A New Paradigm for Embedded Private Storage: Integration Practices of DMAIL and Storacha

Author: Dhruv Varshney (Devrel at Storacha)

1. Core Pain Points and Innovative Solutions

In the ecosystem of decentralized applications, “secure storage” and “user experience” are often difficult to balance. As an application aimed at decentralized users, DMAIL urgently needs to provide wallet-native private storage services, but faces two major challenges: first, users are reluctant to manage complex encryption keys, and second, traditional enterprise storage integration processes are cumbersome and can disrupt the existing product experience.

To address this pain point, Storacha proposed a groundbreaking iframe integration model: encapsulating military-grade encrypted storage functionality as an embeddable iframe component, which can be integrated into any single sign-on (SSO) system in about 30 minutes. DMAIL became the first case of this model, and its universality is strong, allowing any application to quickly reuse it through “copy and paste”.

2. Core Features: Making Encrypted Storage “Zero Threshold”

The private storage solution built by Storacha for DMAIL focuses on achieving a balance between “enterprise-level security” and “lightweight usage”, specifically featuring five major characteristics:

Feature Description
End-to-End Encryption Files are encrypted before leaving the user’s device, ensuring that data transmission and storage are encrypted throughout.
Zero-Knowledge Architecture Even Storacha itself cannot view users’ plaintext data, fundamentally ensuring data privacy.
Seamless Native Integration Through iframe embedding, the functionality is fully integrated into the DMAIL workspace, requiring no adaptation to new operational processes by users.
Lightweight Compliance Meets enterprise-level data compliance requirements while eliminating the complex configurations and operational costs of traditional storage.
Flexible Permission Management Supports instant file sharing, precise permission granting, and the ability to revoke access at any time, making operations efficient and convenient.

The technical core supporting these features consists of three parts:

  1. UCAN (User Controlled Authorization Network): Replaces traditional centralized authorization servers, achieving identity verification and permission management through “decentralized permission slips”.
  2. Client-Side Encryption: Utilizes the AES-256-CTR algorithm, balancing encryption strength and processing efficiency, supporting “stream encryption” for large files.
  3. Iframe Integration Layer: Achieves seamless connection between storage functionality and application native features through standardized iframe interfaces.

3. Actual Operation Process: Full Link from Verification to Usage

1. SSO Identity Verification Completed in 3 Seconds

In the DMAIL workspace, users can see various functional components such as encryption analysis and portfolio tracking. When clicking on the Storacha storage component, the Storacha console will be embedded in the page as an iframe, with identity verification quickly completed through the “SSO Bridge”:

  • Step 1: Initiate Verification: DMAIL sends user credentials to the Storacha iframe via postMessage, including email, user ID, session token, etc. The code example is as follows:

// DMAIL sends authentication data to Storacha parent.postMessage({ type: ‘AUTH_DATA’, provider: ‘dmail’, mail: user.email, userId: user.id, sessionToken: user.token }, ‘https://console.storacha.network’)

  • Step 2: Verification and Authorization: After Storacha verifies the validity of the SSO token, it generates a UCAN authorization credential, confirming user permissions. The entire process takes about 3 seconds, and users do not need to log in again.

// Storacha generates UCAN authorization const userDID = await validatesS0Token(ssoData) const delegation = await createSpaceDelegation({ issuer: serviceDID, audience: userDID, capabilities: [‘space/*’] })

2. “Private Space”: Encrypted Isolated Storage Unit

After successful identity verification, users can create a dedicated “private space”—essentially an encrypted folder, with each space equipped with an independent RSA key pair to achieve encryption isolation of different space data, further enhancing data security.

4. Encryption Architecture: Full Process Security from Upload to Download

Storacha adopts a “client-side encryption + key management” dual-layer architecture to ensure the security of files throughout their lifecycle, with specific processes divided into upload and download:

1. Upload Process: Local Encryption, Secure Key Management

  1. The user drags files into the “private space”, triggering the upload;
  2. The browser automatically generates a 256-bit AES symmetric key;
  3. Files are “stream encrypted” using the AES-256-CTR algorithm (no need to load the entire file into memory, supporting large files);
  4. The AES key is sent to Storacha’s UCAN-KMS (Key Management Service) server;
  5. After UCAN-KMS verifies user permissions, it encrypts the AES key;
  6. The encrypted file and encrypted key metadata are stored in IPFS (InterPlanetary File System).

2. Download Process: Permission Verification, Local Decryption

  1. The user (or authorized user) initiates a download request;
  2. Storacha verifies the user’s UCAN authorization credential to confirm access permissions;
  3. UCAN-KMS decrypts the AES key and sends it to the user’s browser;
  4. The browser uses the AES key to locally decrypt the file, allowing the user to obtain plaintext data.

Through this process, users can enjoy a convenient experience similar to Dropbox while receiving military-grade encryption protection, mathematically ensuring that only the user can access plaintext data.

5. UCAN: The Core of Decentralized Permission Management

UCAN (User Controlled Authorization Network) is the “permission brain” of the entire solution, freeing itself from reliance on centralized servers and achieving flexible and secure permission management through “decentralized permission slips”. Its core capabilities include:

1. Fine-Grained Permission Granting

Users can assign permissions precisely based on scenarios, for example: Alice can create a UCAN allowing “Bob to decrypt files in the ‘legal documents’ space for 30 days, but not upload”, with the code example as follows:

<span><span><span>// Alice creates permission authorization for Bob const delegation = await createDelegation({ issuer: alice.did, // Authorizer identity audience: bob.did, // Authorized identity capabilities: ['space/content/decrypt'], // Permission: only decrypt with: 'did:key:alice-legal-docs-space', // Authorization scope: legal documents space expiration: Math.floor(Date.now() / 1000) + (30 * 24 * 60 * 60) // Valid for 30 days }) // Bob uses authorization to access the file const file = await decryptFile(cid, { proofs: [delegation] })</span></span></span>

2. Instant Permission Revocation

Users can mark issued UCANs as “revoked” at any time in the system, immediately terminating access for the authorized party without waiting for the permission to expire, effectively mitigating the risk of data leakage.

