Explain how data encryption works with IPFS.

[johnnymatthews]

IPFS deals with encryption in interesting ways. We need a general overview of how IPFS manages encryption, including:

• Where data is and is not encrypted.
• The difference between transport encryption and content encryption.
• Why IPFS doesn't include encryption at rest.
• Examples of projects that are using IPFS with encrypted data.

This overview should be similar in size and layout to the IPFS Gateway overview. This bounty will likely lead to further investigation and research bounties regarding IPFS encryption.

[autonome]

I'd love to see:

• Diagram of where data is and is not encrypted as it enters and leaves the network by default
• Explanation of transport encryption vs content encryption
• List of example use-cases for which people want content encrypted
• Recommendations for best practices for encrypting data for publication/sharing on IPFS
• Pointers to examples where people building with IPFS have implemented these approaches

Having this in a cookbook format might be really helpful, where builders can read through various recipes.

Having a number of examples for existing common tools and frameworks would be ideal.

[autonome]

@carsonfarmer told a good story about how they're doing encrypted content in Textile, should def reach out for input and source material.

[jessicaschilling]

FYI - @ericlscace might be worth contacting about writing this if we can't do in-house (believe it's in his past professional wheelhouse).

[johnnymatthews]

I actually already had @EricLScace in mind! Pinged him an email yesterday with some initial details. Eric if you're reading this, this is the issue I was talking about :)

[EricLScace]

Emailed you back, Johnny. Let's talk later today/tomorrow.

[carsonfarmer]

Cool yes happy to help out there. Additionally, see this discussion re: IPLD signatures and encryption. There's some traction there that myself and @oed have been pursuing more generally: https://github.com/ipld/js-codec-interface/issues/5

[autonome]

See also ipfs/notes#270

[EricLScace]

@carsonfarmer Thanks for those links. I'll give them a close read before preparing this document. The plan is first to prepare something that explains why IPFS doesn't encrypt data at rest on behalf of the data's users... and to differentiate between encryption at rest vs encryption while in transit. A separate second document (or set of documents) will look into best practices for protecting data in IPFS to the level needed by the nature of the data.

I would value your review of both as each gets into a useful-to-look-at state.

[carsonfarmer]

Happy to review when ready 👍

[ianopolous]

If you want to reference a design for encrypted content on ipfs that has been audited by professional cryptographers (super important for anything in this space), then have a look at Peergos. It also includes access control (granting and revoking R, RW or making public), trustless servers and privacy focused sovereign identity. https://book.peergos.org https://github.com/peergos/peergos

[johnnymatthews]

How's progress @EricLScace?

[yusefnapora]

Here's a link to the dag-jose explainer we talked about in the sync meeting: https://www.memoryandthought.me/golang,/ipfs/2020/09/04/dag-jose-project.html

Also the js implementation repo: https://github.com/ceramicnetwork/js-dag-jose#jwe-encryption-usage

[johnnymatthews]

Tasks

Page set up

• [x] Create a new section header in concepts/privacy called Encryption.
• [x] Rename concepts/privacy to concepts/privacy-and-encryption.
  • [x] Edit the title of the page to Privacy and encryption.
• [x] Add a redirect for /concepts/privacy to /concepts/privacy-and-encryption.
• [x] Update sidebar link to reflect the name and title change.

Encryption content

• [ ] Explain:
  • [x] Where data is and is not encrypted.
    • [ ] Diagram showing where data is and is not encrypted as it enters and leaves the network. This can be created in excalidraw.com
  • [x] The difference between transport encryption and content encryption.
  • [x] Why IPFS doesn't include encryption at rest.
  • [x] Recommendations/best practices for encrypting data for publication/sharing on IPFS.
  • [x] Examples of projects that are using IPFS with encrypted data.