The Encryption Manifesto

Evervault is building encryption infrastructure for developers. Our mission is to encrypt the web. Our goal is to end data breaches.

We believe that encryption is the most important security and privacy tool developers have to protect their users and customers.

We’ve distilled our vision of an encrypted web down to the following eight principles.

1. Data should always be encrypted

   Sensitive data should never leave an individual’s device unless it has been encrypted in such a way that it can only be processed by a Cage.

   Cages are environments that contain data processing code with no external access.

   Cages should prevent everybody but the data owner from accessing the underlying information, regardless of their position.

   Organizations should never store, replicate or handle any sensitive data without using Cages. This includes storing the content on CDNs or making external backups.

   Cautionary tale: Capital One stored credit card application forms for 106 million people unencrypted in an S3 bucket.

2. Cages should be tamper-proof

   Nobody should have the ability to modify a Cage once information has been sent to it, and they should self-destruct if they are tampered with.

   Sensitive data should be cryptographically bound to the cage itself and modifying the cage should render the encrypted information useless.

   In practice, we use secure enclaves powered by technologies like AWS Nitro Enclaves to keep information encrypted at all times in hardware-secured Cages — even during processing.

   We think software-secured Cages are the future and we’re keeping a close eye on developments in the field of fully homomorphic encryption. It’s really promising technology — we’re just a while away from seeing practical usage in deployments at scale.

3. Cages should use modular cryptography

   Cages should use cryptographic algorithms that are entirely modular, allowing them to adapt to changes in the threat landscape over time.

   As computers become faster and new threats to cryptography like quantum computing emerge, we think it’s crucial that Cages can keep sensitive data secured regardless of advancements in adversarial approaches.

   We closely monitor developments in research such as post-quantum cryptography and do our best to provide developers with the tools to integrate the cutting edge of privacy technologies into their products.

4. Data should be governed by the laws of mathematics

   The judicial approach is poorly enforced, creates confusion and leads to misinterpretation.

   We believe that the laws of mathematics — that is, cryptography — are much more robust, and also prevent any external involvement and influence on data collection, processing, storage, and transmission.

   Although we applaud the efforts of various regulatory bodies in passing legislation such as the GDPR, CCPA and ePrivacy, they’re putting the cart before the horse by compelling companies to bake-in data privacy while the right developer toolkit is almost entirely non-existent.

5. Organizations have a revocable lease

   The individual is the ultimate owner of their personal data. Full stop.

   Organizations and companies have a revocable lease on this data in order to provide individuals with the service or product that they request.

   We’re building the infrastructure that ensures that developers and companies have only an ephemeral lease on user and customer data, while still enabling them to provide their service and deliver wonderful user experiences.

6. Support pragmatic privacy

   Developers should strive to use the most secure technology possible without increasing friction for themselves or for their users.

   Threading the needle between practicality and security is hard, and it’s something that people have gotten badly wrong before.

   But, we believe that it’s inevitable that all developers will build encrypted apps. The test is simple: If developers have a choice between building apps with plaintext data and building apps with encrypted data — assuming the developer experience is faster and better — they’ll choose building encrypted apps every time.

7. Integrate into the development stack

   Encryption and Cages should be directly integrated into the stack and infrastructure that developers use to build their application — from day one.

   When a developer sits down to write their software, they might ask questions like “what database should I use?” or “what framework should I use?”. Asking “what Cage should I use?” should be standard, and we expect this to become the new norm over the coming years.

   Our aim is to integrate encryption and Cages into the fabric of internet infrastructure. This means that Cages should run as close to users as possible, and should be as or more performant than existing cloud computing.

8. Don’t hinder the builder

   Privacy is a basic expectation and human right, but it’s something that should never create any friction or slow down the speed of technological advancement.

---

At Evervault, we’re building the encryption infrastructure for years and decades to come, not just the next couple of months.

We think it’s vital that we support the builders and creators of innovative tech to make progress even quicker than ever before. That’s a critical component of the decisions we make on a daily basis.

Keep these eight principles at heart and it's hard to go wrong. The Encryption Manifesto defines the DNA of our product thinking at Evervault — and, more importantly, we believe that it will form the basis of how everyone will think about data privacy and security in the future.