Cryptify makes secure, privacy-friendly online file sharing easy

Cryptify and IRMA

"As a lecturer at Radboud University and researcher at Privacy by Design, my focuses include making cryptographic applications accessible and convenient, and promoting their adoption," says Hanna. "The Cryptify platform was a spin-off of our e-mail encryption initiative. Refining mail encryption and making it genuinely user-friendly is a long-haul project, so we additionally wanted a way of making encryption available to the public in the short term. That led to us getting involved with something that many people do on a daily basis: sharing files over the internet." The aim was to develop a convenient and secure platform for encrypted file sharing, where the privacy of senders and recipients are protected. And that was realised by utilising the IRMA identity platform. Arjen: "Privacy by Design approached us about developing the backend for Cryptify, and we immediately liked the sound of the idea. I first came across IRMA while studying at Radboud University. And, here at Tweede golf, where I now work, we have several projects running where IRMA has an important role." "The platform's frontend was created by a specialist developer at Privacy by Design," continues Hanna. "We then asked Tweede golf to build the backend, which they did using the Rust open-source programming language. Everything went quickly, because of Tweede golf's familiarity with IRMA and involvement in privacy, encryption and security." Arjen echoes that view, adding, "Collaboration between the frontend and backend teams was very smooth. As a result, the backend only took a few weeks to build."

Secure file encryption and sharing

Cryptify remains under active development, but a prototype of the platform is already available for use. At cryptify.nl, you can upload files of up to 2GB. Next, you give your own e-mail address and the recipient's before clicking 'Encrypt and send'. The files are then encrypted, and a download link is mailed to the recipient. In order to download and decrypt the files, the recipient has to scan a QR code using the IRMA app. The app discloses only the user's e-mail address to the platform, as evidence that the user is the intended recipient. "The neat thing about Cryptify is that files are encrypted by the sender's browser, before they go to the platform's server," explains Arjen. "So the file contents can never be accessed by anyone unauthorised, even if they manage to hack the server." Arjen adds that Cryptify partners with hosting firm ProcoliX to enable the secure processing of platform users' data. "It's worth emphasising that we process only the data that's strictly necessary for the Cryptify service to work. ProcoliX temporarily saves the encrypted files uploaded by senders, but they don't know anything about the contents of the files. That's because the keys needed for decryption are retained by Privacy by Design. Separating the files from the keys means that neither organisation can independently access any file content. In other words, the set-up assures users' security and privacy."

Support from SIDN Fund

"SIDN Fund's financial support enabled us to start the development of Cryptify," says Hanna. "The Fund therefore played a major part in our story. And, of course, IRMA and SIDN collaborate. We also tapped into the SIDN, SIDN Fund and IRMA communities to help us test the Cryptify prototype and gather feedback. We intend to use the input to make Cryptify as secure and user-friendly as possible." Mieke van Heesewijk, Deputy Director at SIDN Fund, explains the Fund's thinking. "Cryptify serves as an excellent example of how IRMA can be used. Because the tool's user-centred design has been thought through so carefully, we're expecting it to prove very popular. And that will help to drive the adoption of IRMA."

IRMA: the passport to the internet

Hanna takes up the narrative: "Although Cryptify is already available for use, there are various aspects that we want to refine and improve. One important item on the 'to do' list is sender authentication. At the moment, recipients have to identify themselves using the IRMA app, but senders don't. The idea is therefore to add IRMA-based sender authentication, so the recipient can be sure who sent the file. We'd also like to add a number of optional and user-configurable features to the platform. For example, a sender currently has to identify the correct recipient using their e-mail address. However, it would be useful to local authorities if they could say who a file is for by specifying the recipient's Public Service Number." According to Arjen, "The challenge with the features is enabling them without making Cryptify more complicated for the user. You want users to have choice, but you also want the application to remain understandable and easy to use." "In the future, I'd love to see IRMA become the passport to the internet," confirms Hanna. "It would be great if identifying yourself with IRMA was an everyday thing – what you do when you call the doctor, send files, join a virtual meeting or digitally sign a document." Arjen is positive about that vision of the future, but adds, "Personally, I'm attracted by the technical challenge of making an application like Cryptify as efficient, convenient and trustworthy as possible. My ultimate goal is that the most secure, privacy-friendly way of communicating over the internet is also the easiest to use." Visit www.cryptify.nl to try out the platform's current version for sending encrypted files. More information about the IRMA app is available at https://irma.app/.