Locktera API key
-
Existing container ID
-
Authorization to modify container access policies
Base URL:
https://share.locktera.com/api/v1
Authentication header:
Authorization: Bearer YOUR_API_KEY
Step 1 — Identify Container to Revoke
Identify the container requiring access revocation.
Example:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000"
}
}
This container contains sensitive data requiring emergency protection.
Step 2 — Execute Emergency Full Container Revocation (Kill-Switch)
Revoke access for all external recipients.
Request:
curl -X PUT $BASE_URL/users/{user_id}/containers/{container_id}/block \
-H "Authorization: Bearer YOUR_API_KEY"
-H "Content-Type: application/json"
-d '{"reason": "Emergency"}'
Response:
201 Created
Access is now cryptographically revoked.
Previously authorized users and systems can no longer decrypt the container.
Step 3 — Verify Access Revocation
Attempt container access using a previously authorized identity.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
-H "Authorization: Bearer PREVIOUSLY_AUTHORIZED_API_KEY"
Response:
{
"error": "access_denied",
"message": "Decryption is not permitted for this container."
}
Access revocation is enforced immediately.
Step 4 — Review Audit Logs for Incident Investigation
Retrieve audit records to identify prior access.
Request:
curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/events \
-H "Authorization: Bearer YOUR_API_KEY"
Audit logs provide forensic visibility into access history.
Step 5 — Restore Access (Optional)
Access may be restored after incident resolution.
Request:
curl -X DELETE $BASE_URL/users/USER_ID/containers/CONTAINER_ID/block \
-H "Authorization: Bearer YOUR_API_KEY"
Access is restored only for explicitly authorized identities.
Security Properties
This workflow ensures:
-
Immediate revocation of container access
-
Previously authorized users cannot decrypt containers
-
Revocation applies regardless of storage or location
-
Access enforcement is cryptographic and cannot be bypassed
-
Access revocation does not require re-encryption
-
Access policies can be updated dynamically
-
All access attempts are audit logged
-
Containers remain immutable and secure
Comparison to Traditional Incident Response
Traditional incident response relies on:
-
Credential rotation
-
Account disabling
-
Network access controls
These methods cannot prevent access to copied or downloaded files.
Locktera enforces revocation cryptographically.
Unauthorized systems cannot decrypt protected containers even if they possess copies.
Summary
Locktera enables immediate cryptographic revocation of access to sensitive containers in response to security incidents. Access revocation is enforced independently of infrastructure, storage systems, or file distribution. This provides a cryptographic kill-switch that enables rapid incident containment, secure forensic investigation, and controlled recovery, ensuring that sensitive data remains protected at all times.
