Verifiable Credentials (VCs) can carry sensitive information. In such cases, issue them as encrypted credentials so that the credential's content stays private.

The encryption is set up so that only the credential subject and the credential issuer can decrypt the credential. Sensitive information is therefore accessible only to those two parties.

Once decrypted, the credential can be verified by anyone it is shared with: its authenticity can be confirmed, while the content remains unreadable to everyone who cannot decrypt it.

Encryption and decryption can be automated with the Crossmint API and SDK, which gives a seamless and secure way to handle sensitive information inside Verifiable Credentials.

NOTE: Encryption makes credential issuance and retrieval slower, because every issuance performs an encryption and every retrieval a decryption.

Create an encrypted credential template

To issue encrypted credentials, set the encryption field of the template creation request to decentralized-lit.

{
    "metadata": {
        "name": "Template Name",
        "description": "Encrypted credentials template"
    },
    "chain": "polygon",
    "credentials": {
        "type": "MyCustomType",
        "encryption": "decentralized-lit"
    }
}

Credentials issued from this template are encrypted using the Lit Protocol.

Encrypted credential object

An encrypted credential consists of a credentialId and a base64-encoded encrypted payload (the ciphertext).

{
    "credentialId": "urn:uuid:<credential_id>",
    "payload": "base64_encoded_cipher_text"
}

Retrieve an encrypted credential

All standard retrieval endpoints are available, for example:

GET https://staging.crossmint.com/api/unstable/credentials/{credentialId}

If the API is able to decrypt the credential automatically (see the note under Decrypt a credential), the response object is the following. unencryptedCredential holds the decrypted credential and decryptionError is undefined; when automatic decryption does not succeed, check decryptionError and decrypt the encryptedCredential client-side instead.

{
    "encryptedCredential": {
        "credentialId": "urn:uuid:<credential_id>",
        "payload": "base64_encoded_cipher_text"
    },
    "unencryptedCredential": "<CREDENTIAL_OBJ>",
    "decryptionError": undefined
}

Decrypt a credential

It is possible to seamlessly decrypt a credential using the @crossmint/client-sdk-verifiable-credentials SDK. Only the credential subject's and the credential issuer's wallets can decrypt the credential.

NOTE: Calling the GET credentials/{credentialId} endpoint as the issuer automatically decrypts the credential for you and returns both the cleartext and the ciphertext.
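The following is an added example, not code from Crossmint's documentation or SDK. It retrieves an encrypted credential from the endpoint above and distinguishes the three outcomes a caller can see: the API decrypted it (issuer call), the API returned only the ciphertext (decryptionError set or no cleartext, so the subject must decrypt client-side), or the response is malformed. The X-API-KEY header name, the shape of the `decrypt` callback (stand-in for the SDK's wallet-based decryption), and the sample response are assumptions constructed for the example.

```javascript
// Added example (not Crossmint's own code). Handles the response of
// GET /api/unstable/credentials/{credentialId} for an encrypted credential.
// Assumptions: the API key is sent in an "X-API-KEY" header, and client-side
// decryption is done by a caller-supplied async `decrypt(encryptedCredential)`.

const BASE_URL = "https://staging.crossmint.com/api/unstable";

// credentialId is a UUID URN; payload is base64 ciphertext (page: "urn:uuid:<credential_id>").
const URN_UUID = /^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Shape check for the encrypted credential object before anything is done with it.
function isEncryptedCredential(obj) {
  return obj !== null && typeof obj === "object"
    && typeof obj.credentialId === "string" && URN_UUID.test(obj.credentialId)
    && typeof obj.payload === "string" && obj.payload.length > 0 && BASE64.test(obj.payload);
}

// Classify a retrieval response into "decrypted", "encrypted" or "malformed".
function classifyRetrieval(res) {
  if (!res || !isEncryptedCredential(res.encryptedCredential)) {
    return { status: "malformed", reason: "encryptedCredential missing or not a valid {credentialId, payload}" };
  }
  if (res.unencryptedCredential !== undefined && res.decryptionError === undefined) {
    return { status: "decrypted", credential: res.unencryptedCredential, encrypted: res.encryptedCredential };
  }
  // Server did not (or could not) decrypt: keep the ciphertext and surface the reason.
  return {
    status: "encrypted",
    encrypted: res.encryptedCredential,
    decryptionError: res.decryptionError ?? "not decrypted server-side",
  };
}

// Fetch a credential, then fall back to client-side decryption with the caller's
// wallet when the API returned only the ciphertext. `fetchImpl` is injectable so
// the function can be exercised without network access.
async function fetchCredential(credentialId, apiKey, { fetchImpl = fetch, decrypt } = {}) {
  const r = await fetchImpl(`${BASE_URL}/credentials/${encodeURIComponent(credentialId)}`, {
    headers: { "X-API-KEY": apiKey }, // header name is an assumption
  });
  if (!r.ok) throw new Error(`credential retrieval failed: HTTP ${r.status}`);
  const outcome = classifyRetrieval(await r.json());
  if (outcome.status === "encrypted" && decrypt) {
    // Only the subject or issuer wallet will succeed here; anything else keeps the error.
    return { status: "decrypted", credential: await decrypt(outcome.encrypted), encrypted: outcome.encrypted, via: "client" };
  }
  return outcome;
}

// Constructed sample response (not real API output); payload is base64 of "sample-ciphertext".
const SAMPLE_RESPONSE = {
  encryptedCredential: {
    credentialId: "urn:uuid:123e4567-e89b-12d3-a456-426614174000",
    payload: "c2FtcGxlLWNpcGhlcnRleHQ=",
  },
  unencryptedCredential: {
    type: ["VerifiableCredential", "MyCustomType"],
    credentialSubject: { id: "did:example:subject" },
  },
  decryptionError: undefined,
};

module.exports = { isEncryptedCredential, classifyRetrieval, fetchCredential, SAMPLE_RESPONSE };
```

Treat `status: "encrypted"` as the normal case for a subject-side client: the API only auto-decrypts for the issuer, so the subject passes the encryptedCredential to the SDK's wallet-based decryption.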

Encryption Details

Encryption and decryption are performed using the Lit Protocol.

This gives attribute-based (access-condition based) encryption and decryption. During credential creation, the Crossmint API encrypts the credential and attaches an access rule stating that only the credential subject and the credential issuer may decrypt it. The Crossmint SDK wraps the Lit Protocol to provide a seamless decryption experience: it uses the user's wallet to authenticate to the Lit network and, if the wallet satisfies the access rule, decrypts the credential.
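As an added illustration (not Crossmint's code, and not the exact rule Crossmint attaches, which this page does not publish), the block below builds a Lit Protocol access-control rule in Lit's evmBasic condition format that admits exactly the subject wallet or the issuer wallet, and evaluates it locally for a given caller address. The local evaluator only mirrors the wallet-address check; it does not contact the Lit network, and the addresses are constructed sample values.

```javascript
// Added example (not Crossmint's or Lit's own code). Shows the shape of a
// "subject or issuer" access-control rule in Lit's evmBasic condition format and a
// local evaluator for sanity-checking such a rule before it is attached to a
// ciphertext. Addresses below are constructed sample values.

// In an evmBasic condition, ":userAddress" is substituted by the Lit nodes with the
// address the caller proved ownership of (wallet signature); returnValueTest compares
// it to the expected value. Conditions are joined by explicit { operator } objects.
function subjectOrIssuerConditions(subjectAddress, issuerAddress, chain = "polygon") {
  const wallet = (address) => ({
    contractAddress: "",
    standardContractType: "",
    chain,
    method: "",
    parameters: [":userAddress"],
    returnValueTest: { comparator: "=", value: address },
  });
  return [wallet(subjectAddress), { operator: "or" }, wallet(issuerAddress)];
}

// Evaluate the subset of conditions produced above (":userAddress" equality joined by
// "or"/"and") for one caller. The real check happens on the Lit nodes before they
// release their key shares; this is only a local mirror of that logic.
function evaluateConditions(conditions, userAddress) {
  let result = null;
  let pendingOp = null;
  for (const item of conditions) {
    if ("operator" in item) { pendingOp = item.operator; continue; }
    if (!item.parameters.includes(":userAddress") || item.returnValueTest.comparator !== "=") {
      throw new Error("unsupported condition for local evaluation");
    }
    // EVM addresses are case-insensitive (checksum casing is presentation only).
    const match = item.returnValueTest.value.toLowerCase() === userAddress.toLowerCase();
    if (result === null) result = match;
    else if (pendingOp === "or") result = result || match;
    else if (pendingOp === "and") result = result && match;
    else throw new Error("conditions must be joined by an operator object");
    pendingOp = null;
  }
  return Boolean(result);
}

// Constructed sample wallets (not real subject/issuer addresses).
const SUBJECT = "0x1111111111111111111111111111111111111111";
const ISSUER = "0x2222222222222222222222222222222222222222";
const STRANGER = "0x3333333333333333333333333333333333333333";
const RULE = subjectOrIssuerConditions(SUBJECT, ISSUER);

module.exports = { subjectOrIssuerConditions, evaluateConditions, SUBJECT, ISSUER, STRANGER, RULE };
```

The rule is what makes "only the subject and the issuer can decrypt" enforceable: a third wallet authenticates fine but fails the condition, so the Lit nodes never hand it the key shares needed to decrypt the payload.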