Skip to main content

Data Security

Walrus provides decentralized storage for application and user data. All data stored on Walrus is public and can be accessed by anyone. Walrus natively provides data availability and integrity guarantees. It does not provide confidentiality.

caution

Blob IDs are not secrets. Anyone with a blob ID can fetch the blob. Do not upload data to Walrus that you are not willing to make public.

Data availability

The encoding mechanisms applied by Walrus guarantee that blobs can be written and remain available as long as 2/3 of the shards are operated by storage nodes that act honestly. After data is written, reads are possible even if as few as 1/3 of the nodes are available.

Each blob has a point of availability (PoA) observable through an event on Sui. Before the PoA, you are responsible for ensuring blob availability and upload to Walrus. After the PoA, Walrus is responsible for maintaining blob availability for the full storage period.

If a blob is incorrectly encoded, storage nodes can produce an inconsistency proof. Reads for blob IDs with inconsistency proofs return None. Correctly stored blobs cannot have inconsistency proofs generated for them.

You can learn more in the whitepaper and in the Walrus fundamentals documentation.

Data integrity

Walrus guarantees that any data read corresponds to what the user who uploaded the data intended. Because the encoding is done by the client, it is possible that this encoding is incorrect, either by mistake or on purpose. This causes some subtleties, which are described in the encoding documentation.

Data confidentiality

Walrus does not provide native encryption for data. By default, all blobs stored in Walrus are public and discoverable by everyone. Walrus does not currently document a confidentiality mechanism.

Nautilus: Secure and verifiable off-chain computation

Nautilus is a framework for secure and verifiable off-chain computation on Sui. It enables you to delegate sensitive or resource-intensive tasks to a self-managed trusted execution environment (TEE) while using smart contract verification to preserve trust onchain.

Use Nautilus for hybrid apps that require private data handling, complex computations, or integration with external Web2 systems. The framework ensures computations are tamper-resistant, isolated, and cryptographically verifiable.

Nautilus currently supports self-managed AWS Nitro Enclave TEEs. You can verify AWS-signed enclave attestations onchain using Move smart contracts. See the GitHub repository for the reproducible build template.

Use cases

  • Trusted oracles: Process off-chain data from Web2 services or decentralized storage platforms like Walrus in a tamper-resistant way.
  • AI agents: Securely run AI models for inference or execute agentic workflows while providing data and model provenance onchain.
  • DePIN solutions: Enable private data computation in IoT and supply chain networks.
  • Fraud prevention: Secure order matching, settlement, and multi-party computations for DEXs and layer 2 solutions.
  • Identity management: Provide onchain verifiability for decentralized governance with proof of tamper resistance.

To get started, see Using Nautilus.