Frequently Asked Questions
How is this technology different from solutions that claim end-to-end encryption?
End-to-end encryption is trivial to achieve with any secure encryption algorithm (e.g. AES) if (1) the sender and the recipient(s) have a key shared securely in advance, and (2) no policy controls like time limits or revocation are needed. SecureShare requires no pre-shared information about the recipient(s) other than what the sender already knows - e.g. an email address. There is no list of public keys to maintain, no private key to protect locally, and integration with existing SSO makes using SecureShare across devices very easy. Finally, since the encryption is not based on the recipient’s public key, the recipient’s ability to decrypt any data is automatically revoked with SSO.
How is this technology different from PGP encryption technology?
PGP encryption is a specific case of the end-to-end encryption mentioned above. With PGP, the sender has to first obtain the recipients’ public keys and maintain them in a list - like a phonebook. This makes using PGP across devices cumbersome. The data is encrypted directly for a chosen recipient using her key, and therefore the encryption operation has to be repeated for every recipient. PGP is between the sender and the recipient without any third party, and therefore it is impossible to enforce time limits or revoke the recipient’s ability to decrypt data that she has not already decrypted.
Can Volterra’s infrastructure, SaaS, or teams get to see my data -- in clear or encrypted form?
No, SecureShare is unique in that Volterra’s infrastructure not only does not ever see the actual data, it does not even see the encryption key that the sender’s client application randomly generates to protect the data. In other words, Volterra does not see clear or encrypted data - everything remains on the users’ local machine during the encryption and the decryption process. During encryption/decryption operations, Volterra collects metadata for compliance, logging, and auditability purposes.
Does Volterra transfer any of my unencrypted information from my device to their cloud?
No, we do not transfer any secret information from the device to the Volterra cloud. All the encryption and decryption of data is completely local to the device.
Does Volterra store any of my encrypted or unencrypted data in its cloud?
No, as stated earlier, Volterra does not transfer and does not store any of the users’ secrets or encrypted secrets in its cloud.
How does Volterra secure my data without transferring any data to its servers?
Volterra locally encrypts the data using well-known cryptographic algorithms (AES-GCM and RSA) and returns the encrypted data to the user. The encryption keys themselves are protected by other cryptographic keys, which are protected by a state-of-the-art Key Management System in Volterra SaaS infrastructure.
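The local-encryption model described above can be sketched as envelope encryption with a policy-gated key release; this is an added example, not Volterra's code or protocol. KeyService, seal, unseal, the policy ids and the email addresses are hypothetical, and unlike what this FAQ states for SecureShare, this simplified service handles the data key at unwrap time.

```javascript
// Added illustration (not Volterra's code): envelope encryption with policy-gated key release.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical key service: holds the RSA private key and per-share policies.
// It is handed only the policy id and the wrapped key, never the ciphertext.
class KeyService {
  constructor() {
    const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.publicKey = pair.publicKey;
    this.privateKey = pair.privateKey;
    this.policies = new Map();
  }
  register(id, recipients, expiresAt) {
    this.policies.set(id, { recipients: new Set(recipients), expiresAt, revoked: false });
  }
  revoke(id) { this.policies.get(id).revoked = true; }
  // `caller` stands in for an identity already authenticated via SSO (assumption).
  unwrap(id, wrappedKey, caller, now) {
    const p = this.policies.get(id);
    if (!p || p.revoked || now > p.expiresAt || !p.recipients.has(caller)) {
      throw new Error('policy denied');
    }
    // The OAEP label binds the wrapped key to this policy id.
    return crypto.privateDecrypt({ key: this.privateKey, ...OAEP, oaepLabel: Buffer.from(id) }, wrappedKey);
  }
}

// Sender side, fully local: random data key, AES-256-GCM, then wrap the key.
function seal(plaintext, id, servicePublicKey) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  c.setAAD(Buffer.from(id)); // policy id is authenticated together with the data
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: servicePublicKey, ...OAEP, oaepLabel: Buffer.from(id) }, dataKey);
  return { id, iv, ct, tag: c.getAuthTag(), wrappedKey };
}

// Recipient side: ask the service to release the key, then decrypt locally.
function unseal(blob, service, caller, now) {
  const dataKey = service.unwrap(blob.id, blob.wrappedKey, caller, now);
  const d = crypto.createDecipheriv('aes-256-gcm', dataKey, blob.iv);
  d.setAAD(Buffer.from(blob.id));
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString();
}
```

Because the wrapped key is bound to its policy id through the OAEP label, pairing it with a different, more permissive policy makes the unwrap fail rather than release the key.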
Should I trust any cloud service with my unencrypted data?
It depends on what information your data contains. If your data is some cat pictures, you can perhaps accept the risk of losing or exposing the data by storing it unencrypted. If you have something more valuable, you may want to assess the risks more seriously. There are plenty of reasons to believe that unencrypted data will be exposed sooner or later no matter which cloud service you use. If you have compliance obligations, then storing in-scope unencrypted data may not be allowed.
What encryption technology is being used?
SecureShare uses AES-GCM and RSA math to achieve the protection.
What happens if Volterra gets hacked?
We are always on top of all-things-security and do not expect this, but in the absolute worst case scenario, even if Volterra is fully compromised - as in all the keys are accessible - the hacker will have to find the encrypted data (still in customer’s possession) and decrypt it via the hacked route. Unless the hacker has access to the encrypted data AND hacks Volterra to a level where it bypasses all the policy checks AND directly accesses the Key Management System without anyone noticing, no significant risk is posed.
What personal information of mine does Volterra store in its cloud?
Volterra stores PII in its cloud storage: name, email, user-id, billing address, and phone number. For every API call made by the customer, we encrypt and decrypt the calls and store a log for auditability -- this includes geo-IP location, device type, and device software used to make these API calls. In addition, the customer's credit card information is stored with a PCI-compliant service from Stripe, Inc.
Can any government agency force Volterra to unencrypt user data?
Since we are not in the business of storing customer’s sensitive information, the government can only get very little help from us with respect to your data.
Why should I use SecureShare if my cloud storage provider is already encrypting all my data?
Volterra SecureShare does not replace any shared/collaboration storage service -- we help you store data in these storage solutions such that you don’t rely solely on these cloud providers for the privacy and security of your data. If these storage services are ever compromised (externally or from within) or are forced to hand over data to any government agency, your data will not be compromised as it is encrypted without relying on your storage provider's technology.
Why should I use SecureShare if there are already cloud storage and sharing providers with end-to-end encryption?
End-to-end encryption technology used by some cloud storage providers does a great job of encrypting the file and metadata on users' devices so that their cloud servers and storage can never see the data. They also provide controls such as for how many days the data can be decrypted. However, they have moved the problem of securely sharing the data to securely sharing the password that is needed to decrypt the data. Volterra SecureShare ensures that the sender never has to worry about creating and securing a “password” that is required to decrypt the data.
Why should I use SecureShare instead of group sharing of passwords from providers like LastPass, Bitwarden, etc?
Unfortunately, shared-password providers recommend that you encrypt the password with the public key of the user that is not already on their platform. If you want to share a password with a user, the recipient has to enroll on their platform as that is required by the client software to encrypt the secret before storing it in their platform. Moreover, since we don't store any customer data in any vault, we don't suffer from the complex security needs of a centralized vault.
Why should I use SecureShare if my messaging provider like WhatsApp or Slack or Signal implements end-to-end encryption?
Some group messaging systems implement end-to-end encryption (e.g. WhatsApp, Telegram, or Signal) whereas others only implement client-to-server encryption (e.g. Slack). Those systems that provide end-to-end encryption try to ensure that only you and the person you’re communicating with can read what is sent and nobody in between, including the messaging provider, can read the information. This works perfectly for private conversations between two people but there are flaws for groups. For example, WhatsApp’s end-to-end encryption is based on the Signal protocol, which is vulnerable when changes to the group are made - adding and removing members is not end-to-end encrypted. This means that in some cases, if their servers were hacked or someone from the inside is compromised, they can add a member and eavesdrop on the conversation and get access to the data. This technique can also be used as a backdoor to give access to government agencies.