Core Concepts

Application Level Encryption

TozStore provides application-level encryption, which secures your data for its entire life-cycle. Data gets encrypted where it is generated (written) and decrypted where it is consumed (read), providing end-to-end encryption. Data records are encrypted individually, providing powerful, fine-grained access control for sharing and revoking access to data. As a result, the data carries its own security no matter what infrastructure it crosses. Even if data were to leak outside of network infrastructure, gets backed up to an insecure location, or is hacked by an online adversary, the encrypted data remains secure.

Systems that take advantage of encryption to strengthen security typically use infrastructure-level encryption, but not application-level encryption. With infrastructure-level encryption networking or database infrastructure is encrypted, and so data is protected within the infrastructure; however, when the data leaves this infrastructure, or the infrastructure is compromised, security is lost. Infrastructure-level encryption approaches, like Virtual Private Networks (VPNs), protect data in transit and can control access to a network. Anyone with access to the network, has access to the services and all data within those services. Data will no longer be secure if data leaks outside of the network infrastructure or an attacker bypasses standard access control mechanisms.

Application-level encryption provides greater security than infrastructure-level encryption, because the data itself is protected through encryption.

TozStore makes end to end encryption easy with our SDK's and backend platform. The SDK's handle all of the hard parts of application-level encryption for you, so you build your application knowing its data will be secure. Tozny does not have access to your encryption keys and cannot read, recover, or decrypt your data. The real time encryption services provided by Tozny allow you protect plain text, json objects, or large files with minimal overhead. Use TozStore as a second database in your applications for all of your sensitive information.

TozStore can be used as a real time key value store for your sensitive information. Simply store the returned record ID and use our SDK's to compute on the data at run time.

How is your data secured?

We've gone over how data in TozStore is structured, but glossed over the internals of how this data is secured. Three main keys are used to encrypt and protect your data; they are your client key, the access key, and the data key. Starting from the lowest level your data comes in as a plain-text string map.

my_data = { 'key_1':'value_1' , 'key_2':'value_2', 'key_3':'value_3', ... }

From here a symmetric data key is generated for each of the fields in your data object, and it is used to encrypt the incoming plaintext value.

encrypted_value_1 = encrypt(datakey_1, value_1)
encrypted_value_2 = encrypt(datakey_2, value_2)
encrypted_value_3 = encrypt(datakey_3, value_3)

Each data key is then encrypted with the record-type level access key, and stored along with the data.

Finally, the client key is used to encrypt the access key. This encrypted access key is stored in TozStore and associated with a specific record type. The access key can be pulled down later and be used to encrypt future records that share the same record type. The Client private key is maintained and kept a secret by you, the user of the SDK. This ensures that you are the sole owner of the data written to TozStore. No one else is able to decrypt and see the data within TozStore, but you can give access to other users through sharing.

Data Ownership

You are the sole owner of any data that you write to TozStore. More specifically the client that writes data is the only client who can decrypt that data. This is important to remember when creating applications; for example, each device using a mobile application that leverages TozStore will be the only device that can decrypt that data. If another service, your backend, needs to access that data, then access will have to be shared from the device client to your backend client.

To read data between clients, the writer of the data must share records with the reader. All TozStore SDK's provide services to share (and revoke) records between clients.


Our platform allows you to share your encrypted data without needing to send the encrypted data, or worse un-encrypted data, directly to a third party. Instead you can both leverage TozStore to read encrypted data directly from our database. The platform shares records linked by their record type with another client in TozStore. When you share with other users, behind the scenes you're pulling down the encrypted access key from TozStore, decrypting it, and re-encrypting it with the public key of the client you want to share the records with. This new encrypted key, along with an access control policy, is placed into TozStore allowing the third party client to download and decrypt your records. This way you have full control over your data, and it remains encrypted until you or an authorized party decrypts it locally with your respective private keys. See it in action here.

Last updated