Cross-Domain Data Sharing
Overview
Sovra enables secure data sharing between federated organizations using shared workspaces.
Concepts
Workspace
A shared cryptographic domain where multiple organizations can encrypt/decrypt data.
Components:
- Multiple participating organizations
- Single Data Encryption Key (DEK)
- Distributed access policies
- Cross-organization audit trail
Key Exchange
The DEK is generated by the workspace initiator and wrapped once per participant, under that participant's public key, so each organization receives its own encrypted copy.
Use Cases
Research Collaboration
Universities sharing patient data for cancer research:
sovra workspace create \
--name cancer-research \
--participants eth-zurich,epfl,unige \
--classification CONFIDENTIAL \
--purpose "Oncology research collaboration"
Government Intelligence
Agencies sharing classified intelligence:
sovra workspace create \
--name defense-intel \
--participants mil-org-1,intel-org-2 \
--classification SECRET \
--mode air-gap
Supply Chain
Manufacturers and suppliers sharing logistics data:
sovra workspace create \
--name supplier-network \
--participants manufacturer,supplier-1,supplier-2 \
--policies supply-chain-policy.rego
Creating Workspaces
Step 1: Initialize Federation
# Every participating organization must already be federated; check each partner before creating the workspace
sovra federation status partner-org
Step 2: Create Workspace
Initiator (Org A):
sovra workspace create \
--name joint-project \
--participants org-a,org-b,org-c \
--classification CONFIDENTIAL \
--crk-sign org-a-crk.json
What happens:
- System generates DEK (Data Encryption Key)
- Requests public keys from Org B and C
- Wraps DEK with each participant’s public key
- Sends wrapped keys to participants
- Participants acknowledge receipt
Step 3: Verify Workspace
All participants:
sovra workspace list
sovra workspace info joint-project
Using Workspaces
Encrypt Data
Any participant can encrypt:
# Encrypt file
sovra workspace encrypt \
--workspace joint-project \
--input sensitive-data.csv \
--output encrypted.dat
# Encrypt stdin
echo "secret message" | sovra workspace encrypt \
--workspace joint-project \
--output message.enc
Decrypt Data
Any participant can decrypt, subject to the workspace access policy (see Access Control):
# Decrypt file
sovra workspace decrypt \
--workspace joint-project \
--input encrypted.dat \
--output decrypted.csv
# Decrypt to stdout
sovra workspace decrypt \
--workspace joint-project \
--input message.enc
Share Encrypted Data
# Org A encrypts
echo "shared data" | sovra workspace encrypt \
--workspace joint-project > data.enc
# Send data.enc to Org B (email, S3, etc.)
# Org B decrypts
sovra workspace decrypt \
--workspace joint-project \
--input data.enc
Access Control
Policy Example
# policy/joint-project.rego
package workspace.joint_project

import future.keywords.if
import future.keywords.in

# Default deny
default allow = false

# Only researchers can decrypt, for analysis, inside the workspace's active window.
# Workspace metadata (start_time, end_time) is assumed to be loaded under data.workspace.
# input.time and the window bounds must share one representation (for example RFC 3339
# UTC strings, which compare correctly as strings, or Unix timestamps).
allow if {
    input.role == "researcher"
    input.purpose == "analysis"
    input.time >= data.workspace.start_time
    input.time <= data.workspace.end_time
}

# Org admins can always access
allow if {
    input.role == "admin"
}

# Explain denials (the decision itself is recorded in the audit trail)
deny_reason := "unauthorized role" if {
    not input.role in ["researcher", "admin"]
}
Apply Policy
sovra policy create \
--workspace joint-project \
--policy policy/joint-project.rego \
--crk-sign org-a-crk.json
Audit Trail
View Workspace Audit Log
# Last 100 operations
sovra audit query \
--workspace joint-project \
--limit 100
# Filter by organization
sovra audit query \
--workspace joint-project \
--org org-b
# Filter by operation
sovra audit query \
--workspace joint-project \
--operation decrypt
Audit Event Example
{
"workspace": "joint-project",
"operation": "decrypt",
"org": "org-b",
"user": "researcher@org-b.edu",
"timestamp": "2026-01-29T14:30:00Z",
"purpose": "data analysis",
"result": "success",
"data_hash": "sha256:abc123..."
}
Important: ALL participants see ALL audit events.
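Because every participant sees the whole trail, each one can review it independently. The following is an added Go example, not Sovra code: it parses audit events in the JSON shape shown above from a constructed newline-delimited export, flags operations by organizations outside the participant list, successful decrypts whose stated purpose departs from the workspace purpose, and failed operations, and recomputes the "sha256:<hex>" form of data_hash so an event can be tied to a ciphertext the reviewer actually holds. The WorkspaceMeta type, the sample events and the .example addresses are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent carries the fields of the audit event shown on this page.
type AuditEvent struct {
	Workspace string `json:"workspace"`
	Operation string `json:"operation"`
	Org       string `json:"org"`
	User      string `json:"user"`
	Timestamp string `json:"timestamp"`
	Purpose   string `json:"purpose"`
	Result    string `json:"result"`
	DataHash  string `json:"data_hash"`
}

// WorkspaceMeta is what a participant knows about the workspace (shape assumed for this example).
type WorkspaceMeta struct {
	Name         string
	Purpose      string
	Participants []string
}

// DataHash renders a digest in the "sha256:<hex>" form of the data_hash field,
// so an event can be tied to a ciphertext a participant actually holds.
func DataHash(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ParseEvents reads newline-delimited JSON, one audit event per line.
func ParseEvents(ndjson string) ([]AuditEvent, error) {
	var events []AuditEvent
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// Review lists what a participant should examine in the shared trail: events
// from organizations outside the participant list, successful decrypts whose
// stated purpose is not the workspace purpose, and failed operations.
func Review(ws WorkspaceMeta, events []AuditEvent) []string {
	participant := map[string]bool{}
	for _, org := range ws.Participants {
		participant[org] = true
	}
	var findings []string
	for _, ev := range events {
		switch {
		case ev.Workspace != ws.Name:
			// an export may mix workspaces; review one at a time
		case !participant[ev.Org]:
			findings = append(findings, fmt.Sprintf("%s: %s by non-participant %s", ev.Timestamp, ev.Operation, ev.Org))
		case ev.Operation == "decrypt" && ev.Result == "success" && ev.Purpose != ws.Purpose:
			findings = append(findings, fmt.Sprintf("%s: %s decrypted for %q, workspace purpose is %q", ev.Timestamp, ev.User, ev.Purpose, ws.Purpose))
		case ev.Result != "success":
			findings = append(findings, fmt.Sprintf("%s: %s by %s failed (%s)", ev.Timestamp, ev.Operation, ev.User, ev.Result))
		}
	}
	return findings
}

// SampleCiphertext and SampleTrail are constructed for this example, not real
// Sovra output. Every event carries the digest of SampleCiphertext.
var SampleCiphertext = []byte("constructed ciphertext bytes")

func SampleTrail() string {
	h := DataHash(SampleCiphertext)
	ev := func(op, org, user, ts, purpose, result string) string {
		return fmt.Sprintf(`{"workspace":"joint-project","operation":"%s","org":"%s","user":"%s","timestamp":"%s","purpose":"%s","result":"%s","data_hash":"%s"}`,
			op, org, user, ts, purpose, result, h)
	}
	return strings.Join([]string{
		ev("encrypt", "org-a", "alice@org-a.example", "2026-01-29T14:00:00Z", "data analysis", "success"),
		ev("decrypt", "org-b", "researcher@org-b.edu", "2026-01-29T14:30:00Z", "data analysis", "success"),
		ev("decrypt", "org-b", "intern@org-b.edu", "2026-01-29T15:00:00Z", "marketing", "success"),
		ev("decrypt", "org-x", "someone@org-x.example", "2026-01-29T15:10:00Z", "data analysis", "error"),
		ev("decrypt", "org-a", "alice@org-a.example", "2026-01-29T15:20:00Z", "data analysis", "error"),
	}, "\n")
}

func main() {
	events, err := ParseEvents(SampleTrail())
	if err != nil {
		panic(err)
	}
	ws := WorkspaceMeta{Name: "joint-project", Purpose: "data analysis", Participants: []string{"org-a", "org-b"}}
	for _, f := range Review(ws, events) {
		fmt.Println(f)
	}
}
```

Run against the constructed trail it reports three findings: the intern's decrypt for "marketing", the attempt by org-x, which is not a participant, and org-a's failed decrypt. Feed it the output of `sovra audit export --format json` only if that export is newline-delimited; otherwise adapt ParseEvents to the array form.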
GDPR Compliance
Purpose Limitation
# Specify purpose when creating workspace
sovra workspace create \
--name patient-data \
--purpose "COVID-19 treatment research" \
...
Policies enforce the purpose by comparing the caller's declared purpose with the workspace's (workspace metadata is assumed to be loaded under data.workspace):
allow if {
    input.purpose == data.workspace.purpose
}
Data Minimization
Only workspace participants hold a wrapped copy of the DEK, so only they can decrypt; keep the participant list, and the data placed in the workspace, to what the stated purpose requires:
# Non-participant cannot decrypt
sovra workspace decrypt \
--workspace joint-project \
--input data.enc
Error: unauthorized - not a workspace participant
Consent Management
All participants must acknowledge:
sovra workspace join \
--workspace joint-project \
--consent-sign org-b-crk.json
Right to Erasure
Any participant can withdraw from the workspace, which removes its wrapped copy of the DEK:
sovra workspace leave \
--workspace joint-project \
--crk-sign org-b-crk.json
All other participants are notified. Leaving does not erase data that other participants already hold, and an organization that has unwrapped the DEK keeps the ability to decrypt ciphertext it already has; rotate the DEK (see Key Rotation) after a participant leaves so that data encrypted from then on is unreadable to it.
Audit Trail
Complete operation history:
# Export for compliance
sovra audit export \
--workspace joint-project \
--format json \
--output audit-2026-Q1.json
Air-Gap Support
For SECRET classification workloads in physically isolated networks.
Public Key Exchange
Before cross-org workspace sharing, each organization must exchange its RSA public key alongside its federation certificate. This is done during federation setup via federation import-cert --public-key-file.
Creating Air-Gap Workspace
sovra workspace create \
--name classified-intel \
--participants mil-1,intel-2 \
--classification SECRET \
--mode air-gap
Export and Transfer
When exporting, the DEK is unwrapped from the caller’s KEK, then re-encrypted with each participant’s RSA public key using RSA-OAEP (SHA-256). The exported bundle contains an ExportDEK map with one entry per participant org.
# Export workspace bundle (DEK encrypted per-participant)
sovra workspace export ws-123 --output workspace-bundle.json
# Transfer via USB courier; verify the bundle's digest on the receiving side before importing it
cp workspace-bundle.json /media/usb-secret/
Import on Receiving Side
On import, the receiving org decrypts their ExportDEK entry using their RSA private key (stored in Vault KV), then re-wraps the DEK with their local KEK. The importing org is automatically added to ParticipantOrgs.
sovra workspace import \
--input /media/usb-secret/workspace-bundle.json
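The two key exchanges this page describes, the initiator's DEK generation and per-participant wrapping in Step 2 of Creating Workspaces and the air-gap export/import re-wrapping just above, share one mechanism. The following is an added Go example, not Sovra code: it models the ExportDEK bundle with the standard library's RSA-OAEP(SHA-256), shows the receiving org recovering only its own entry while a non-participant and a participant using the wrong private key both fail, and then encrypts data under the recovered DEK so that what org-a sealed is readable by org-b. Assumptions, all mine rather than the page's: an OAEP label binding each entry to its workspace and org, AES-256-GCM as the data cipher, and constructed 2048-bit keys. Vault, the KEK and the rest of the bundle format are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle follows the shape the page describes: an ExportDEK map with one
// RSA-OAEP(SHA-256) encryption of the workspace DEK per participant org.
type Bundle struct {
	Workspace       string
	ParticipantOrgs []string
	ExportDEK       map[string][]byte
}

// oaepLabel binds an entry to its workspace and org. This is an addition for the
// example (the page does not say whether Sovra uses an OAEP label); it makes an
// entry copied into another bundle, or handed to another org, fail to decrypt.
func oaepLabel(workspace, org string) []byte { return []byte(workspace + "/" + org) }

// NewDEK generates the 256-bit data encryption key the initiator creates.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

// ExportBundle wraps dek under every participant's RSA public key. Sovra does
// this with the DEK only transiently unwrapped from the caller's KEK.
func ExportBundle(workspace string, dek []byte, pubs map[string]*rsa.PublicKey) (Bundle, error) {
	b := Bundle{Workspace: workspace, ExportDEK: make(map[string][]byte, len(pubs))}
	for org, pub := range pubs {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel(workspace, org))
		if err != nil {
			return Bundle{}, fmt.Errorf("wrap DEK for %s: %w", org, err)
		}
		b.ExportDEK[org] = ct
		b.ParticipantOrgs = append(b.ParticipantOrgs, org)
	}
	return b, nil
}

// ImportDEK is the receiving side: find our own entry and decrypt it with our
// RSA private key. A non-participant has no entry; the wrong private key yields
// an OAEP decryption error, never another org's DEK.
func ImportDEK(b Bundle, org string, priv *rsa.PrivateKey) ([]byte, error) {
	ct, ok := b.ExportDEK[org]
	if !ok {
		return nil, errors.New("unauthorized - not a workspace participant")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel(b.Workspace, org))
}

// Seal and Open protect workspace data under the DEK with AES-256-GCM, nonce
// prepended. The page does not name the data cipher, so this part is assumed.
func Seal(dek, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(dek, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed keys: org-a and org-b participate, org-c does not.
	keys := map[string]*rsa.PrivateKey{}
	for _, org := range []string{"org-a", "org-b", "org-c"} {
		keys[org], _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	dek, _ := NewDEK()
	bundle, _ := ExportBundle("joint-project", dek, map[string]*rsa.PublicKey{
		"org-a": &keys["org-a"].PublicKey, "org-b": &keys["org-b"].PublicKey})
	sealed, _ := Seal(dek, []byte("shared data")) // org-a encrypts
	dekB, _ := ImportDEK(bundle, "org-b", keys["org-b"])
	pt, _ := Open(dekB, sealed) // org-b decrypts with its own unwrapped copy
	fmt.Printf("org-b read %q\n", pt)
	_, err := ImportDEK(bundle, "org-c", keys["org-c"])
	fmt.Println("org-c:", err)
}
```

The property worth noticing is the one the Security Considerations list states for the air-gap bundle: every org's entry is an independent RSA-OAEP ciphertext, so possession of the bundle gives a non-participant, or a participant with someone else's entry, nothing. It also shows why revocation alone is not enough: once org-b has run ImportDEK it holds the DEK, and only a rotation changes what it can read afterwards.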
Synchronization
# Export operations (air-gap machine)
sovra workspace export-ops \
--workspace classified-intel \
--output /media/usb/ops-export/
# Import operations (connected machine)
sovra workspace import-ops \
--input /media/usb/ops-export/
Workspace Lifecycle
Expiration
# Create with expiration
sovra workspace create \
--name temp-project \
--expires "2026-12-31" \
...
# Extend expiration
sovra workspace extend \
--workspace temp-project \
--expires "2027-12-31" \
--crk-sign org-a-crk.json
Archival
# Archive workspace (read-only)
sovra workspace archive \
--workspace completed-project \
--crk-sign org-a-crk.json
Deletion
# Requires all participants to sign
sovra workspace delete \
--workspace old-project \
--crk-sign org-a-crk.json
# Other participants must also sign
# (collect signatures from all participants)
Advanced Features
Key Rotation
# Rotate DEK (re-wrap for all participants)
sovra workspace rotate-key \
--workspace joint-project \
--crk-sign org-a-crk.json
Add Participant
# Existing participants vote
sovra workspace add-participant \
--workspace joint-project \
--new-participant org-d \
--crk-sign org-a-crk.json
# Requires majority approval
Remove Participant
sovra workspace remove-participant \
--workspace joint-project \
--participant org-c \
--crk-sign org-a-crk.json
Troubleshooting
Key Exchange Fails
# Verify federation
sovra federation status partner-org
# Test connectivity only: -k skips certificate verification, so this proves reachability, not the partner's identity (key exchange itself stays on mTLS)
curl -k https://sovra-partner.example.org/health
# Re-request keys
sovra workspace refresh-keys \
--workspace joint-project
Decryption Fails
# Verify workspace membership
sovra workspace participants joint-project
# Check policy
sovra policy get \
--workspace joint-project
# View audit for errors
sovra audit query \
--workspace joint-project \
--result error
Security Considerations
- DEK Security: DEK never leaves Vault unencrypted in connected mode. In air-gap mode, the DEK is transiently unwrapped only to re-encrypt with RSA-OAEP for each recipient
- Transport: All key exchange via mTLS (connected) or encrypted USB bundles (air-gap)
- Storage: Wrapped keys stored encrypted. Air-gap bundles use per-org RSA-OAEP encryption
- Audit: All export and import operations logged immutably
- Revocation: Removing a participant or leaving takes effect immediately for all participants, but it cannot recall a DEK the removed organization has already unwrapped or plaintext it has already decrypted; rotate the DEK after a removal so that data encrypted afterwards is not readable with the old key
- Air-Gap DEK Re-Wrapping: RSA-OAEP with SHA-256 ensures each org can only decrypt their own DEK entry in the export bundle