Announcing Encryption Groups with IAM

Easy Encrypted Sharing for Teams

Collaboration is hard enough without having to worry about security. That’s why Tozny provides both identity management and end-to-end encryption for developers and enterprises alike. In the Tozny platform:

  • Every user has an identity with role-based access control and single sign-on capabilities,
  • Every identity has a strong encryption key for application-layer data privacy, and
  • Users can share encrypted data between each other.

With Tozny, you always know who you are collaborating with, and you know that the data you’re sharing is secure.

As part of our ongoing effort to make the easiest possible software development kits for end-to-end encryption, we’re excited to announce we’ve recently added Encryption Groups to the platform. Now you can do end-to-end sharing of structured data or unstructured objects within trust groups, and leverage identity and key management for other protocols like WebRTC.

Encryption Groups can be anything: for example, participants in a video conference, administrators sharing API keys, or researchers in medical trials accessing sensitive data.

Sharing Between People Without Groups

With our TozStore product, all data is end-to-end encrypted, and by default, no one but the owner can access the data. Writing an encrypted record is easy. Tozny takes care of both the asymmetric key management and the symmetric key generation, as well as encryption and data signing:

    record_type = 'contact'
    data = {
        'first_name': 'Alice',
        'last_name': 'Snow',
        'phone': '555-555-1212'
    }
    # The SDK generates the symmetric key, encrypts, and signs the record
    record = client.write(record_type, data)

Then sharing that record with a trusted party is even simpler. TozStore takes care of all the key management, including fetching and verifying the other party’s public key:

    client.share(record_type, "")

Sharing with Encryption Groups

But secure sharing isn’t just between individuals. More and more, we are sharing private or sensitive data among teams, friends, and family. That’s why we’ve added Encryption Groups.

Encryption Groups extends our one-on-one sharing interface with a simple group management capability. Any identity in our system can create a sharing group, add parties to that group, and share data among parties.

    my_friends = ["",
                  "",
                  ""]
    client.createGroup("friends")
    client.addToGroup("friends", my_friends)
    client.shareWithGroup(record_type, "friends")

The creator of a group becomes its manager automatically and can add and remove members or share and unshare data. Enterprise users can have a designated administrator key included in a group automatically. Encryption enforces access control, and is backed up with user-based and role-based API controls.

Encryption Groups provides a flexible but straightforward interface for developers to build complex end-to-end encryption applications without being an encryption expert.

Interfacing with WebRTC Video or Other Protocols

Let’s say that you already have an encryption protocol, but you still need identity management, key management, and group key exchange. For instance, a streaming protocol like WebRTC has a well-defined framework for end-to-end encryption of streaming data, but there is no universal or standardized protocol for key establishment and generation across different clients (browsers, apps) running on different platforms (Windows, Mac, server side). Our new SDKs leverage the asymmetric group key for establishment and reestablishment of symmetric keys, and group management automatically does the re-keying when removing members.

    client.addToGroup("call_group", my_friends)
    session_key = client.currentSessionKey("group_call")
    # Each client can now use the group session key

    client.removeFromGroup("")
    session_key = client.currentSessionKey("group_call")
    # Each client can now use the group session key

With Tozny’s platform, you can leverage identity management, end user keys, and Encryption Groups to interface with any crypto system.

Cryptographic Approach

Every identity in TozID has its own asymmetric keypairs, even identities whose keypairs are derived from passwords. This means that every user can encrypt, sign, and securely share data. Our SDKs make this possible by handling key management automatically, e.g., within the secure enclave of mobile devices for end users or in a network KMS for services.

For bulk encryption, we use fast symmetric keys, and for access control, we use intermediate keys called “access keys”. Put simply, we’ve extended the protocol to include group asymmetric keys. Each group member receives an encrypted copy of the group key. All encrypted keys are stored and managed via our API, making key management automatic.

With this approach, it’s easy for end-users since key management is automatic (or in some cases, their password gets converted to a key). It uses simple standard cryptographic primitives, it’s fast due to the use of symmetric encryption, and it doesn’t require re-encryption of data objects that may be stored long-term. All of this leads to efficiency and simplicity.
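The group-key pattern described above, and the re-keying on member removal from the WebRTC section, as an added Node.js sketch that is not Tozny's SDK or protocol. The primitives (X25519, HKDF-SHA256, AES-256-GCM), the rotate-the-group-keypair approach to re-keying, and the names `seal`, `open`, `createGroup`, `groupKeyFor` and `demo` are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
// Key-encryption key from X25519 ECDH + HKDF-SHA256 (primitives assumed for illustration).
const kek = (privateKey, publicKey) => Buffer.from(crypto.hkdfSync('sha256',
  crypto.diffieHellman({ privateKey, publicKey }), Buffer.alloc(0), 'group-wrap', 32));

// Seal a secret to a public key with an ephemeral keypair and AES-256-GCM.
function seal(recipientPub, secret) {
  const eph = crypto.generateKeyPairSync('x25519');
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kek(eph.privateKey, recipientPub), iv);
  const ct = Buffer.concat([c.update(secret), c.final()]);
  return { ephPub: eph.publicKey, iv, ct, tag: c.getAuthTag() };
}

// Open a sealed secret; throws if the private key is wrong or the box was altered.
function open(recipientPriv, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek(recipientPriv, box.ephPub), box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// New group keypair; each member gets the group private key sealed to their own public key.
function createGroup(memberPubs) {
  const g = crypto.generateKeyPairSync('x25519');
  const der = g.privateKey.export({ type: 'pkcs8', format: 'der' });
  const copies = Object.fromEntries(
    Object.entries(memberPubs).map(([name, pub]) => [name, seal(pub, der)]));
  return { publicKey: g.publicKey, copies };
}

// A member recovers the group private key from their encrypted copy.
const groupKeyFor = (group, name, priv) => crypto.createPrivateKey(
  { key: open(priv, group.copies[name]), format: 'der', type: 'pkcs8' });

function demo() {
  const users = Object.fromEntries(['alice', 'bob', 'carol'] // constructed identities
    .map((n) => [n, crypto.generateKeyPairSync('x25519')]));
  const pubs = (names) => Object.fromEntries(names.map((n) => [n, users[n].publicKey]));
  let group = createGroup(pubs(['alice', 'bob', 'carol']));
  const s1 = crypto.randomBytes(32), box1 = seal(group.publicKey, s1);
  const carolOld = groupKeyFor(group, 'carol', users.carol.privateKey);
  const carolBefore = open(carolOld, box1).equals(s1);
  group = createGroup(pubs(['alice', 'bob'])); // carol removed: rotate group key
  const s2 = crypto.randomBytes(32), box2 = seal(group.publicKey, s2);
  const bobAfter = open(groupKeyFor(group, 'bob', users.bob.privateKey), box2).equals(s2);
  let carolAfter = true;
  try { open(carolOld, box2); } catch { carolAfter = false; }
  return { carolBefore, bobAfter, carolAfter };
}
```

`demo()` shows that a removed member who kept the old group private key can still open the old session key but fails authentication on the new one, which is why the session key must be replaced along with the group key.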


Whether you’re sharing sensitive files, API keys, or streaming video, Tozny’s new Encryption Groups feature will simplify complex key management and distribution for your end-user application or your enterprise users. Drop us a line at to chat about how we can help make your users and data more secure.