  • December 07, 2023

Product Update — 2023 Roundup

Given it is the end of the year, we thought we’d reflect on all the products and features we’ve shipped this year. However, doing a ‘quick roundup’ of this year’s releases is... lengthy, to say the least, so we decided to highlight some of our favorites. In order of appearance…

Our website and developer documentation got a new look

We kicked off the year with a fresh coat of paint on Evervault.com

Payments: UI Components for Collecting Cards

In February, we added two key features to Inputs, making collecting user cards much more flexible:

  • Localize your form by providing custom values for labels and placeholders. You can see how localization works and try it out yourself by watching this demo and using it on Replit.
  • Customize your form to prevent rendering unused fields. Not every transaction requires entering a CVV. To support this, a disableCVV boolean can now be passed to Inputs. When set to true it will prevent Inputs from rendering that field. The Supported Settings section of the Inputs docs has been updated to reflect these changes.

Made Encryptions in E3 4x faster

As part of a broader effort to improve the tail latency of requests to E3, the default elliptic curve used throughout the system was migrated in March from SECP256K1 (best known as the Bitcoin curve) to SECP256R1. This migration increased the throughput of individual encrypt operations by 4x.

Open-source Cages

In March, we also made the source code for our Cages product publicly available. This allows developers to view the code deployed alongside their process in an enclave. This is crucial for one of Cages' main features: cryptographic attestation. Developers can now verify that the official Cages runtime and their own process are running untampered within the enclave. You can access the source code for the Cages runtime and the associated CLI on GitHub. Check out our deep dive series on how we built Cages, starting with Building Enclaves Easily.

Supporting attestation by default

Developers can verify that the official Cage runtime and their own process are running untampered within the enclave. Throughout the year we released a series of features that made it easier for developers to leverage the security offered by attestation. Some highlights include:

  • We open-sourced our Evervault Attestation Bindings project. This contains the logic used by each Evervault client SDK to attest its connection to a Cage. The project is written in Rust but exposes bindings to Node, Python, Kotlin and Swift.
  • We introduced the ability to lock a Cage down to only be deployed using specific signing certs. While we require that every Cage image is signed ahead of deployment, introducing a lock lets teams scope down deployment access and makes it easier to attest connections using the public key’s checksum.
  • Within a deployed Cage, all requests sent to E3 to encrypt or decrypt data were updated to use a token provisioned through an attestation handshake. Before the Cage calls E3, it calls an internal Evervault service and provides it with an attestation document. That attestation document is validated, and its PCRs are checked against the expected values from the uploaded image. If the attestation fails, the Cage can’t encrypt or decrypt any data.
  • We released attestation with trusted certs, which makes it possible to invoke and attest your Cage from client devices (e.g. an end user’s mobile device) without having to trust an Evervault CA. This lets you offer your users peace of mind that the service they’re interacting with is running the expected bundle, and is being hit directly from their device.
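The token handshake in the third bullet above can be sketched as follows. This is an added example, not Evervault's code: it assumes the attestation document's signature has already been verified, and the PCR names, digest values and `issue_crypto_token` service are hypothetical.

```python
import hmac
import secrets

# Constructed sample digests standing in for the PCRs recorded for the uploaded image.
EXPECTED_PCRS = {
    "PCR0": "a1" * 48,
    "PCR1": "b2" * 48,
    "PCR2": "c3" * 48,
    "PCR8": "d4" * 48,
}


class AttestationError(Exception):
    """Raised when a presented measurement does not match the expected image."""


def check_pcrs(presented: dict, expected: dict) -> None:
    """Fail closed unless every expected PCR is present and equal."""
    for name, want in expected.items():
        got = presented.get(name)
        if not isinstance(got, str):
            raise AttestationError(f"{name} missing from attestation document")
        # Normalise hex case, then compare in constant time.
        if not hmac.compare_digest(got.lower().encode(), want.lower().encode()):
            raise AttestationError(f"{name} does not match the uploaded image")


def issue_crypto_token(presented: dict, expected: dict = EXPECTED_PCRS) -> str:
    """Hypothetical token service: a token is minted only after the PCR check passes."""
    check_pcrs(presented, expected)
    return secrets.token_urlsafe(32)


def try_issue(presented: dict):
    """Return (token, None) on success or (None, reason) when attestation fails."""
    try:
        return issue_crypto_token(presented), None
    except AttestationError as exc:
        return None, str(exc)


if __name__ == "__main__":
    tampered = {**EXPECTED_PCRS, "PCR2": "00" * 48}
    print(try_issue(dict(EXPECTED_PCRS))[1])  # no error: token issued
    print(try_issue(tampered)[1])             # reason the token was refused
```

Without a token the caller has nothing to present to the encrypt and decrypt endpoints, which is the fail-closed behaviour the bullet describes.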

Use our developer guides to follow along with specific use cases

March also marked the launch of Evervault Guides, a new section of our documentation dedicated to providing instructions on building common use cases with Evervault across various tech stacks. Each guide includes a link to a Replit with runnable code and a GitHub repository that can be configured for easy following. Some notable highlights include:

Customer Spotlight

In April, we created a page to highlight the innovative ways our customers are utilizing Evervault. Check out how Humaans encrypts third-party API credentials or how Meili achieved PCI compliance in days.

Easily encrypt files with Relay

Relays have the ability to encrypt and decrypt files. To witness file encryption in action, refer to our guide on how to encrypt a file and upload it to S3.

If you're interested in seeing it in action, take a look at how Swan encrypts customer video files.

Decrypt API

Launching the Decrypt API gave Evervault customers the ability to perform one-time decryption of their previously encrypted data, allowing them to create entirely new workflows. The API has been integrated into all of our SDKs, making it effortless to begin. Furthermore, the Decrypt API is accessible as a standard REST API for platforms that currently lack SDK support. In addition to the flexibility provided by the Decrypt API, we have also introduced an Encrypt API that simplifies programmatic data encryption. Check out the docs to get started with the Decrypt API.

Our very own podcast

In July, our founder Shane started a podcast! Join the team as we "decrypt" data security and development across the industry. Each episode features guests from Vanta, Tines, Circle, and other security leaders. They discuss how teams handle sensitive customer data, address technical challenges, and navigate the ever-evolving industry trends.

End-to-end PCI Compliance

In August, we revamped our PCI Compliance solution to include our latest product features and extended compliance service. Using Evervault to accelerate PCI compliance allows you to collect and process cardholder data without the usual regulatory and compliance challenges. We follow a few simple steps to expedite time-to-compliance:

  1. Initial consultation - We will collaborate with you to understand your architecture and provide recommendations on how to integrate Evervault, minimizing your compliance scope.
  2. Technical integration - You will integrate Evervault using one of our architecture templates, and we will verify your integration for full compliance.
  3. Auditor introduction - We will supply you with an audit-ready bundle of PCI DSS policies and procedures, along with our PCI DSS Attestation of Compliance (AoC). Additionally, we will introduce you to an auditor familiar with Evervault's architecture.

To learn more about our PCI Compliance solution, or to schedule a consultation with our team, simply respond to this email.

Payments: Card Reveal

Reveal allows you to display plaintext cardholder data to your end users without increasing your PCI Compliance scope. Encrypted cardholder data from Evervault can be securely passed to Reveal, which is a hosted secure iframe element. This workflow ensures that the plaintext cardholder data never touches your infrastructure, thereby minimizing your PCI compliance scope.

Reveal is fully customizable and can be easily updated to match your design system using a simple CSS configuration.

To get started, please refer to the Evervault Reveal docs at https://docs.evervault.com/products/inputs#reveal.

Client Side Tokens:

A couple months ago, we introduced Client Side Tokens. These are versatile and short-lived tokens that frontend applications can utilize to perform various actions, like running Functions or decrypting data. Client Side Tokens are restricted to specific payloads.

By default, a Client Side Token expires 5 minutes after it is created. The maximum time to live is 10 minutes. When using the REST API, the expiry field must be in epoch milliseconds. Take a look at our docs if you’re interested.
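A common mistake with an epoch-millisecond expiry is sending epoch seconds, which lands decades in the past. The following added example (not from the Evervault SDKs; the function names and return labels are hypothetical) computes an expiry within the 5 and 10 minute limits stated above and checks a value before it is sent.

```python
import time

DEFAULT_TTL_MS = 5 * 60 * 1000   # default lifetime stated above: 5 minutes
MAX_TTL_MS = 10 * 60 * 1000      # maximum lifetime stated above: 10 minutes


def _now_ms() -> int:
    return int(time.time() * 1000)


def token_expiry_ms(ttl_seconds=None, now_ms=None) -> int:
    """Return an absolute expiry in epoch milliseconds for a requested lifetime."""
    now_ms = _now_ms() if now_ms is None else now_ms
    ttl_ms = DEFAULT_TTL_MS if ttl_seconds is None else int(ttl_seconds * 1000)
    if ttl_ms <= 0:
        raise ValueError("lifetime must be positive")
    if ttl_ms > MAX_TTL_MS:
        raise ValueError("lifetime exceeds the 10 minute maximum")
    return now_ms + ttl_ms


def check_expiry_ms(expiry: int, now_ms=None) -> str:
    """Classify an expiry value: 'ok', 'seconds', 'expired' or 'too_long'."""
    now_ms = _now_ms() if now_ms is None else now_ms
    # A value that only becomes a valid expiry after multiplying by 1000
    # was almost certainly produced in epoch seconds.
    if now_ms < expiry * 1000 <= now_ms + MAX_TTL_MS:
        return "seconds"
    if expiry <= now_ms:
        return "expired"
    if expiry > now_ms + MAX_TTL_MS:
        return "too_long"
    return "ok"


if __name__ == "__main__":
    exp = token_expiry_ms(ttl_seconds=120)
    print(exp, check_expiry_ms(exp))
    print(check_expiry_ms(int(time.time()) + 120))  # seconds passed by mistake
```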

Data Policies: fine-grained access control for encrypted data

In November, we launched Data Policies, the newest feature in Evervault's core platform. Data Policies guarantee that when you encrypt sensitive data, that data can only be used for its intended purpose.

Data Policies are a set of conditions that you establish, which determine how and when data can be decrypted. These can be based on a multitude of parameters such as the type of data, its geographical location, a timestamp, or specific user permissions.

By incorporating this added functionality into Evervault's encrypted data workflows, the risk of data misuse is reduced, resulting in significantly hardened data security.

Read about the full release here

Deep dive into our year in review:

If you want to take a closer look, check out any of this year’s updates:

Lastly, thank you for all your customer feedback and requests driving our roadmap; we love hearing from you on how you’re using Evervault in your product. We look forward to building with your projects in mind next year.
