We are proud to announce the release of our latest product, InnoVault
– a toolkit that enables developers building websites, apps, and other software to easily embed end-to-end encryption for data security and privacy. 2016 saw a 40% increase in data breaches
over 2015, and the team here at Tozny decided we wanted to do something about it. InnoVault is our answer to protecting user data with the same type of robust measures already used for credit cards, but too often left off of other user data.
We see this as a natural fit for developers who are collecting user data as part of registrations, form submissions, and data sharing over the web. The toolkit is engineered to be developer-friendly and can be set up in a matter of minutes. A few lines of code, tagging the data for protection, and you’re all set to go. InnoVault has a set of software development kits (SDKs) and an accompanying API, which developers can sign up to utilize. Developers can select an SDK in their preferred language, install the library into their code, and utilize simple functions for complex encryption, key management, and policy management. Currently, available SDKs are Java, Ruby, and Go
; we will be releasing additional SDKs over the Summer and Fall. Want to make sure we cover your favorite language? Reach out
, and we can prioritize based on customer requests.
InnoVault is built on Tozny’s E3DB technology
that was developed as part of a 2-year collaborative agreement with NIST. The underlying technology is used by pilot partners under the NIST agreement to secure private data being generated within transit systems, smart buildings, and medical devices. InnoVault packages the E3DB technology for easy use by developers and is available with both free and paid tiers.
InnoVault went live today and you can sign up for your free account by visiting InnoVault’s Website.
How it Works
The InnoVault Web SDK captures Personally Identifiable Information (PII) from HTML forms, encrypts that information in the browser, and stores it such that you can process that information without ever needing to store the PII anywhere but in the InnoVault database.
InnoVault uses Tozny’s end-to-end encryption storage solution, E3DB, to store PII. With end-to-end encryption, your systems and only
your systems have access to the clear text data. You can access the PII stored in a Form using one of Tozny’s E3DB clients. A command-line client is available, as well as SDKs for Ruby, Go, and Java.
and annotate the fields you want to encrypt with “data-innovault-type” or download a complete one-page HTML example.
<form data-innovault-token="REPLACE_WITH_FORM_TOKEN_FROM_CONSOLE" method="post" action="https://yoursite.example/contact">
<input type="text" name="fullname">
<input type="text" data-innovault-type="dob">
<input type="text" data-innovault-type="ssn">
Now when your users submit data, these data elements will be end-to-end encrypted. Our web
library gives you complete control over form submission, so read below for more information about that.
Back End (CLI)
For testing and basic reading and writing, you can use the E3DB command-line client
. Save your secret client key
in ~/.tozny/e3db.json, then when you’re ready to read records, you can run:
> e3db ls -jd -t pii
Back End (Ruby)
Of course, you probably want to handle your form data programmatically using one of the E3DB code libraries
. Save your secret client key
in ~/.tozny/e3db.json, install the SDK with ‘gem install e3db’ then when you’re ready to read records, you can run:
client = E3DB::Client.new(E3DB::Config.default)
client.query(type: 'pii').each do |record|
puts 'Data: ' + record.data[:dob] + ':' + record.data[:ssn]
puts 'Metadata: ' + record.meta.record_id + ':' + record.meta.type
How the Crypto Works
InnoVault is implemented using Tozny’s end-to-end encrypted database, E3DB. Your systems and only
your systems have access to the plain text. An E3DB client is generated in the browser. Each field is encrypted with a unique “data key” and the data keys are encrypted with an “access key”. The access key is then encrypted with your client’s public key so that the client can download and access it later. The “names” of the fields are not
encrypted, in order to support querying. We may add encrypted names soon. Let us know if this is of interest. Read more about InnoVault cyrpto
That’s (no where near) it!
Who knew end-to-end crypto could actually be easy! Read the Quick Start Guide