The Storage Kit
Discontinuation Notice!
Important: Please be informed that, beginning in December 2023, the Storage Kit will no longer receive new features. Furthermore, the Storage Kit is planned for discontinuation by the end of Q3 2024.
However, all functionalities offered by the Storage Kit will be integrated into our new libraries, APIs, and apps in the walt.id identity repo, giving you more modularity, flexibility and ease-of-use to build end-to-end digital identity and wallet solutions.
Read the transition guide here.
For any clarification or queries, feel free to contact us as we aim to make this transition as smooth as possible.
We are excited to announce the Storage Kit - a zero trust solution for all things data storage and data sharing. In other words, this new product enables encrypted and distributed data storage as well as privacy-preserving data sharing. It can be used to store keys, identity data or other secrets on servers and edge devices and it can underpin any application.
Following the SSI Kit (which makes it easy for developers to use Self-Sovereign Identity) and the Wallet Kit (which enables developers to launch identity wallets and supercharge apps with SSI capabilities), we are expanding our portfolio with an infrastructure tool that complements our existing products but can also be used as a stand-alone storage solution by any third party application.
Let’s dive in ...
The Data Control Dilemma (or Why we built the Storage Kit)
One of the main promises of Decentralized Identity is to give people and organizations control over their data. The idea is to replace the current digital identity paradigm - in which our data is fragmented and locked into hundreds of databases controlled by service providers - with a user-centric approach that allows us to control and “bring our own identity”. (You can read more about this topic and Self-Sovereign Identity here.)
The problem is that even in user-centric systems, data control is not guaranteed, because such systems can be implemented in different ways. At the end of the day, everything hinges on the way we manage our private keys and, by extension, our identity data and digital assets like NFTs. In other words, we need to look at the different types of applications (“wallets”) we use to manage keys:
Custodial wallets - Keys are stored by a service provider, which makes custodial wallets convenient and easy to use (e.g. key recovery, data back-up, insurance). However, users depend on a service provider who may charge fees or experience security incidents.
Non-custodial wallets - Keys are under the sole control of the user, often stored directly on a mobile device. While this approach ensures independence from third parties, users have to take care of their keys and data themselves. Simply put, there is no one a user can call if something goes wrong.
We believe that many people, particularly less technical groups, will use custodial wallets. (This is why we launched the Wallet Kit, which can turn any application into a custodial wallet.) However, we also believe that it is important to make sure that people have as much control over their data as possible. The goal is to offer users the advantages of custodial wallets without the drawbacks. We must strive towards the optimal balance between convenience and control. In particular, we must minimize vendor dependence, avoid lock-in effects, mitigate security risks and prevent opportunities for malicious behavior (e.g. data misuse) on the side of service providers.
We built the Storage Kit as a solution to this Data Control Dilemma. It offers developers a way to enable non-custodial or hybrid wallets that can leverage encrypted custodial storage (server-side) for secrets like additional keys or identity data.
What is the Storage Kit?
The Storage Kit offers a zero trust data storage infrastructure for any application. The fact that it takes away the need to trust service providers like custodial wallet vendors (hence “zero trust”) is crucial for balancing convenience with data control (what we called the “Data Control Dilemma”). The following capabilities and examples illustrate this:
Control: Users enjoy data portability so that they can switch service providers at any time which avoids lock-in effects, minimizes users’ dependence and creates a healthy balance of power between users and service providers.
Security: Data is encrypted at rest and in transit as well as scattered into chunks which are stored in a distributed fashion, so that neither software nor hardware providers can utilize data even if they wanted to. Moreover, data integrity is protected everywhere. Encryption is used as a means to mitigate security risk and prevent opportunities for malicious behavior.
Privacy: Encrypted search, selective disclosure and zero-knowledge proofs (ZKPs) enable diverse ways for sharing data in a privacy-preserving way for potentially any use case.
Compliance: Alignment with regulatory requirements facilitates compliance with data protection regulations like the GDPR, such as by encoding consent-driven data sharing and the ability to withdraw consent at any time. [1]
On top of that, the Storage Kit is simply a powerful, all-in-one data storage solution that surpasses traditional storage products (like SQL databases) based on a diverse set of features which are delivered out-of-the-box such as:
Vault replication - e.g. backup to multiple vaults; zero-downtime reliability and availability through redundancy over multiple vaults; load balancing with custom strategies.
