RFC: Client-Side Encryption

[fforbeck]

Preview

Problem: Our current encryption requires users to manage crypto wallets & has no fallback if Lit Protocol is down. This blocks mainstream adoption.

Solution: Add social login authentication (Google/Discord/etc) via Lit Providers + PKPs, and use our Gateway as fallback system that works when Lit is unavailable. Storacha pays all crypto costs transparently.

Key Benefits:

• Zero crypto knowledge needed - users authenticate with existing social accounts
• Browser compatibility - works in web apps, not just Node.js
• Resilient architecture - files accessible even during Lit outages
• Security improvements - fixes current revocation gaps

Impact: Transforms encryption from "developer power-user feature" into mainstream privacy solution that competes with centralized providers on UX while maintaining security through client-side encryption.

[BravoNatalie]

Why not give customers the option to integrate their own KMS solution?
I know it would add some complexity, but it could help reduce our role as a centralized party in the privacy setup, at least from the perspective of our direct customers. It might also lower the cost for them to use private data.

[fforbeck]

Great idea. I just don't know what it would require in terms of time and development effort. I believe we could start simple with one cloud provider’s KMS (e.g., Google KMS). Then, if demand grows, incrementally add Bring Your Own Key as a premium enterprise feature.

[BravoNatalie]

I think that if this is something we might want in the future, then during development we could prioritize implementing it with an interface, and use the Google KMS solution as an adapter. That way, it keeps things flexible and it shouldn’t require too much effort.

[alanshaw]

Do we need to restrict gateway access to Google KMS? Can it also do the Lit flow?

[alanshaw]

Suggestion: offer compliance/hybrid to business plan holders only.

[fforbeck]

I think it makes sense to offer the Compliance tier for Business plan holders only, but the Hybrid tier could be beneficial for Lite users as well, because they will have Lit and may want a fallback strategy that doesn't rely on Lit only. WDYT?

[alanshaw]

Can you speak to how this works? How does Lit know a minted PKP should be added to our allowlist?

[fforbeck]

This is described in section 2.3 Payment Delegation System, but every time a new user is onboarded, we need to send a request to the Payment Delegation System API to include that new PKP as a payee that will consume credits from the Storacha Payer account.

[alanshaw]

The gateway based decryption has been pitched as a fallback if Lit is unavailable up until this point. Is gateway decryption a feature in itself? Can the gateway use Lit also? Why would the gateway not just return the decrypted DEK and let the client do the decryption as before?

So the question is whether "gateway" needs to be a part of this or if we just run a "trusted Lit fallback server" that you make the same request to, should the Lit request fail.

Separately, how does the key get in Google KMS as well as Lit? How does this fallback work?

[fforbeck]

Is gateway decryption a feature in itself?

Yes.

Can the gateway use Lit also?

Gateway could technically use Lit, but the whole point is to keep it as a reliable fallback separate from Lit (in case Lit becomes expensive or unstable).

Why would the gateway not just return the decrypted DEK

Great idea 🔥 We could still do client-side decryption as before, and it would preserve end-to-end encryption. I think it would cut the costs and simplify the decryption flow, the only thing that we would need to implement would be the Access Control - to return the DEK only if that request is authorized to decrypt the content. Also, for enterprise customers, we would need to check the compliance requirements. I liked this approach, sounds better, and we could return the DEK encrypted with the issuer's public key.

[alanshaw]

I guess you are looking for this to land - #60

[fforbeck]

Sweet! That's exactly what we need - I was thinking about limiting this usage to the CLI and SDK, but with this RFC in place, we can enable it for direct HTTP requests. Super cool!

[alanshaw]

You might want to put these in an array to imply a desired ordering?

[alanshaw]

What is it that stops a user going direct to google to get the key?

[fforbeck]

projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/SPACE_ID is just a pointer, not a credential or access token. We control the KMS, and we need to grant access via IAM credentials for our services to access it, so the users can't fetch it.

[alanshaw]

Should this be encrypted with the issuer public key?

[fforbeck]

YES! Good call!

[alanshaw]

What is the difference between LitSDK and Lit Protocol in these diagrams?

[fforbeck]

Same thing. I just missed that after several updates.

[fforbeck]

Do we need to restrict gateway access to Google KMS? Can it also do the Lit flow?

Gateway probably shouldn't decrypt via Lit. The idea is exactly to have a separate, reliable path (via Google KMS) if Lit is down or pricey. Also, mixing Lit into Gateway might complicate compliance stuff for enterprise customers. I think we would need more research to confirm this.

[BravoNatalie]

I think this definition is a bit confusing, especially since the docs also mention that PKPs are NFTs.
So I would also add this:

The PKP is represented as an NFT, and whoever owns this NFT controls the key pair and can set custom signing logic or access rules.
ref: https://developer.litprotocol.com/user-wallets/pkps/quick-start#mint-a-pkp-and-add-permitted-scopes

[BravoNatalie]

I understand that we’re going to sponsor their usage, but I was wondering, beyond the plans that include access to private data, do we have a defined quota for capacity credits included in each plan? And will there be an extra charge if the user exceeds that limit?
Basically, what’s the maximum amount of capacity credits we’re allowing per plan?