What is CDR?
Confidential Data Rails (CDR) is Story’s application layer for threshold-encrypted data on Story L1. Under the hood, it uses the validator network’s DKG-generated (distributed key generation) public key so you can encrypt secrets such that no single party ever holds the complete decryption key. Data can only be decrypted when a threshold number of validators collectively provide partial decryptions, with access control enforced on-chain via smart contracts. The validator-side DKG and partial decryption flows run inside story-kernel TEEs (Intel SGX enclaves).
CDR enables powerful use cases like:
- Secret sharing - encrypt and share secrets that only specific wallets can decrypt
- Data marketplaces - sell access to encrypted data with on-chain payment enforcement
- IP-gated content - tie encrypted data to IP Assets and require license tokens to decrypt
How It Works
CDR revolves around vaults. Each vault stores encrypted data and has two configurable access control conditions:
- Write Condition - determines who can store encrypted data in the vault
- Read Condition - determines who can request decryption of the vault’s data
When a condition address matches the caller’s address (e.g., your wallet is set as the read condition), CDR skips the condition check entirely. This is the simplest access control pattern.
Encryption Flow
- Allocate a vault on-chain with your desired read/write conditions
- Fetch the DKG global public key from the validator network
- Encrypt your data locally using TDH2 threshold encryption
- Write the encrypted ciphertext to the vault on-chain
Decryption Flow
- Generate an ephemeral keypair (used only for this decryption session)
- Submit a read request on-chain (validated against the read condition)
- Collect partial decryptions from validators (need a threshold number)
- Combine the partials client-side to recover the original data
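The encryption and decryption flows above, as an added toy example that is not CDR SDK code or part of the Story docs: a proof-free threshold decryption in the style of TDH2, with the DKG key stood in by a Shamir split over a small constructed group (P, Q, G are assumed toy values, not CDR's parameters). It omits the ephemeral keypair, the on-chain read request and TDH2's consistency proofs, and only shows why t partials recover the data while t-1 do not.

```python
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # constructed toy group: safe prime P = 2Q + 1, G generates the order-Q subgroup

def share_secret(x, n, t):
    """Shamir-split x into n shares with threshold t (stand-in for the validators' DKG)."""
    coeffs = [x] + [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    """lambda_i such that sum(lambda_i * f(i)) == f(0) mod Q for a polynomial of degree < len(ids)."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def kdf(shared):
    return hashlib.sha256(b"cdr-toy|" + str(shared).encode()).digest()  # pad derived from pk^r

def encrypt(pk, msg):
    """Client side: u = G^r, c = msg XOR H(pk^r). msg is at most 32 bytes in this toy."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), bytes(m ^ k for m, k in zip(msg, kdf(pow(pk, r, P))))

def partial_decrypt(share, u):
    return pow(u, share, P)  # validator i computes u^{x_i}; x_i never leaves its enclave

def combine(partials, c):
    """Client side: Lagrange-combine the partials into u^x = pk^r and unmask c."""
    lam = lagrange_at_zero(list(partials))
    shared = 1
    for i, u_i in partials.items():
        shared = shared * pow(u_i, lam[i], P) % P
    return bytes(x ^ k for x, k in zip(c, kdf(shared)))

def demo(n=5, t=3, msg=b"story secret"):
    """Run the whole flow; returns (plaintext from t partials, garbage from t-1 partials)."""
    x = secrets.randbelow(Q - 1) + 1  # DKG output; in CDR no single party ever holds x
    pk = pow(G, x, P)                 # the global public key a client fetches
    shares = share_secret(x, n, t)
    u, c = encrypt(pk, msg)
    enough = {i: partial_decrypt(shares[i], u) for i in (1, 3, 5)}
    too_few = {i: partial_decrypt(shares[i], u) for i in (2, 4)}
    return combine(enough, c), combine(too_few, c)
```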
Access Control Patterns
Wallet Address (Simple)
Set your wallet address as the read/write condition. Only you can encrypt/decrypt.
License Token (IP-Gated)
Register the vault as an IP Asset and require a license token to decrypt. The creator writes data, and anyone holding a license token can read it.
Custom Condition Contracts
Deploy your own condition contract implementing checkReadCondition and checkWriteCondition for advanced access control such as:
- Fixed fee - pay a one-time fee to unlock read access
- Time-based - access only during a specific time window
- Marketplace - listing owner controls writes, purchasers can read
Next Steps
Setup
Install dependencies and initialize the CDR client.
Encrypt & Decrypt
Encrypt a secret and decrypt it with threshold decryption.
IP Asset Vaults
Create IP-gated vaults that require license tokens to decrypt.
SDK Reference
Full API reference for every CDR SDK method.