Encryption
Verifiable Credentials (VC) can be used to store sensitive information. In such cases, it’s crucial to use encrypted credentials to ensure data privacy and security.
The encryption process is designed so that only the credential subject and the credential issuer have the ability to decrypt the credential. This ensures that sensitive information is only accessible to the relevant parties.
Once the credential is decrypted, it can be verified by anyone. This allows for the credential’s authenticity to be confirmed while still maintaining the privacy of its content.
The process of encryption and decryption can be automated using the Crossmint API and SDK. This provides a seamless and secure way to handle sensitive information within Verifiable Credentials.
NOTE: Encryption will make credential issuance and retrieval slower due to the encryption and decryption process.
Create an encrypted credential template
To issue encrypted credentials, set the encryption field in the template creation request to decentralized-lit.
{
  "metadata": {
    "name": "Template Name",
    "description": "Encrypted credentials template"
  },
  "chain": "polygon",
  "credentials": {
    "type": "MyCustomType",
    "encryption": "decentralized-lit"
  }
}
Credentials issued from this template will be encrypted using the LIT protocol.
Encrypted credential object
An encrypted credential consists of a ‘credentialId’ and a base64-encoded encrypted payload.
{
  "credentialId": "urn:uuid:<credential_id>",
  "payload": "base64_encoded_cipher_text"
}
Retrieve an encrypted credential
All standard retrieval endpoints are available.
GET https://staging.crossmint.com/api/unstable/credentials/{credentialId}
If automatic decryption succeeds, the response object will be:
{
  "encryptedCredential": {
    "credentialId": "urn:uuid:<credential_id>",
    "payload": "base64_encoded_cipher_text"
  },
  "unencryptedCredential": "<CREDENTIAL_OBJ>",
  "decryptionError": undefined
}
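An added example (not Crossmint's code) of how a client might triage the body returned by the retrieval endpoint so that only a decrypted credential ever reaches verification. The field names are those in the response above; the shape of a failed or absent decryption (unencryptedCredential missing, decryptionError set), the handling of a bare encrypted object, and the sample values are assumptions.

```javascript
// Added example: classify the body returned by GET credentials/{credentialId}.
// Field names come from the response shown above; the failure-path shape
// (unencryptedCredential absent, decryptionError set) is an assumption.

const B64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Returns the decoded byte length of a strict base64 string, or -1 if malformed.
function base64ByteLength(s) {
  if (typeof s !== "string" || s.length === 0 || !B64.test(s)) return -1;
  const pad = s.endsWith("==") ? 2 : s.endsWith("=") ? 1 : 0;
  return (s.length / 4) * 3 - pad;
}

function classifyCredentialResponse(requestedId, body) {
  // A bare encrypted object has no wrapper; normalise to the wrapped shape.
  const wrapped = body && body.encryptedCredential ? body : { encryptedCredential: body };
  const enc = wrapped.encryptedCredential;
  if (!enc || typeof enc.credentialId !== "string") {
    return { state: "invalid", reason: "missing encryptedCredential.credentialId" };
  }
  if (enc.credentialId !== requestedId) {
    return { state: "invalid", reason: "credentialId does not match request" };
  }
  const size = base64ByteLength(enc.payload);
  if (size < 0) return { state: "invalid", reason: "payload is not base64" };

  const clear = wrapped.unencryptedCredential;
  if (wrapped.decryptionError == null && clear && typeof clear === "object") {
    // Decrypted: this is the object to hand to signature verification.
    return { state: "decrypted", credential: clear, ciphertextBytes: size };
  }
  // Still ciphertext: never verify or display the payload as a credential.
  return {
    state: "encrypted",
    ciphertextBytes: size,
    reason: wrapped.decryptionError ? String(wrapped.decryptionError) : "not decrypted",
  };
}

// Constructed sample data (not real Crossmint output).
const ID = "urn:uuid:00000000-0000-4000-8000-000000000000";
const SAMPLE_OK = {
  encryptedCredential: { credentialId: ID, payload: "Y2lwaGVydGV4dA==" },
  unencryptedCredential: { id: ID, type: ["VerifiableCredential", "MyCustomType"] },
  decryptionError: undefined,
};
const SAMPLE_BARE = { credentialId: ID, payload: "Y2lwaGVydGV4dA==" };
```

A result in the "encrypted" state means the caller still has to decrypt with the subject or issuer wallet before any verification step.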
Decrypt a credential
It is possible to seamlessly decrypt a credential using the @crossmint/client-sdk-verifiable-credentials SDK.
Only the credential subject and the credential issuer wallets can decrypt the credential.
NOTE: Hitting the GET credentials/{credentialId} endpoint as the issuer will automatically decrypt the credential for you and return both the cleartext and the ciphertext.
Encryption Details
Encryption and decryption are performed leveraging the LIT protocol.
This allows for attribute-based encryption and decryption. During credential creation, the Crossmint API encrypts the credential and sets an access rule that only the credential subject and the credential issuer can decrypt the credential. The Crossmint SDK wraps the LIT protocol to provide a seamless decryption experience. It uses the user’s wallet to authenticate itself to the LIT protocol and then decrypts the credential.