Verifiable Credentials can be used to store sensitive information. In such cases, it’s crucial to use encrypted credentials to ensure data privacy and security.

The encryption process is designed so that only the credential subject and the credential issuer can decrypt the credential. This ensures that sensitive information is only accessible to the relevant parties.

Once the credential is decrypted, it can be verified by anyone. This allows for the credential’s authenticity to be confirmed while still maintaining the privacy of its content.

The process of encryption and decryption can be automated using the Crossmint API and SDK. This provides a seamless and secure way to handle sensitive information within Verifiable Credentials.

Encryption will make credential issuance and retrieval slower due to the encryption and decryption process.

Create an encrypted credential template

When creating a template, you can specify an encryption parameter to determine the encryption modality you will use. The possible values for this parameter are:

  • crossmint-recoverable: This option is ideal when users prioritize the convenience and security of having a fallback recovery mechanism. Crossmint will take care of encrypting the credential. The user will be required to prove ownership of the subject wallet to decrypt the credential. As a fallback mechanism, the key is also shared with the credential issuer.
  • decentralized-lit: This option is better suited for users who prioritize full decentralization and privacy. The credential is encrypted and decrypted using the Lit protocol. The user will be required to prove ownership of the subject wallet to decrypt the credential.
  • none: The certificate is not encrypted.

For example, the encryption field part of the template creation request below is set to crossmint-recoverable.

{
    "metadata": {
        "name": "Template Name",
        "description": "Encrypted credentials template"
    },
    "chain": "polygon",
    "credentials": {
        "type": "MyCustomType",
        "encryption": "crossmint-recoverable"
    }
}

During credential creation, the Crossmint API encrypts the credential and sets an access rule that only the credential subject and the credential issuer can decrypt the credential.

Credentials issued from this template will be encrypted for you. Behind the scenes:

  • The Crossmint API encrypts the certificate’s private data and sets an access rule that only the credential subject and issuer can decrypt the credential.
  • Crossmint triggers a webhook to the issuer after a successful credential creation.
  • Issuer receives via webhook the credential content and the encryption key.
  • As a fallback a copy of the encryption key is sent to the issuer.

Encrypted credential object

An encrypted credential consists of a ‘credentialId’ and a base64 encoded encrypted payload.

{
    "credentialId": "urn:uuid:<credential_id>",
    "payload": "base64_encoded_cipher_text"
}

Retrieve an encrypted credential

You can leverage the standard retrieval Crossmint API endpoint to retrieve an encrypted credential: GET https://staging.crossmint.com/api/v1-alpha1/credentials/{credentialId}

Hitting the GET credentials/{credentialId} endpoint as the issuer will automatically decrypt the credential for you and return both the clear and ciphertext.

In case of successful autodecryption, the response object will be:

{
    "encryptedCredential": {
        "credentialId": "urn:uuid:<credential_id>",
        "payload": "base64_encoded_cipher_text"
    },
    "unencryptedCredential": "<credential_obj>",
    "decryptionError": undefined
}

For information on how to decrypt a credential, see here.

Credential StorageDelegated Signature