Encryption
Arweave has no built-in encryption. All encryption and decryption must be handled client-side before uploading data to the network. Arweave is completely data-agnostic - it stores whatever data you provide without any knowledge of whether it's encrypted or not.
How Encryption Works on Arweave
Critical Points:
- No native encryption: Arweave provides no encryption services whatsoever
- Client-side only: You must encrypt data before uploading
- Data-agnostic storage: Arweave stores any data type, including encrypted data
- Your responsibility: You handle all encryption, key management, and decryption
- Permanent security: Once encrypted and stored, data remains secure forever
Encryption Options
1. Manual Client-Side Encryption
Encrypt your data before uploading with Turbo:
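// Encrypt sensitive data with AES-256-GCM using the Web Crypto API
const data = new TextEncoder().encode("Sensitive information");
// 256-bit key. In production, load it from secure key storage; without the
// key the upload can never be decrypted.
const key = await crypto.subtle.generateKey(
  { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]
);
// Fresh random 12-byte IV for every upload; never reuse an IV with the same key
const iv = crypto.getRandomValues(new Uint8Array(12));
const encryptedData = new Uint8Array(
  await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data)
);

// Upload encrypted data (`turbo` is an authenticated Turbo client created beforehand)
const result = await turbo.upload({
  data: encryptedData,
  dataItemOpts: {
    tags: [
      { name: "Content-Type", value: "application/octet-stream" },
      { name: "Encrypted", value: "true" },
      { name: "Cipher", value: "AES-256-GCM" },
      { name: "Cipher-IV", value: btoa(String.fromCharCode(...iv)) }, // 12 byte initialization vector as Base64
    ],
  },
});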
Encryption Standards
Encryption Methods
- AES-256-GCM: Authenticated encryption (recommended)
- AES-256-CTR: Stream cipher for large files
- Any encryption method: Arweave supports any encryption you choose (must be indicated in the Cipher tag for ArFS compliance)
Required Tags
When uploading encrypted data, include these tags:
{
  name: "Content-Type",
  value: "application/octet-stream" // Required for encrypted data
},
{
  name: "Cipher",
  value: "AES-256-GCM" // Specify encryption method
},
{
  name: "Cipher-IV",
  value: "base64-encoded-iv" // Initialization vector
}
ArFS Protocol (Optional Standardization)
The Arweave File System (ArFS) protocol provides optional standardization for encrypted storage:
- Private Drives: Encrypt entire file systems
- File-level encryption: Each file has its own encryption key
- Selective sharing: Share individual files without exposing the entire drive
- Key derivation: Uses HKDF-SHA256 with wallet signatures
- Completely optional: You can use any encryption method you prefer
ArDrive Web App: Data uploaded through the ArDrive web app to Private Drives is encrypted for you using the standards set in the ArFS protocol. ArDrive is simply a web application that implements ArFS - there is no separate "ArDrive Encryption Service."
ArFS Privacy: To learn more about ArFS encryption schema, key derivation, and private drive management, see our detailed ArFS Privacy & Encryption documentation.
Getting Started
For most users, the ArDrive web app provides the easiest way to encrypt and store data using ArFS standards:
1. Create a private drive in the ArDrive web app
2. Set a strong password for your drive
3. Upload files - they're automatically encrypted using ArFS
4. Access files using your password and wallet
For developers who need custom encryption:
1. Choose an encryption library (Crypto-JS, Web Crypto API)
2. Encrypt your data before uploading
3. Add proper tags to indicate encryption
4. Store keys securely for decryption
Security Considerations
Important: Never store encryption keys in your code or public repositories. Use secure key management practices and consider hardware security modules for production applications.
Best Practices:
- Use strong, randomly generated keys
- Implement proper key rotation
- Store keys securely (not in code)
- Use authenticated encryption (AES-GCM)
- Validate data integrity after decryption
Next Steps
Try ArDrive Web App
Use the ArDrive web app for easy encrypted file storage using ArFS.
Learn About ArFS
Explore the Arweave File System protocol for structured storage.
Get Turbo Credits
Purchase credits for programmatic uploads.