CloudKit Web Services access to encrypted values

Question

The WWDC 2021 CloudKit session talked about the new encryptedValues field on CKRecord. It also indicated that CKAssets have already been end-to-end encrypted in previous releases. The documentation indicates that for encrypted values such as these:

CloudKit encrypts the fields’ values on-device before saving them to iCloud, and decrypts the values only after fetching them from the server. The encryption keys are available exclusively to the record’s owner and, if the user shares the record, that share’s participants.

For a client that is accessing CloudKit via the HTTP interface, the documentation indicates that assets have a downloadURL property which can be used to fetch the asset. Does this URL download the already-decrypted asset? Or does it need to be encrypted after downloading?

If the asset is already decrypted at the time it is downloaded, how can this work, since as I understand it the key should not even be available to Apple. If the asset is not decrypted at that point, is there documentation about how we need to decrypt it?

1.2k

Posted by

bjhomer

Reply

Add a Comment

Answer 1

Once the document has been downloaded, the url contains a special character "$ {f}" which must be replaced by any other value you want. In this case I use the recordName to replace this special character.

let downloadURL = ...
let fileName = recordName + ".jpg"
let urlString = downloadURL.replacingOccurrences(of: "${f}", with: fileName)

guard let url = URL(string: urlString) else {  return nil }

// Do what you want with url

Posted by

magiicMedia

Add a Comment

Answer 2

To add on to this topic, the Cloud Console shows Encrypted fields in clear text. Is there any clarification from Apple whether these encrypted fields are being decrypted using the user's key material in the web site or if there is some other issue in the iCloud Console?

Posted by

stokaace

Add a Comment

CloudKit Web Services access to encrypted values

Replies