Portable Encryption overview
KnoxCall’s Portable Encryption turns any value into a single, self-describing kc: ciphertext string you can drop into a database column, a log line, or a message queue with no schema change — and which carries everything needed to decrypt it except the private key.
It is public-key encryption: you encrypt against a tenant public key, and only KnoxCall (holding the matching private key, wrapped under your tenant master key) can decrypt. That means plaintext can be sealed before it ever reaches KnoxCall — including in a browser.
Use it for:
- “Encrypt anything, store it anywhere” — PII, PHI, PAN, API responses, free-form blobs. The ciphertext is portable across systems.
- Structure-preserving encryption — send a whole JSON object; get the same shape back with every scalar leaf replaced by a kc: string.
- Frontend scope reduction — seal card/PII data in the page so it never touches your servers (paired with the browser SDK).
- Crypto-agility — every kc: value carries its scheme version, so the format can evolve without breaking stored data.
Quick example
key, KnoxCall auto-provisions a default ecdh-p256 key on first use — the happy path is zero-config. To pin a key, pass "key": "my-key" (create it with key_type: "ecdh-p256" via Crypto Keys).
Data roles
Pass an optional role on encrypt to bind a data-role into the ciphertext (e.g. pci, eu). The role is folded into the key derivation, so the value can only be decrypted by presenting the same role — the policy travels with the data, not just at the gateway.
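An added example of the role binding described above, showing why a value sealed under one role cannot be opened under another. It is not KnoxCall's code or wire format: the demo1 token layout, the HKDF label and the function names seal, unseal and canOpen are assumptions, built on ECDH P-256, HKDF-SHA-256 and AES-256-GCM from Node's built-in crypto module.

```javascript
// Added illustration: ECIES-style sealing with a data role bound into the KDF.
// The token layout and KDF label are assumptions, not KnoxCall's wire format.
const crypto = require("node:crypto");

const b64 = (buf) => Buffer.from(buf).toString("base64url");

// Derive the AES-256-GCM key from the ECDH secret. The role is part of the
// HKDF "info" input, so a different role yields an unrelated key.
function deriveKey(shared, ephPub, role) {
  const info = Buffer.from(`demo-portable-enc|role=${role}`);
  return Buffer.from(crypto.hkdfSync("sha256", shared, ephPub, info, 32));
}

// Encrypt side: needs only the recipient's public key.
function seal(recipientPub, plaintext, role = "") {
  const eph = crypto.createECDH("prime256v1"); // fresh ephemeral key per value
  const ephPub = eph.generateKeys();
  const key = deriveKey(eph.computeSecret(recipientPub), ephPub, role);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return "kc:demo1:" + [ephPub, iv, ct, c.getAuthTag()].map(b64).join(".");
}

// Decrypt side: needs the private key AND the same role, else GCM auth fails.
function unseal(recipient, token, role = "") {
  const [prefix, version, body] = token.split(":");
  if (prefix !== "kc" || version !== "demo1") throw new Error("unknown scheme");
  const [ephPub, iv, ct, tag] = body.split(".").map((p) => Buffer.from(p, "base64url"));
  const key = deriveKey(recipient.computeSecret(ephPub), ephPub, role);
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// True when the token authenticates and decrypts under this key and role.
function canOpen(recipient, token, role) {
  try { unseal(recipient, token, role); return true; } catch { return false; }
}

// Constructed sample: a throwaway key pair stands in for the tenant key.
const tenant = crypto.createECDH("prime256v1");
const tenantPub = tenant.generateKeys();
const token = seal(tenantPub, "4111 1111 1111 1111", "pci");
console.log(token.slice(0, 40) + "...");
console.log("role pci:", canOpen(tenant, token, "pci"), "| role eu:", canOpen(tenant, token, "eu"));
```

Because the role only enters the key derivation, it is not stored in the token; a caller presenting the wrong role gets an authentication failure, not garbled plaintext.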
Client-side reveal without an API key
Browsers and agents should never hold an API key. To let a frontend reveal one value, your backend mints a single-use, payload-pinned capability token and hands it over:
action: "detokenize" → POST /v1/client/detokenize.
Dual-custody vaults
A vault created with custody_mode: "dual" issues kc: ciphertext as its token and stores no value at all — you keep the ciphertext, KnoxCall keeps only the key. A breach of KnoxCall alone leaks nothing, and detokenize is a pure decrypt (no database lookup).
Learn more
- Ciphertext format & cryptographic spec — the exact wire format and algorithms.
- Encryption threat model — what the design defends against, and the trust boundaries.