Introducing ContentGrid Content Encryption: Secure Storage with Range Request Support

At ContentGrid, security and performance are at the core of our cloud service. Today, we are excited to introduce content encryption—a new capability that ensures secure storage for your documents while maintaining the flexibility you need, including support for range requests.

Why Content Encryption Matters

Your content deserves the highest level of protection. With ContentGrid’s application-side encryption, your documents are automatically encrypted during upload and seamlessly decrypted when accessed. This means your data remains private and protected without requiring any changes to how you interact with your content.

Key benefits of ContentGrid content encryption:

• Secure encryption at rest – All content is encrypted before storage, ensuring confidentiality.
• Seamless user experience – Encryption and decryption happen transparently, without disrupting workflows.
• Application-side encryption – ContentGrid handles encryption independently of S3-compatible storage, making it more flexible.
• Per-application encryption keys – Each application has its own encryption keys, enhancing isolation and security.
• Safe backups – The encrypted documents can be backed-up directly, without the backup system needing access to decryption keys. A separate database back-up contains the decryption keys.

Application-side encryption in ContentGrid is safer than storage based encryption, as the storage system never has access to the encryption keys. ContentGrid encrypts the data before sending it to the storage system. That means even if someone gains direct access to the storage, they will only see encrypted data. Only ContentGrid (holding the encryption keys) can decrypt the data, preventing direct access through the storage provider.

With storage-side encryption, the storage system automatically encrypts whatever is stored and decrypts when data is requested. If an attacker can pose as the a legitimate storage user, they might still retrieve unencrypted data, as the storage system will transparently decrypt it for all requests.

Supporting Range Requests: Fast Access to Large Files

One of the biggest challenges of encrypted storage is efficiently retrieving only the necessary parts of large files. ContentGrid supports HTTP range requests, allowing clients to fetch specific portions of an encrypted document without downloading the entire file.

What Are Range Requests?

Range requests let you retrieve specific byte ranges of a file, which is especially useful when working with large media files or documents. Examples include:

• Streaming videos – A video player can seek to a specific timestamp without loading the entire file.
• Reading PDFs – A document viewer can display only the requested page instead of downloading the full document.
• Resuming downloads – Large files can be downloaded in chunks, improving reliability over slow connections.

By supporting range requests directly on encrypted content, ContentGrid ensures that your applications maintain optimal performance without sacrificing security.

How It Works

ContentGrid uses a data encryption key (DEK) model to balance security and performance.

With Data Encryption Keys (DEKs), each document has their own independent encryption key.

Currently, DEKs are managed by the application and stored in its database, without additional layers of key encryption.