IronCore Labs makes usable, searchable application-layer encryption that helps developers and security teams lock down their sensitive cloud and AI data without the downsides.
The IronCore SaaS Shield platform helps encrypt and manage data, regardless of data store, taking care of all of the difficult concerns of security, scalability, key orchestration, and smokin' fast performance. Together with Cloaked Search and Cloaked AI, it keeps that data usable, findable, and secure even from the servers and services that hold the data.
For SaaS apps, it supports per-tenant encryption and key management with options for BYOK/HYOK, real-time audit trails direct to customers, and more. It can connect to all of the major KMSes with per-tenant keys. And no sensitive data flows through IronCore, ever.
IronCore's Cloaked AI product uses property-preserving encryption that maintains the distance relationships between vectors while encrypting them, allowing organizations to perform nearest neighbor searches, clustering, and anomaly detection over encrypted AI data and to build models over encrypted embeddings that require a key to use.
The encryption technique is based on the paper, "Approximate Distance-Comparison-Preserving Symmetric Encryption" by Georg Fuchsbauer, Riddhi Ghosal, Nathan Hauke & Adam O'Neill, and utilizes the scale and perturb algorithm, which randomly adds noise and redistributes vectors while preserving relative distances. Read more about the security of AI embeddings.
- Application-layer encryption explained
- Security of AI embeddings explained
- Security Risks with RAG Architectures explained
- Customer Managed Keys (CMK/BYOK/HYOK) explained
- Crypto-agility and post-quantum explained
- 📺 Vector Encryption Mini Explainer - YouTube
- 📺 SaaS Shield Application-layer Encryption Demo - YouTube
- 📺 IronCore Labs Complete Product Suite Overview - YouTube
- 📺 DEF CON 32 - Attacks on GenAI data & using vector encryption to stop them - Patrick Walsh, Bob Wall - YouTube
- 📺 RMISC 2024 - Exploitable Weaknesses in Gen AI Workflows: From RAG to Riches - YouTube
- 📺 Post-Quantum Cryptography Explained - YouTube
We believe in transparency and we talk openly about our choice of algorithms and our implementations. Most of our source code is open source and we invite security and crypto researchers to check it out.
Note: the open source licenses are mostly AGPL so if you plan to use it in commercial or non-GPL software, you'll need an inexpensive commercial license.
Our client libraries are open source and can be found in our per-language tenant-security-client repos:
- tenant-security-client-go
- tenant-security-client-java
- tenant-security-client-nodejs
- tenant-security-client-php
We have a public demo application showing SaaS Shield with our S3 Proxy, Cloaked AI and Cloaked Search.
We're in the process of building out a single unified library that generates interfaces for various languages. It has most of the functionality of the tenant-security-clients and also contains all of the Cloaked AI vector encryption functionality.
That's all in our ironcore-alloy repo, which is written in Rust and is currently published to:
We have a public repo that lets anyone quickly get started using a docker container and test data: Try Cloaked Search.
We also have public benchmarks and published approaches to performance testing: Cloaked Search Perf.
The Data Control Platform (DCP) lets developers build access controls directly into their data, regardless of where it's stored. It is particularly good for end-to-end encryption use cases.
This platform uses a proxy re-encryption algorithm (we call it transform encryption in our docs) to encrypt to a public key, then delegate decryption rights to other public keys. DCP makes it possible to encrypt to a group key and have group administrators add or remove members at any time, effectively granting and revoking access to data that's encrypted to the group's public key.
The details can be found in the ACM paper Cryptographically Enforced Orthogonal Access Control at Scale.
The key libraries are audited and we have extensive documentation.
- Command line tools
  - ironhide -- command line tool for encrypting files to groups or users; can be used by anyone
  - ironoxide-cli -- command line interface for IronOxide functions to create users, devices, and groups; used by developers and admins
- High-level crypto libraries (these use recrypt)
  - ironoxide -- Rust library for interacting with the proxy re-encryption service
  - ironoxide-swift -- Swift bindings for ironoxide for iOS
  - ironoxide-swig-bindings -- bindings to ironoxide for
    ,
    , and
  - ironoxide-scala -- bindings to ironoxide for Scala
  - ironnode -- Node library for interacting with the proxy re-encryption service
  - ironweb -- web browser library for interacting with the proxy re-encryption service
- Low-level crypto libraries
  - recrypt-rs -- proxy re-encryption / transform cryptography library in Rust (audited, constant time)
  - gridiron -- constant time big number math library used by recrypt-rs
  - recrypt -- proxy re-encryption / transform cryptography library in Scala (audited, not constant time)
  - recrypt-wasm-binding -- build recrypt-rs for use in browsers
  - recrypt-node-binding -- build recrypt-rs for use in Node
- phonetic-normalizer -- store latin-language words in pseudo-phonetic form
- futurejs -- promise-alternative library for asynchronous operations
- cats-scalatest -- Scalatest bindings for Cats
IronCore Labs' community is a great way to contribute knowledge, learn, and otherwise participate in bringing better data security and privacy to apps.
- Discord server -- Get help, ask quick questions, show off your work, and get to know other IronCore Labs users.
- Forums -- Post feature requests, report bugs, ask questions, and have in-depth discussions about privacy and security.
IronCore Labs is a pioneering force in data privacy with proven security for AI data, cloud data, and encrypted search.
Founded in 2015 and headquartered in Boulder, Colorado, the company focuses on making application-layer encryption a pattern that is adopted by everyone to improve the security of all of us.