Drives can store either public or private data, indicated by the Drive-Privacy tag on the drive entity.
Drive-Privacy: "<public | private>"
If a Drive Entity is private, an additional tag Drive-Auth-Mode must be used to indicate how the Drive Key is derived. ArDrive clients currently leverage a secure password along with the Arweave Wallet private key signature to derive the global Drive Key.
On every encrypted Drive Entity, a Cipher tag must be specified. The required public parameters for decrypting the data must also be specified with the parameter's tag name prefixed by Cipher-IV. If the parameter is byte data, it must be encoded as Base64 in the tag.
ArDrive clients currently leverage AES256-GCM for all symmetric encryption, which requires a Cipher Initialization Vector consisting of 12 random bytes.
Cipher?: "AES256-GCM"
Cipher-IV?: "<12 byte initialization vector as Base64>"
Additionally, all encrypted transactions must have the
application/octet-stream as opposed to
Private Drive Entities and their corresponding Root Folder Entities will both use these keys and ciphers generated to symmetrically encrypt the JSON files that are included in the transaction. This ensures that only the Drive Owner (and whomever the keys have been shared with) can open the drive, discover the root folder, and continue to load the rest of the children in the drive.
Check the crypto source code in ArDrive-Core-JS for the methods needed to encrypt and decrypt private Arweave File System data.
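The Cipher and Cipher-IV tags described above, shown as an added example using Node's built-in crypto module; this is not code from ArDrive-Core-JS. It assumes the 32-byte Drive Key has already been derived (a random key stands in for it) and that the 16-byte GCM authentication tag is appended to the ciphertext; the function names and sample entity fields are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: the GCM auth tag (16 bytes) is stored appended to the ciphertext.
const AUTH_TAG_LEN = 16;

// Encrypt an entity's JSON and return the tags that must accompany it.
function encryptEntity(driveKey, entityJson) {
  const iv = crypto.randomBytes(12); // fresh 12 random bytes for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', driveKey, iv, { authTagLength: AUTH_TAG_LEN });
  const body = Buffer.concat([cipher.update(JSON.stringify(entityJson), 'utf8'), cipher.final()]);
  const data = Buffer.concat([body, cipher.getAuthTag()]);
  // Public decryption parameters travel in tags; byte data is Base64 encoded.
  const tags = { 'Cipher': 'AES256-GCM', 'Cipher-IV': iv.toString('base64') };
  return { tags, data };
}

// Validate the tags, then decrypt and authenticate the entity data.
function decryptEntity(driveKey, tags, data) {
  if (tags['Cipher'] !== 'AES256-GCM') throw new Error('unsupported Cipher tag');
  const iv = Buffer.from(tags['Cipher-IV'] || '', 'base64');
  if (iv.length !== 12) throw new Error('Cipher-IV must decode to 12 bytes');
  if (data.length < AUTH_TAG_LEN) throw new Error('data shorter than auth tag');
  const body = data.subarray(0, data.length - AUTH_TAG_LEN);
  const authTag = data.subarray(data.length - AUTH_TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', driveKey, iv, { authTagLength: AUTH_TAG_LEN });
  decipher.setAuthTag(authTag);
  // final() throws if the key is wrong or the ciphertext or tag was modified.
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample input: stand-in key and a made-up drive entity.
const driveKey = crypto.randomBytes(32);
const sample = { name: 'Example Drive', rootFolderId: '00000000-0000-0000-0000-000000000000' };
const sealed = encryptEntity(driveKey, sample);
console.log(sealed.tags, decryptEntity(driveKey, sealed.tags, sealed.data));
```

Because GCM is authenticated, a reader should treat a failed decrypt as a tampered or wrongly keyed entity rather than retrying with relaxed checks.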