Architecture
Design, technical specifications, and deployment model for the Aadhaar Data Vault
Architecture and Technical Design
Here you’ll find the design, technical specifications, and deployment model for the Aadhaar Data Vault in your AWS account.
Overview
The vault is a dedicated, secure system that holds the only copy of Aadhaar numbers (and linked data) in your organization. Everything else refers to Aadhaar only by Reference Keys; the mapping lives inside the vault.
Technical Specifications
We use these crypto and security standards, in line with UIDAI and common practice:
| Component | Specification | Purpose |
|---|---|---|
| Public key encryption | RSA 2048 | Key exchange and digital signatures for vault operations |
| Symmetric encryption | AES 256 | Encryption of Aadhaar numbers and connected data at rest |
| Key storage | HSM only | Encryption keys are stored in Hardware Security Module (HSM) devices only, as mandated by UIDAI |
| Reference Key | UUID (e.g. hex-encoded) | Non-reversible: the Aadhaar number can’t be derived from the key alone |
High-Level Architecture
Business systems and databases hold only Reference Keys; the vault holds the mapping and the encrypted Aadhaar data.
Deployment Model
- Cloud: AWS (your account).
- Network isolation: The vault and its APIs sit in a locked-down network zone, separate from the internet and other internal zones. Only trusted traffic is allowed in and out.
- Access: You talk to the vault through an API or microservice that handles mapping and access control. App-level checks decide who can call it.
- Single logical instance: Aadhaar numbers (and eKYC/cKYC XML where needed) live in one logical vault together with their Reference Keys. HA/DR can be added with the same security as the main vault.
Data Flow (Simplified)
- Ingestion: When you receive an Aadhaar (or eKYC/cKYC data), you send it to the vault API. The vault creates a Reference Key, stores the encrypted data, and returns the key.
- Usage: Your systems store and use only the Reference Key. They never store the actual Aadhaar.
- Retrieval: When you need the real Aadhaar (e.g. for authentication), an authorized system calls the vault with the Reference Key. The vault decrypts and returns it only to authorized, logged requests.
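The ingestion, usage, and retrieval steps above, shown as an added Go example that is not part of the original page or the product's code. Assumptions: the Reference Key is 16 random bytes in hex, AES-256 runs in GCM mode with the Reference Key bound as associated data, and the `Vault` type, the all-zero key, the caller names and the Aadhaar value are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Vault struct { // hypothetical in-memory stand-in for the vault service
	aead    cipher.AEAD       // AES-256-GCM; a real vault keeps the key in the HSM
	rows    map[string][]byte // Reference Key -> nonce || ciphertext || tag
	allowed map[string]bool   // callers permitted to retrieve
	Audit   []string          // one entry per retrieval attempt
}

func NewVault(key [32]byte, allowed map[string]bool) *Vault {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)   // as is AES's 16-byte block size
	return &Vault{aead, map[string][]byte{}, allowed, nil}
}

// Ingest encrypts under a fresh random Reference Key, bound as GCM associated data.
func (v *Vault) Ingest(aadhaar string) (ref string, err error) {
	buf := make([]byte, 16+12) // 16-byte Reference Key + 12-byte GCM nonce
	if _, err = rand.Read(buf); err == nil {
		ref = fmt.Sprintf("%x", buf[:16])
		v.rows[ref] = v.aead.Seal(buf[16:], buf[16:], []byte(aadhaar), []byte(ref))
	}
	return ref, err
}

// Retrieve decrypts only for allow-listed callers and logs every attempt.
func (v *Vault) Retrieve(caller, ref string) (string, error) {
	ok := v.allowed[caller] && v.rows[ref] != nil
	v.Audit = append(v.Audit, fmt.Sprintf("caller=%s ref=%s allowed=%t", caller, ref, ok))
	if !ok {
		return "", fmt.Errorf("retrieve denied for %q", caller)
	}
	pt, err := v.aead.Open(nil, v.rows[ref][:12], v.rows[ref][12:], []byte(ref))
	return string(pt), err
}

func main() {
	v := NewVault([32]byte{}, map[string]bool{"ekyc-service": true}) // all-zero demo key
	ref, _ := v.Ingest("000011112222")                               // constructed, not a real number
	fmt.Println(v.Retrieve("ekyc-service", ref))
	fmt.Println(v.Retrieve("crm-app", ref))
}
```

An unknown Reference Key and an unauthorized caller get the same error, so a denied caller learns nothing about which keys exist. Because the Reference Key is authenticated as associated data, a ciphertext copied under a different key fails to decrypt.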
Benefits
- Clear boundary: Aadhaar in one place; Reference Keys everywhere else.
- Regulatory fit: Matches UIDAI’s idea of a dedicated vault with restricted, secure access.
- Auditability: All vault access can be logged and monitored.
Next Steps
- Reference Keys: how they work and tokenization
- Security and Compliance: encryption, access control, UIDAI
- Implementation and APIs: integration and APIs