3. Auditable Delegation Chain

Supports “secondary delegation of permissions”: Bob can delegate part of the permissions (such as “viewing a certain contract”) within the scope granted by Alice to Carol, and the entire delegation process forms a traceable audit chain, facilitating compliance review and permission tracing.

6. Underlying Architecture: Dual Assurance of Security and Flexibility

Storacha’s architecture design revolves around “user data sovereignty” and “development flexibility”, with key components and features as follows:

1. UCAN-KMS Server: The “Neutral Hub” for Permissions and Keys

As the core connecting UCAN authorization and key management, the UCAN-KMS server is responsible for only two tasks: verifying the validity of UCAN tokens and executing key encryption/decryption based on permissions, without ever touching user plaintext data or storing UCAN tokens, fundamentally eliminating the risk of data leakage.

2. Strong Isolation and Auditable Design

  • Space Isolation: Each “private space” has an independent RSA key pair, ensuring encryption isolation of different space data without interference;
  • Operation Auditing: All operations such as encryption, decryption, and permission changes generate logs, meeting enterprise compliance audit requirements;
  • Permission Enforcement: Any operation (such as file upload or download) must provide a valid UCAN credential; without permission, the operation cannot be executed.

3. Modular and Provider Independence

Through the CryptoAdapter interface, it achieves “decoupling from key management service providers”: DMAIL can switch between different KMS providers (even Lit protocol) as needed without modifying client code, greatly enhancing development flexibility.

7. Universal Integration: Private Storage Access in 1 Hour

The iframe integration model of Storacha is applicable to all SSO providers, whether productivity tools, messaging platforms, or collaboration applications, and can be completed in about 1 hour. Storacha also provides a testing environment (<span><span>console.storacha.network/test-iframe</span></span>), facilitating quick debugging for developers.

Three-Step Integration Process

Step 1: Embed the Storacha Console as an iframe

By creating an iframe and embedding it into the application page, the example is as follows:

const iframe = document.createElement(‘iframe’) iframe.src = ‘https://console.storacha.network/iframe?sso=your-provider’ // Replace with your SSO identifier iframe.style.width = ‘400px’ iframe.style.height = ‘600px’ iframe.title = ‘Storacha Console’ iframe.referrerPolicy = ‘origin’ // Configure iframe permissions to ensure functionality iframe.sandbox = ‘allow-scripts allow-same-origin allow-forms allow-popups allow-top-navigation-by-user-activation allow-downloads’ iframe.allow = ‘payment’ document.body.appendChild(iframe

Step 2: Pass Authentication Data via postMessage

Listen for messages from the iframe, and when receiving the “console ready” signal, send user authentication data:

let communicationPort = null  // Listen for messages from the Storacha iframe window.addEventListener('message', (event) =&gt; {   if (event.origin !== 'https://console.storacha.network') return // Validate message source      if (event.data.type === 'CONSOLE_READY') {     if (event.ports &amp;&amp; event.ports.length &gt; 0) {       communicationPort = event.ports[0]       communicationPort.onmessage = handlePortMessage // Bind message handling function     }   } })  // Handle login request, send authentication data function handlePortMessage(event) {   const { data } = event   if (data.type === 'LOGIN_REQUEST') {     const authData = {       type: 'AUTH_DATA',       authProvider: 'your-provider',       externalUserId: 'user123', // Application internal user ID       externalSessionToken: 'session-jwt-token', // User session token       email: '[email protected]'     }     communicationPort.postMessage(authData)   } }

Step 3: Handle Callbacks and Status Feedback

Listen for the authentication status returned by Storacha (success/failure) and perform corresponding actions:

<span><span><span>function handlePortMessage(event) { const { data } = event switch (data.type) { case 'LOGIN_REQUEST': // Send authentication data (code as above) break case 'LOGIN_STATUS': console.log('Authentication status:', data.status) // e.g., "Verifying" break case 'LOGIN_COMPLETED': if (data.status === 'success') { handleAuthSuccess(data) // Success: Load user's "private space" } else { handleAuthError(data.error) // Failure: Prompt error (e.g., token expired) } break } }</span></span></span>

Integration Advantages: “Zero Encryption Threshold” for Developers

By adopting this model, application developers do not need to focus on the details of encryption technology—Storacha handles complex tasks such as key management, data encryption, and UCAN authorization throughout, allowing applications to simply complete the “pass user credentials” and “listen for callbacks” actions to provide users with enterprise-level private storage services.

8. Conclusion: Breakthrough from Case to Industry Paradigm

The integration of DMAIL and Storacha not only addresses the private storage needs of a single application but also creates a replicable industry paradigm, with its core value reflected in three aspects:

  1. Revolution in User Experience: Users gain a convenient storage experience with “native embedding”, while having absolute control over their data, allowing for precise permission management, instant revocation of authorizations, and no need to manage encryption keys;
  2. Disruption in Development Efficiency: Traditional encryption storage development, which takes months (involving stream encryption, key management, audit logs, etc.), is simplified to “an afternoon” of integration work through the iframe model;
  3. Universal Lightweight Solution: Any SSO provider can offer encrypted storage services without hiring cryptographers or building complex infrastructure, while meeting compliance requirements.

The essence of this model is to make “complex encryption technology invisible”, allowing both application developers and users to enjoy the highest level of data security at the lowest cost, providing a new approach to storage solutions for the decentralized application ecosystem.

Leave a Comment