Client replication - e.g. multi-client and multi-device support; backup and seamless data sharing over multiple clients.
Notifications - incl. selective auditing for vaults (clients may opt-in to notification channels).
Important things you need to know about the Storage Kit:
It is written in Kotlin/Java. It can be directly integrated (Maven/Gradle dependency) or run as a RESTful web-service. A CLI tool allows you to run all functions manually.
It is open source (Apache 2). You can use the code for free and without strings attached.
It abstracts complexity and low-level functionality via different interfaces (CLI, APIs).
It is a holistic solution that allows you to build use cases “end-to-end”. There is no need to research, combine or tweak different libraries to build pilots or production systems.
It is modular, composable and built on open standards allowing you to customize and extend functionality with your own or third party implementations and to prevent lock-in.
It is flexible in the sense that you can deploy and run it on-premise, in your (multi) cloud environment or as a library in your application.
How does it work?
The Storage Kit is an infrastructure product that enables encrypted and distributed data storage as well as privacy-preserving data sharing. It can be used to store keys, identity data or other secrets on servers or edge devices like smartphones and it can underpin any application like wallets.
From a more technical perspective, the Storage Kit enables the set-up of “Vaults” (also called Confidential Data Stores, Encrypted Data Vaults (EDVs) or Identity Hubs), which are created through client requests and can be hosted by different storage providers. A user can use one or multiple clients to access their Vaults from one or multiple devices. Each client may be connected to one or multiple Vaults. Also, different services may access Vaults based on users’ authorizations.
Looking at the architecture from a functional perspective, the Storage Kit can be segmented into three layers:
Layer 1 consists of a client-server system with capabilities for data encryption.
Layer 2 consists of a system for sharing data, versioning, replication and privacy-preserving search.
Layer 3 consists of high-level server-side functions like notifications.
You can find more technical information in our documentation.
Relation to our other Products
We believe in a multi-ecosystem future such that there will be a diversity of identity ecosystems which differ in various ways - from the technologies they employ (e.g. blockchains) to the rules and incentive structures by which they are governed. As a result, we designed our products to be as open, flexible and composable as possible in order to integrate and abstract potentially any ecosystem in the future.
Consequently, our products already provide an abstraction layer for key and data storage which allows you to choose between our “built-in” implementations (e.g. file and database storage) or any third party solutions (e.g. hardware security modules/HSM).
Now, the Storage Kit gives you a new data storage infrastructure to choose from and a way to enhance our other products like the SSI Kit or Wallet Kit. At the end of the day, it is a powerful, zero trust alternative to third party data storage solutions and you can deploy it on any hardware or use our managed cloud service without having to worry about data control, data breaches, misuse or lock-in effects.
How to get started?
You can get started with the Storage Kit in two different ways:
Self-Managed: Deploy the Storage Kit on-premise or in your cloud environments and connect your applications via the REST APIs or integrate our libs directly with your applications or simply run it from the console via the CLI tool. Check out our GitHub for more info.
Managed Service: We deploy, run and maintain the Storage Kit for you and make it accessible via high-level APIs so you do not need to worry about anything.
In any case, we offer a broad range of services to make life easier for you like consulting, development / integration of pilots and production systems or technical support.
Want to learn more?
Contact us - we are happy to help.
[1] General Data Protection Regulation: Article 15 - Right of access by the data subject: Clients may access all data stored in their vault at any time; Article 16 - Right to rectification: Clients may update their data stored in their vault at any time, with your applications automatically using the new, corrected data; Article 17 - Right to erasure: Clients can delete their vault at any time; Article 18 - Right to restriction of processing: Clients may withdraw consent for specific services of yours at any time; Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing: Clients can easily opt-in to notifications concerning all updates of data in their vaults; Article 20 - Right to data portability: Clients may read the information stored about them at any time; Article 21 - Right to object: Clients may withdraw consent for specific services of yours at any time; Article 22 - Automated individual decision-making, including profiling: Clients may withdraw consent for specific services of yours at any time.