Encryption Guide

Overview

Anchora provides multiple encryption options to protect your data. While the blockchain hash proves data integrity, the underlying data can be encrypted to ensure only authorized parties can read it.

• Server-side encryption - Anchora encrypts your data using your provided key
• Client-side encryption - You encrypt data before sending to Anchora
• Zero-knowledge mode - Anchora never sees your plaintext data

Encryption Methods

Anchora supports industry-standard AES-256-GCM encryption for all encrypted records. This provides both confidentiality and authenticity.

Server-Side Encryption

The simplest approach is to let Anchora handle encryption. Provide your encryption key with the request, and Anchora encrypts the data before storing.

curl -X POST https://api.anchora.io/v1/anchor/encrypted \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "patientId": "P-12345",
      "diagnosis": "Confidential medical record",
      "timestamp": "2024-01-31T10:00:00Z"
    },
    "encryptionKey": "your-32-character-encryption-key!!"
  }'

Key Requirements

• Exactly 32 characters (256 bits) for AES-256
• Use a cryptographically secure random generator
• Store keys in a secure key management system (AWS KMS, HashiCorp Vault, etc.)
• Never transmit keys in logs or error messages

Client-Side Encryption

For maximum security, encrypt data on your server before sending to Anchora. This ensures Anchora never sees your plaintext data.

const crypto = require('crypto');

function encryptData(data, key) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(
    'aes-256-gcm',
    Buffer.from(key),
    iv
  );

  let encrypted = cipher.update(
    JSON.stringify(data),
    'utf8',
    'base64'
  );
  encrypted += cipher.final('base64');

  const authTag = cipher.getAuthTag();

  return {
    encrypted: encrypted,
    iv: iv.toString('base64'),
    authTag: authTag.toString('base64')
  };
}

// Encrypt sensitive data
const sensitiveData = {
  ssn: '123-45-6789',
  accountNumber: '9876543210'
};

const encryptionKey = crypto.randomBytes(32);
const encryptedPayload = encryptData(sensitiveData, encryptionKey);

// Send encrypted data to Anchora
const response = await fetch('https://api.anchora.io/v1/anchor', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    data: encryptedPayload,
    metadata: {
      encryptedClientSide: true,
      algorithm: 'AES-256-GCM'
    }
  })
});

Decrypting Records

When retrieving encrypted records, provide your encryption key to decrypt the data.

curl -X GET https://api.anchora.io/v1/records/rec_abc123xyz789 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Encryption-Key: your-32-character-encryption-key!!"

Decryption Response

{
  "recordId": "rec_abc123xyz789",
  "data": {
    "patientId": "P-12345",
    "diagnosis": "Confidential medical record",
    "timestamp": "2024-01-31T10:00:00Z"
  },
  "hash": "0x7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa...",
  "status": "CONFIRMED",
  "encrypted": true
}

Key Rotation

Periodically rotating encryption keys is a security best practice. Anchora supports key rotation without re-anchoring.

curl -X POST https://api.anchora.io/v1/records/rec_abc123xyz789/rotate-key \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "currentKey": "old-32-character-encryption-key!!",
    "newKey": "new-32-character-encryption-key!!"
  }'

Best Practices

• Use a KMS: Store encryption keys in AWS KMS, Google Cloud KMS, or HashiCorp Vault
• Separate keys per record type: Use different keys for different data classifications
• Rotate keys regularly: Rotate keys at least annually or after any security incident
• Audit key access: Log all encryption/decryption operations
• Use client-side encryption for PHI: For HIPAA compliance, encrypt data before it reaches Anchora

Supported Libraries