Overview
Anchora provides multiple encryption options to protect your data. While the blockchain hash proves data integrity, the underlying data can be encrypted to ensure only authorized parties can read it.
- Server-side encryption - Anchora encrypts your data using your provided key
- Client-side encryption - You encrypt data before sending to Anchora
- Zero-knowledge mode - Anchora never sees your plaintext data
Encryption Methods
Anchora supports industry-standard AES-256-GCM encryption for all encrypted records. This provides both confidentiality and authenticity.
| Method | Algorithm | Key Length |
|---|---|---|
| Default | AES-256-GCM-PBKDF2 | 32-64 characters |
Server-Side Encryption
The simplest approach is to let Anchora handle encryption. Provide your encryption key with the request, and Anchora encrypts the data before storing.
```bash
curl -X POST https://api.anchora.co.in/v1/anchor/encrypted \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "patientId": "P-12345",
      "diagnosis": "Confidential medical record",
      "timestamp": "2024-01-31T10:00:00Z"
    },
    "encryptionKey": "your-32-character-encryption-key!!"
  }'
```
Key Requirements
- 32-64 characters for AES-256-GCM-PBKDF2
- Use a cryptographically secure random generator
- Store keys in a secure key management system (AWS KMS, HashiCorp Vault, etc.)
- Never write keys to logs or error messages
Client-Side Encryption
For maximum security, encrypt data on your server before sending to Anchora. This ensures Anchora never sees your plaintext data.
```javascript
const crypto = require('crypto');

// Placeholder: load your Anchora API key from your own secret store
const apiKey = process.env.ANCHORA_API_KEY;

// Encrypt a JSON-serializable object with AES-256-GCM; `key` is a 32-byte Buffer
function encryptData(data, key) {
  // Fresh random 96-bit IV per message, the size recommended for GCM
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv);

  let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'base64');
  encrypted += cipher.final('base64');

  const authTag = cipher.getAuthTag();

  return {
    encrypted: encrypted,
    iv: iv.toString('base64'),
    authTag: authTag.toString('base64')
  };
}

async function main() {
  // Encrypt sensitive data
  const sensitiveData = {
    ssn: '123-45-6789',
    accountNumber: '9876543210'
  };

  // Keep this key in your KMS; without it the record cannot be decrypted
  const encryptionKey = crypto.randomBytes(32);
  const encryptedPayload = encryptData(sensitiveData, encryptionKey);

  // Send encrypted data to Anchora
  const response = await fetch('https://api.anchora.co.in/v1/anchor', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      data: encryptedPayload,
      metadata: {
        encryptedClientSide: true,
        algorithm: 'AES-256-GCM'
      }
    })
  });
  return response;
}

main().catch(console.error);
```
Decrypting Records
When retrieving encrypted records, provide your encryption key to decrypt the data.
```bash
curl -X POST https://api.anchora.co.in/v1/records/507f1f77bcf86cd799439011/decrypt \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "encryptionKey": "your-32-char-minimum-encryption-key-here"
  }'
```
Decryption Response
```json
{
  "success": true,
  "data": {
    "patientId": "P-12345",
    "diagnosis": "Confidential medical record",
    "timestamp": "2024-01-31T10:00:00Z"
  }
}
```
Key Rotation
Periodically rotating encryption keys is a security best practice. To rotate keys, decrypt the record with the old key and re-anchor with a new key. The blockchain hash remains unchanged since it was computed from the original plaintext.
```javascript
// Placeholder: load your Anchora API key from your own secret store
const apiKey = process.env.ANCHORA_API_KEY;

// Step 1: Decrypt with the old key
const decrypted = await fetch(
  'https://api.anchora.co.in/v1/records/507f1f77bcf86cd799439011/decrypt',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      encryptionKey: 'old-32-character-encryption-key!!'
    })
  }
);

// Step 2: Update mutable fields with the new key
const updated = await fetch(
  'https://api.anchora.co.in/v1/records/507f1f77bcf86cd799439011/mutable',
  {
    method: 'PUT',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      updates: { /* your mutable fields */ },
      encryptionKey: 'new-32-character-encryption-key!!'
    })
  }
);
```
Best Practices
- Use a KMS: Store encryption keys in AWS KMS, Google Cloud KMS, or HashiCorp Vault
- Separate keys per record type: Use different keys for different data classifications
- Rotate keys regularly: Rotate keys at least annually or after any security incident
- Audit key access: Log all encryption/decryption operations
- Use client-side encryption for PHI: For HIPAA compliance, encrypt data before it reaches Anchora
Supported Libraries
| Language | Library | Notes |
|---|---|---|
| Node.js | crypto (built-in) | Recommended |
| Python | cryptography | pip install cryptography |
| Java | javax.crypto | Built-in JCE |
| Go | crypto/aes | Standard library |
| .NET | System.Security.Cryptography | Built-in |