1. Tresor data encryption
For encrypting the uploaded files and folders in your tresors, Tresorit uses a symmetric key encryption algorithm, more specifically AES-256, in OpenPGP CFB mode described in RFC2440. All files have different, independent and freshly generated 256-bit encryption keys. Each version of a file has a random IV, so even if you change one bit in a large file, the encrypted form changes completely, ensuring that neither Tresorit, nor others have any information about your changes. Folders, including file names, are encrypted the same way. Integrity of all ciphertext is protected with HMAC-SHA-512.
1.1. Agreement keys
It is a common technique in cryptography to protect symmetric keys with asymmetric encryption, such as RSA. Tresorit also employs this scheme by encrypting the AES-256 tresor encryption key with RSA-4096 algorithm using the public key (called the agreement public key) of the tresor members. The encryption key is is encrypted as many times as many members are in the tresor, using the personal agreement public key of each member.
This way all tresor members are able to decrypt the encryption key needed to access the tresor’s contents using their own agreement private key, but they don't employ any kind of common secret, only standard asymmetric encryption methods. The agreement private keys are stored securely in the users' roaming profile.
Every user has multiple agreement keys (public/private pairs). Periodically and on certain operations, like password change, new secrets are generated into your roaming profile, including a new agreement key pair, which is updated in all your tresors to ensure cryptographic access revocation of your old password.
1.2. Group Key File
Each tresor contains a special file in the cloud called the group key file, containing the encryption key protected by each member's agreement public key. This file serves as the starting point when accessing a tresor. When a member downloads the contents of a tresor, their Tresorit application first downloads the group key file, decrypts the encryption keys with its own agreement private key, and uses it to decrypt the root folder and the tresor’s content.
Our servers won't allow non-tresor members to download this file. Even if other users have access to the group key file, they still won't be able to access tresor contents, because they don't have the RSA private key to decrypt the tresor encryption key. This is a good example of how Tresorit employs multiple layers of protection around your valuable data, always backed up by strong cryptographic routines.
2. Tresor sharing
Sharing a tresor with other users works with the manipulation of the encrypted encryption key stored in the group key file.
As mentioned before, there is an additional level of protection built in our servers which only allow tresor members to access any encrypted content belonging to a tresor. These access control privileges are also manipulated when sharing a tresor or revoking access to it. The access control protection is similar to what you would receive from other cloud providers, like Dropbox - server checks an access control table before each file operation request.
2.1. Inviting a user to a tresor
When you invite someone to a tresor, you download their agreement public key embedded in a X.509 certificate from our servers. With the help of our PKI, various checks on this certificate ensure that the private key of this certificate belongs to the invitee. The inviter then uses this public key to encrypt the tresor's encryption key yet again, appends it to the group key file and then uploads the group key file to the cloud. At the same time, the Tresorit servers are notified to grant access privilege to the new member. When invitation process is complete, the tresor is appended to the invitee’s tresor list, who can now download the group key file and use it to access the contents of the tresor as described above.
It’s important that your personal data (e.g. your name) is not included in your certificate. This guarantees that someone just inviting you will not automatically receive your personal data. Your agreement private key is never transferred to any other user, this secret always remains under your control (stored in your roaming profile and also in your local profile for quicker access).
2.2. Removing a user from a tresor
When you remove a member from a tresor, a new AES-256 tresor encryption key is generated. From this point on, this key will be used to encrypt tresor contents (already uploaded contents are not re-encrypted). Then the group key file is regenerated by encrypting this new encryption key with the agreement public keys of the remaining members, and the removed member will be left out. The new group key file is uploaded, and at the same time our servers are notified that the access permission of the removed user should be revoked for the given tresor.
This way, the removed user will not be able to access the tresor contents with the old encryption key. They won’t be able to download the new encryption key from the group key file, and even if they had somehow downloaded it, it wouldn’t help them decrypt the file/folder encryption key.