
Decentralized storage networks are peer-to-peer protocols that distribute data across independent storage providers, paid in native tokens to store and prove availability, rather than relying on a central provider like AWS or Google.
Well-known examples include Filecoin, Arweave, Zero Gravity (0G), and BNB Greenfield. These networks remove single points of failure, eliminate vendor lock-in, and make data availability a public good. But they’re built mostly for availability, not privacy. Storing data on them is, essentially, like publishing it.
The missing layer
On a decentralized storage network, any node that holds your data can read it. Retrieval is permissionless by design. There is no native encryption layer, and while some solutions exist, adding any form of access control is not straightforward: there is generally no way to express a rule like "only Alice can read this file" or "this expires in 90 days."
For a narrow set of use cases (public datasets, open media, NFT metadata) this is fine. But the moment you introduce more sensitive information, it’s not. Health records, legal documents, RWA collateral, AI training sets, personal memories - none of these should be stored in plaintext on a public network.
Client-side encryption is the standard workaround, but it just moves the problem. Lose your key and the data is gone. Share a key and you can never take it back: even if you revoke access, anyone who held the key could have already copied the underlying data.
Storage with privacy
Oasis Sapphire is an EVM-compatible smart contract platform that runs inside TEEs - isolated regions of a processor where code executes privately. The host operating system, cloud provider, and node operator cannot read its memory or tamper with execution. The output can be cryptographically attested, meaning anyone can verify that a specific contract ran exactly as published.
Applied to storage, this creates a handy, plug-in privacy layer.
A Sapphire contract holds encryption keys as private state inside the TEE, invisible to outside observers. When a user uploads a file, the contract encrypts it inside the enclave using a per-file key. Only the ciphertext reaches the storage network, so the network never sees the plaintext. When a user requests access, the contract decrypts and returns the file over an encrypted channel.
For example, Flashback, a personal memory app where users store health data, grief journals, and family histories, uses Sapphire in combination with 0G. The storage network handles availability. Sapphire handles confidentiality.
Storage with access controls
Encryption solves confidentiality, but it doesn't solve access. Once a key is shared, there’s no revocation, no expiry, and no conditions you can enforce after the fact.
Oasis also has a fix for this through Liquefaction, a primitive built on Sapphire that allows rich, multi-party access policies to be attached to private keys held inside TEEs. With Liquefaction, the key never leaves the enclave. Instead of giving a user a key, you give the enclave a ruleset and it decides when and whether to act.
That action can be almost anything: decrypting a file, signing a transaction, releasing an asset. The conditions governing it can be almost anything too.
- Token gate - access granted only to wallets holding a specific token
- Time lock - files decryptable only within a defined date range
- Whitelist - only verified addresses can retrieve, enforcing permissioned access
- Geo-restriction - block access from sanctioned jurisdictions
- Pay-per-access - an onchain micro-payment check is run before a key is released
The policy logic runs privately inside the TEE, meaning the rules themselves are confidential. An observer sees only that access was granted or denied, not why. This is what separates Liquefaction from standard access control: the conditions can't be read, gamed, or circumvented by anyone outside the enclave.
The bottom line: the storage network guarantees the file exists. Sapphire guarantees it's encrypted. Liquefaction adds a new level of programmability on top.
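The flow described above (a per-file key kept inside the enclave, only ciphertext sent to storage, decryption gated by a whitelist and a time lock), as an added Python model that is not Oasis, Sapphire or Liquefaction code. The `Enclave` class, its method names, the address strings and the SHAKE-256/HMAC stand-in cipher are assumptions made for illustration; `now` is passed in only to keep the model deterministic.

```python
"""Model of enclave-held per-file keys with policy-gated decryption (stdlib only)."""
import hashlib, hmac, secrets

def _seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): XOR with a SHAKE-256 keystream.
    # A real enclave would use a vetted AEAD instead.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Integrity tag so a storage node cannot alter the blob unnoticed.
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

class Enclave:
    """Hypothetical stand-in for contract state that never leaves the TEE."""
    def __init__(self):
        self._files = {}  # file_id -> key, owner, allow-list, validity window

    def upload(self, owner, plaintext, allow, not_before, not_after):
        file_id = secrets.token_hex(8)
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _seal(key, nonce, plaintext)
        self._files[file_id] = {"key": key, "owner": owner,
                                "allow": set(allow) | {owner},
                                "window": (not_before, not_after)}
        # Only this blob goes to the storage network; the key stays in here.
        return file_id, nonce + ct + _tag(key, nonce, ct)

    def revoke(self, caller, file_id, addr):
        f = self._files[file_id]
        if caller != f["owner"]:
            raise PermissionError("only the owner can change the policy")
        f["allow"].discard(addr)

    def read(self, caller, file_id, blob, now):
        """Return plaintext or None; every denial looks the same to the caller."""
        f = self._files.get(file_id)
        if f is None or caller not in f["allow"]:
            return None
        lo, hi = f["window"]
        if not lo <= now <= hi:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _tag(f["key"], nonce, ct)):
            return None  # blob was modified after upload
        return _seal(f["key"], nonce, ct)
```

Because the key is never handed out, `revoke` and the time window take effect on the next `read`; they do not recall plaintext that was already returned to a caller.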
Conclusion
Taken together, these two properties (confidentiality & programmability) make decentralized storage more viable for a broader category of data and use cases.
For builders, both are additive. Existing storage SDK calls are unchanged. Sapphire sits as a pre-write encryption step, and Liquefaction governs who can do what, under what conditions, and for how long. Neither requires rebuilding anything from scratch.
Any app that handles sensitive data can now use decentralized storage without becoming a custodian of it, and without trusting any single party to keep it private. And any app that needs to govern that data can now add fine-grained policies without exposing the rules to anyone.

