Why This Matters
Organizations are migrating critical data to cloud platforms, SaaS products, and managed databases — and trusting those operators with the keys. “Encrypted at rest” sounds reassuring until you realize it means the cloud provider holds the decryption key, not you. A subpoena, a breach, a rogue employee, or a foreign government’s data access law can expose your data without your knowledge or consent. Data sovereignty is not about where your servers sit. It is about who holds the keys.
The Technology
What is data sovereignty?
Data sovereignty means that the organization that creates or owns data retains exclusive control over who can access it, under what conditions, and governed by which jurisdiction’s laws. It is a legal, technical, and operational concept:
- Legal: Which country’s laws govern this data? Can a foreign court compel disclosure?
- Technical: Who holds the decryption keys? Can the storage operator read the plaintext?
- Operational: Can the organization move its data to a different provider without losing access or breaking references?
The encryption spectrum
Not all encryption is equal. There is a spectrum from least to most sovereign:
| Level | Who holds the key? | Operator can read data? |
|---|---|---|
| No encryption | N/A | Yes |
| Encryption in transit (TLS) | The server | Yes, once received |
| Encryption at rest (server-side) | The cloud operator | Yes, transparently |
| Customer-managed keys (CMK/BYOK) | Customer, but operator has access during processing | In practice, often yes |
| End-to-end encryption (E2EE) | Only the data owner | No — not the operator, not the cloud provider, not the storage layer |
Most enterprise databases and SaaS platforms operate at level 2 or 3. They encrypt your data on their disks, but they hold the master key. They can — and routinely do — decrypt data for indexing, query processing, backups, and support operations.
End-to-end encryption means data is encrypted before it leaves your control and is never decrypted by the infrastructure. The storage layer, the network, and the operator only ever see ciphertext.
How does E2EE work for data infrastructure?
The challenge with E2EE for databases (as opposed to messaging apps) is that you still need to query encrypted data. Several approaches exist:
- Encrypt-then-index. Build encrypted indexes (Bloom filters, encrypted HAMT structures) that allow the server to route queries without seeing plaintext. The client decrypts results locally.
- Deterministic encryption (e.g., AES-SIV). Encrypts the same plaintext to the same ciphertext, enabling equality lookups on encrypted data without revealing the key.
- Client-side query processing. The server returns encrypted blocks; the client decrypts and filters locally. Works well for content- addressed systems where blocks are self-contained.
Each approach trades off query expressiveness against security. The key principle is: the server never needs your plaintext to serve your queries.
Opportunities
-
Regulatory control by architecture. Regulations like GDPR, DORA, HIPAA, and the EU Data Act put pressure on access control, auditability, data location, operational resilience, and cross-border processing. End-to-end encryption does not solve every regulatory obligation by itself, but it makes one question much cleaner: the operator cannot read the data because the operator never holds the plaintext key.
-
Cloud without trust. Organizations can use any cloud provider, any region, any managed service — and the provider is mathematically excluded from reading the data. This decouples infrastructure decisions from data governance decisions.
-
Breach resilience. If an attacker compromises the storage layer, they get ciphertext. Without the keys (which never left the data owner’s control), the data is useless. This transforms a data breach into a storage breach — still serious, but fundamentally different in impact.
-
Supply chain security. When data flows between organizations (suppliers, partners, regulators), E2EE ensures that intermediaries in the pipeline cannot read or modify the content. The recipient verifies authenticity through cryptographic signatures.
-
Multi-tenant isolation. In shared infrastructure, each tenant’s data is encrypted with their own keys. Even if a software bug exposes data across tenant boundaries, the exposed content is encrypted and unreadable.
Challenges
-
Key management. The organization must manage its own encryption keys — generation, distribution, rotation, revocation, and recovery. Losing the key means losing the data permanently. This is the operational cost of sovereignty.
-
Performance overhead. Encryption and decryption add CPU cost to every read and write. Modern CPUs with AES-NI hardware acceleration make this manageable (typically single-digit percentage overhead), but it must be accounted for in capacity planning.
-
Query limitations. Not all query operations are possible over encrypted data. Full-text search, range queries, and aggregations may require client-side processing or specialized encrypted index structures. Systems must be transparent about what queries work server-side versus client-side.
-
Collaboration complexity. Sharing encrypted data with another party requires a key exchange mechanism — typically based on public key cryptography or delegated decryption tokens. The access control model must be built into the encryption scheme, not bolted on at the application layer.
-
Vendor lock-in via key custody. Some “BYOK” (Bring Your Own Key) offerings require the customer to deposit their key with the provider for processing. This is not true E2EE — it is key escrow with extra steps. Scrutinize the key custody model.
What to Look For
When evaluating data infrastructure for sovereignty, ask:
-
Who decrypts? If the answer is “the server” or “the managed service,” the operator has access to your plaintext. End-to-end means the client decrypts.
-
Can the operator read your data under any circumstance? Ask explicitly. “Encrypted at rest” is not a sufficient answer. Can support engineers access it? Can a court order compel the operator to decrypt? If the operator holds the key, the answer is yes.
-
What happens when you leave? Can you export your data and decrypt it independently? Or are you locked into the provider’s key management infrastructure?
-
How is access control enforced? Is it application-layer ACLs (which the operator can override) or cryptographic access control (which the operator cannot)? The difference is whether you trust the operator or trust mathematics.
-
Is encryption applied to the data model, not just the storage layer? Encrypting disk blocks (what most cloud providers do) is different from encrypting the logical data (nodes, edges, properties) before they reach the storage layer. The latter survives infrastructure changes; the former does not.
This article is part of the WWKG explainer series — plain-language introductions to the technologies and ideas behind modern knowledge graph infrastructure.
