Pain Point Case Study NP-21

RSA-4096 Multi-Party Encryption for Enterprise Data Sharing

anonym.community · 2026-03-14

Research Source

Symmetric Encryption Cannot Support Multi-Party PII Access
anonym.community March 2026 feature analysis

Symmetric encryption (AES-256-GCM) uses a single key for encryption and decryption. In multi-party workflows — legal discovery, regulatory submissions, audit reviews — sharing the symmetric key with one party shares it with all. There is no way to grant different access levels to different parties. RSA-4096 asymmetric encryption solves this by using public/private key pairs — different parties can hold different keys.

Executive Summary

Symmetric encryption shares one key with everyone. In legal, audit, and regulatory workflows, different parties need different access levels to the same anonymized data. Symmetric encryption cannot provide this.

cloak.business implements RSA-4096 asymmetric encryption (hybrid: RSA-4096 + AES-256-GCM). Each party generates a key pair. Data encrypted with a party's public key can only be decrypted with their private key. Different entities in the same document can be encrypted for different parties.

The Problem: One Key Fits All is Not Enterprise-Grade

Enterprise data sharing involves multiple parties with different authorization levels. In eDiscovery, outside counsel needs full PII access, opposing counsel gets redacted versions, and the court receives a third view. In regulatory submissions, the DPA sees identified data, while public filings show anonymized data. In audit workflows, auditors need specific PII categories while others remain hidden. Symmetric encryption cannot differentiate — anyone with the key sees everything.

Irreducible truth: Multi-party access control requires asymmetric encryption. Symmetric encryption provides all-or-nothing access — either you have the key and see everything, or you don't and see nothing. There is no middle ground.

The Solution: How cloak.business Addresses This

RSA-4096 Key Pair Management

cloak.business provides an API for RSA-4096 key pair generation and management. Each authorized party generates a key pair via the API or SDK. Public keys are shared; private keys remain with the party. The API supports key creation, retrieval, rotation, and revocation.

Hybrid Encryption (RSA-4096 + AES-256-GCM)

For performance, cloak.business uses hybrid encryption: each entity value is encrypted with AES-256-GCM (fast), and the AES key is encrypted with RSA-4096 (secure key exchange). The output (~730 chars per entity) contains both the encrypted value and the encrypted AES key. Only the private key holder can decrypt.

Per-Entity Recipient Control

Different entity types in the same document can be encrypted for different recipients. Names encrypted for counsel (their public key), financial data encrypted for the auditor (their public key), addresses encrypted for the regulator (their public key). Each recipient decrypts only their assigned entities.
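The hybrid scheme and per-entity routing described in the two sections above, as an added example built on Node's built-in crypto module; it is not the cloak.business SDK or its wire format. The function names, the envelope layout, the use of RSA-OAEP with SHA-256, and the binding of the entity type as GCM associated data are assumptions; the page states only RSA-4096 plus AES-256-GCM.

```javascript
// Added example: constructed envelope layout, not the cloak.business SDK or wire format.
const crypto = require("node:crypto");

// Each party generates its own pair and shares only the public key.
function generateParty(modulusLength = 4096) {
  return crypto.generateKeyPairSync("rsa", { modulusLength });
}

const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" });

// Assumed layout: base64( RSA-wrapped AES key || iv(12) || tag(16) || ciphertext )
function encryptEntity(type, value, recipientPublicKey) {
  const aesKey = crypto.randomBytes(32); // fresh AES-256 key per entity
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  cipher.setAAD(Buffer.from(type, "utf8")); // bind the ciphertext to its entity type
  const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  const wrapped = crypto.publicEncrypt(oaep(recipientPublicKey), aesKey);
  return Buffer.concat([wrapped, iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptEntity(type, blob, privateKey) {
  const buf = Buffer.from(blob, "base64");
  const n = privateKey.asymmetricKeyDetails.modulusLength / 8; // wrapped-key length in bytes
  const aesKey = crypto.privateDecrypt(oaep(privateKey), buf.subarray(0, n));
  const d = crypto.createDecipheriv("aes-256-gcm", aesKey, buf.subarray(n, n + 12));
  d.setAAD(Buffer.from(type, "utf8"));
  d.setAuthTag(buf.subarray(n + 12, n + 28));
  return Buffer.concat([d.update(buf.subarray(n + 28)), d.final()]).toString("utf8");
}

// policy maps entity type -> recipient public key; unmapped types fail closed.
function encryptForRecipients(entities, policy) {
  return entities.map(({ type, value }) => {
    if (!Object.hasOwn(policy, type)) throw new Error(`no recipient assigned for ${type}`);
    return { type, blob: encryptEntity(type, value, policy[type]) };
  });
}

// A party recovers only entities encrypted to its key; the rest come back null.
function viewAs(privateKey, encrypted) {
  return encrypted.map(({ type, blob }) => {
    try { return decryptEntity(type, blob, privateKey); } catch { return null; }
  });
}
```

With a 4096-bit key the RSA-wrapped AES key alone is 512 bytes (684 base64 characters), so an envelope in this constructed layout lands in the same range as the roughly 730 characters per entity quoted above.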

SDK Integration

Both JavaScript (npm install @cloak-business/sdk) and Python (pip install cloak-business) SDKs support RSA-4096 key pair generation and hybrid encryption/decryption. The ClientCrypto module handles all cryptographic operations client-side.

Symmetric vs. Asymmetric Encryption for Multi-Party Workflows

| Feature | cloak.business RSA-4096 | Standard AES-256-GCM |
| --- | --- | --- |
| Key model | Public/private key pairs | Single shared key |
| Multi-party access | Different keys per party | Same key for everyone |
| Per-entity control | Yes — different recipients per entity type | No — all-or-nothing |
| Key sharing risk | Public key only (safe to share) | Secret key must be shared |
| Output size | ~730 chars per entity | ~88 chars per entity |
| Use case | Legal, audit, regulatory | Internal workflows |

Compliance Mapping

This feature directly supports GDPR Article 5(1)(f) (confidentiality — cryptographic access control), eDiscovery privilege requirements (FRCP Rule 26(b)(5)), and regulatory submission workflows where different authorities require different access levels.

cloak.business's GDPR, HIPAA, PCI-DSS, ISO 27001, and SOC 2 compliance coverage, combined with customer-selected hosting, provides documented technical measures that organizations can reference in their compliance documentation.

Product Specifications

| Specification | Value |
| --- | --- |
| Entity Types | 320+ |
| Detection | 3-layer hybrid: Presidio + NLP + Stance classification |
| Test Coverage | 100% (419/419 tests) |
| Languages | 48 |
| Anonymization Methods | Replace, Redact, Mask, Hash, Encrypt (AES-256-GCM), RSA-4096 Asymmetric, Keep |
| Platforms | Web App, REST API, SDKs (JavaScript, Python), Cloud Storage Add-ins, Nextcloud |
| Pricing | Enterprise (custom) |
| Hosting | Customer-selected |
| Compliance | GDPR, HIPAA, PCI-DSS, ISO 27001, SOC 2 |

Limitations & Considerations

Integration Complexity: Organizations implementing this solution should expect comprehensive organizational assessment, compliance framework evaluation, and technical infrastructure review before deployment. Integration complexity varies based on existing systems, data workflows, and regulatory requirements.

Data Volume Scaling: Performance characteristics vary with data volume, document format diversity, and entity pattern complexity. Organizations processing high-volume document streams should conduct benchmark testing with representative samples to validate throughput and accuracy targets.

Team Training Requirements: Requires 2-4 weeks of onboarding for security and compliance teams to configure custom entity patterns, establish organizational policies, and integrate with existing workflows. Dedicated privacy engineering resources accelerate deployment.

Not for: Organizations without dedicated privacy engineering resources or regulatory compliance mandates may find simpler solutions more cost-effective. Best suited for teams with stringent data protection requirements (GDPR, HIPAA, CCPA).