Read revocation

Admins revoke read access to future messages submitted to the bucket by generating a new bucket key pair and instructing contributors to encrypt to the new public encryption key (PKB’). They then redistribute the new bucket-level decryption key (SKB’) to the users who should retain read access. This distribution message is itself encrypted to PKB’ as well, so that it is readable by the post-rotation set of Readers but not by the Readers being removed.

Readers who are not given SKB’ can still decrypt the messages they previously had access to, but not new ones. Newly added Readers can be given access to historical data in one of two ways: the SKB’ distribution message can include every previously used decryption key, or each distribution message for a new decryption key SKB’ can include only the previous decryption key SKB, in which case a Reader holding the newest key recovers older keys by walking back through the distribution messages one rotation at a time.
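The rotation described above, as an added example that is not part of the original page and does not reproduce the project's own code. It assumes the `cryptography` package and a hypothetical wire format: bucket messages are sealed to the current PKB with ephemeral X25519 + HKDF-SHA256 + ChaCha20-Poly1305; SKB’ is handed to each retained Reader sealed to that Reader's own key (the per-Reader transport is an assumption); and, on every rotation, the admin posts a "chain" message to the bucket sealed to PKB’ that carries the previous SKB, which is the second of the two history-access options. The scenario revokes Bob, keeps Alice, and adds Carol after the rotation.

```python
"""Bucket key rotation for read revocation (added illustration; format is hypothetical)."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat, PublicFormat

RAW = Encoding.Raw


def keygen():
    """Return (secret, public) raw 32-byte X25519 key material."""
    sk = X25519PrivateKey.generate()
    return (sk.private_bytes(RAW, PrivateFormat.Raw, NoEncryption()),
            sk.public_key().public_bytes(RAW, PublicFormat.Raw))


def seal(recipient_pk, plaintext):
    """Public-key encrypt to a raw X25519 key. Assumed layout: eph_pk(32) || nonce(12) || ct+tag."""
    eph = X25519PrivateKey.generate()
    eph_pk = eph.public_key().public_bytes(RAW, PublicFormat.Raw)
    shared = eph.exchange(X25519PublicKey.from_public_bytes(recipient_pk))
    key = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
               info=b"bucket-seal" + eph_pk + recipient_pk).derive(shared)
    nonce = os.urandom(12)
    return eph_pk + nonce + ChaCha20Poly1305(key).encrypt(nonce, plaintext, eph_pk)


def open_sealed(recipient_sk, blob):
    """Inverse of seal(); raises InvalidTag when recipient_sk is not the matching key."""
    eph_pk, nonce, ct = blob[:32], blob[32:44], blob[44:]
    sk = X25519PrivateKey.from_private_bytes(recipient_sk)
    recipient_pk = sk.public_key().public_bytes(RAW, PublicFormat.Raw)
    shared = sk.exchange(X25519PublicKey.from_public_bytes(eph_pk))
    key = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
               info=b"bucket-seal" + eph_pk + recipient_pk).derive(shared)
    return ChaCha20Poly1305(key).decrypt(nonce, ct, eph_pk)


def try_open(sk, blob):
    """Decrypt or return None: the revoked Reader's stale SKB must fail here, not leak."""
    try:
        return open_sealed(sk, blob)
    except InvalidTag:
        return None


class Bucket:
    """Admin-side keys plus the append-only log that contributors and Readers see."""

    def __init__(self):
        self.epoch, self.skb, self.pkb, self.log = 0, {}, {}, []  # log: (epoch, kind, blob)
        self.rotate()

    def rotate(self):
        """New bucket key pair (epoch is a 1-byte counter here). The chain message is
        sealed to the new PKB and carries the previous SKB, so holders of SKB' can
        walk back to older epochs while holders of only the old SKB cannot move forward."""
        prev = self.skb.get(self.epoch)
        self.epoch += 1
        self.skb[self.epoch], self.pkb[self.epoch] = keygen()
        if prev is not None:
            self.log.append((self.epoch, "chain", seal(self.pkb[self.epoch], prev)))
        return self.epoch

    def submit(self, plaintext):
        """Contributor path: always encrypt to the current PKB."""
        self.log.append((self.epoch, "msg", seal(self.pkb[self.epoch], plaintext)))

    def distribute(self, reader_pk):
        """Admin path: hand the current SKB to one Reader, sealed to that Reader's key."""
        return seal(reader_pk, bytes([self.epoch]) + self.skb[self.epoch])


class Reader:
    def __init__(self):
        self.sk, self.pk = keygen()
        self.keys = {}  # epoch -> SKB this Reader holds

    def receive(self, distribution_blob, bucket):
        """Unwrap SKB for one epoch, then follow chain messages back to recover older SKBs."""
        payload = open_sealed(self.sk, distribution_blob)
        epoch, skb = payload[0], payload[1:]
        self.keys[epoch] = skb
        while epoch > 1:
            chain = [b for e, kind, b in bucket.log if e == epoch and kind == "chain"]
            if not chain:
                break
            epoch, skb = epoch - 1, open_sealed(skb, chain[0])
            self.keys[epoch] = skb

    def read_all(self, bucket):
        """epoch -> plaintexts; None where this Reader lacks the key or decryption fails."""
        out = {}
        for epoch, kind, blob in bucket.log:
            if kind == "msg":
                key = self.keys.get(epoch)
                out.setdefault(epoch, []).append(try_open(key, blob) if key else None)
        return out


def scenario():
    """Constructed run: Alice and Bob read epoch 1; Bob is revoked; Carol joins at epoch 2."""
    bucket, alice, bob, carol = Bucket(), Reader(), Reader(), Reader()
    bucket.submit(b"m1: visible to the original Readers")
    alice.receive(bucket.distribute(alice.pk), bucket)
    bob.receive(bucket.distribute(bob.pk), bucket)
    bucket.rotate()                                      # PKB' published; Bob gets no SKB'
    alice.receive(bucket.distribute(alice.pk), bucket)
    bucket.submit(b"m2: only for the post-rotation Readers")
    carol.receive(bucket.distribute(carol.pk), bucket)   # SKB' plus chain -> SKB
    return bucket, alice, bob, carol
```

Bob's stale SKB does not merely "miss" the epoch-2 message: trying it against that ciphertext fails the Poly1305 tag check, which is what `try_open` returning `None` demonstrates. Carol, given only SKB’, recovers SKB by opening the chain message, which is the walk-back the second history-access option relies on.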
