Chapter 9
Encryption and Access Control
Public IPFS CIDs are world-readable — anyone with the link can fetch the file. For private documents, gated media, or encrypted NFTs, builders encrypt before upload and distribute decryption keys through wallets, threshold networks, or on-chain conditions.
Lit Protocol and similar networks split keys across nodes that release shares only when on-chain conditions pass. Encrypted ERC-721 extensions tie decryption to token ownership so reselling the NFT transfers access. Enterprise teams may use identity-based encryption with off-chain ACL servers — less pure, sometimes more practical.
Document your threat model. Encryption protects confidentiality, not availability. A pinned encrypted blob still needs pinning. Metadata side channels — file size, upload timing — can leak information even when content is ciphertext.
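The encrypt-before-upload step and the file-size side channel described above, as an added example that is not from the original text or from any project it names. It assumes AES-256-GCM from Node's built-in crypto module and a 4 KiB padding bucket; the function names are hypothetical, and getting the key to readers (wallets, threshold networks, on-chain conditions) is out of scope.

```javascript
// Added example: encrypt-before-upload with size padding (not from the original page).
const crypto = require('node:crypto');

const BUCKET = 4096;    // assumption: pad plaintext to multiples of 4 KiB
const HEADER = 12 + 16; // GCM nonce + auth tag stored ahead of the ciphertext

// Prefix the true length (4 bytes, big-endian), then zero-fill to a bucket boundary.
function pad(plaintext) {
  const out = Buffer.alloc(Math.ceil((plaintext.length + 4) / BUCKET) * BUCKET);
  out.writeUInt32BE(plaintext.length, 0);
  plaintext.copy(out, 4);
  return out;
}

function unpad(padded) {
  const len = padded.readUInt32BE(0);
  if (len > padded.length - 4) throw new Error('bad length prefix');
  return padded.subarray(4, 4 + len);
}

// Returns nonce || tag || ciphertext: the blob that gets uploaded and pinned.
function encryptForUpload(key, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh per file; never reuse with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(pad(plaintext)), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Throws if the blob was modified or the key is wrong (GCM tag check in final()).
function decryptAfterFetch(key, blob) {
  if (blob.length <= HEADER || (blob.length - HEADER) % BUCKET !== 0) {
    throw new Error('malformed blob');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, HEADER));
  const ct = blob.subarray(HEADER);
  return unpad(Buffer.concat([decipher.update(ct), decipher.final()]));
}

// Constructed sample input: two files of very different size.
const demoKey = crypto.randomBytes(32);
const small = encryptForUpload(demoKey, Buffer.from('short note'));
const large = encryptForUpload(demoKey, Buffer.from('x'.repeat(3000)));
console.log(small.length, large.length);
console.log(decryptAfterFetch(demoKey, small).toString());
```

Padding hides size only down to the bucket granularity, and it does nothing about upload timing, so both still belong in the threat model.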