I was wondering if relying on caller-based access control is sufficient to provide privacy or data security for the user?
public shared ({ caller }) query func getData() {
if caller == data.owner or data.approved_users.contains(caller) // OK
// callers who are not the owner nor is not one of the approved callers
// wont be able to see the data
if it’s not overkilled, when does encryption/decryption will ever be needed?
is the upcoming vetKeys considered an encryption/decryption tool?
aside from the vetKeys, what are some other privacy tools that can be used (motoko preferably)?
The answer here depends somewhat on the threat model you are operating on.
From the perspective of “outside the IC”, what you are proposing could be sufficient; assuming the IC itself does not become compromised, the Internet Identity of the caller cannot be forged, and this allows for performing access control.
However, you should be aware that all canister state/data is visible to the operators of the nodes that form the subnet (or anyone who is able to compromise such a node). In the future we may adopt technologies like AMD’s SEV which would allow hiding canister state from the node operators, but that is not currently in use. So encryption could still be a requirement for you - if the data you are storing is encrypted, then even a node operator cannot examine it. However this can be tricky to do correctly/safely. This is because if you decrypted the data within the canister itself and returned the plaintext to the caller, this would again be visible to any malicious nodes within the subnet (plus also the boundary node the user is accessing the IC through). The data would instead have to be encrypted by the creator before upload, and then decrypted by the recipient locally on their own device.
For a single user scenario, that’s relatively easy; generate and store a random key locally (either in local storage, or derived from a password), encrypt the document and upload it. Later download the ciphertext and decrypt it. However for multiuser the situation becomes tricky, especially if you need to change the set of allowed users over time.
vetKeys is not in and of itself an encryption tool, instead it is a distributed key management tool. vetKeys basically solves the problem of “how do I allow some set of users/principals to have access to a secret key that is otherwise unknown to any other party - including the canister or the IC itself”, which is more or less exactly what you’d want.