Keychain
The Keychain lets you confidentially store dataset encryption keys and other secrets.
Among other features, this enables you to reuse datasets across data clean rooms without having to re-upload them to Decentriq.
How it works
The Keychain operates like a traditional password manager. It derives from your password an encryption key. This key is used to locally encrypt the secrets (e.g. dataset encryption keys) you want to store in the Keychain. The encrypted secrets are then stored on the Decentriq Platform. They are retrieved when needed and the same password-derived encryption key is used to decrypt them.
As Decentriq does not have access to your password, Decentriq can never access the secrets stored in the Keychain.
Activate the Keychain
To interact with the Decentriq Platform, your Keychain must be activated. You will be able to create a password as soon as you sign in.
If you lose your password, you will have to reset it and lose access to all previously stored secrets.
For convenience, a key derived from your Keychain password is cached in your browsing session such that you don't need to type it every time it's required.
In your consecutive accesses to the platform, you just need to enter your password when prompted.
If you forgot your password, you can reset it. However, all your stored keys will be deleted from your Keychain.
Datasets will remain provisioned to all data clean rooms. No data will be lost.
If you want to change your password, you can do it at any time by accessing the Keychain page from the sidebar and clicking Change Keychain password in the options menu.
Store a dataset encryption key
As a Data Owner, start by clicking the Provision dataset button in a specific data node within a Data Clean Room:
Click on Import from my computer, as this is a new dataset:
Select the file from your computer. In this example, our file is called Bank Dataset.csv
Notice there is an option selected by default to store the encryption key in your Keychain.
Follow the steps in the screen.
In the last step, an encryption key will be generated locally to encrypt your dataset before it gets uploaded. Once the process is completed, this encryption key is going to be stored in your Keychain.
Browse the Keychain
To access the Keychain, you can click on the sidebar in the Decentriq UI.
Here you can find all your stored keys:
- Notice that the key used to encrypt your dataset is now stored in your Keychain.
- You can check the dataset details by clicking the view icon on the right side.
- Deleting the encryption key from your Keychain will not delete the dataset itself.
Reprovision a dataset to another Data Clean Room
As a Data Owner, if already provisioned a dataset from your computer and have its encryption key stored in your Keychain, you can provision this same dataset to another Data Clean Room without having to upload it again. To do so, start the process by clicking the Provision dataset button in a specific data node of a Data Clean Room.
Click on Choose from my stored datasets, as this is a dataset already stored in the Decentriq platform:
Now you can immediately select the desired dataset. In this example, our file is the same Bank Dataset.csv
The next will retrieve from your Keychain the encryption key for the selected dataset and provision it to the other Data Clean Room.
From the Data Clean Room or from the Datasets page, you can see the details of the dataset:
- Notice that it is now provisioned to 2 DCRs
- You can deprovision it from any DCR directly from this screen by clicking the “unlink” icon on the right side. The dataset will not be deleted, regardless of being provisioned to a DCR or not.
- To deprovision a dataset from all DCRs and delete it from the Decentriq platform, click the
Delete datasetbutton.
Python SDK integration
The same Decentriq UI flow can be achieved programmatically, using the Decentriq Python SDK.
To learn more, please follow the Keychain Cookbook.