Cloud Storage: Secure Cloud Credential Storage for EUDI Wallets

Last updated: 2/9/2026 | Reading time: 4 min

Full Name: Cloud Credential Storage

Definition

Cloud storage in the EUDI Wallet context refers to the practice of storing verifiable credentials and associated cryptographic material in secure, encrypted remote infrastructure rather than exclusively on the user's local device. This architecture enables multi-device credential access, automatic backup, smooth credential recovery when devices are lost or replaced, and centralized security monitoring. Cloud-stored credentials remain end-to-end encrypted, with decryption keys controlled solely by the wallet holder.

Cloud vs. Local Storage Architectures

The EUDI Wallet ecosystem supports multiple storage architectures, each with distinct trade-offs:

  • Device-only storage: Credentials are stored in the device's secure element or Trusted Execution Environment. This provides strong isolation but creates a single point of failure. If the device is lost, damaged, or stolen, credentials must be reissued from scratch. Countries like Germany, with their strong tradition of hardware-based identity (the Personalausweis), tend to favor this model.
  • Cloud-first storage: Credentials are primarily stored server-side, with the device acting as a secure access terminal. The private keys may reside in a remote HSM or be split between the device and the cloud using threshold cryptography. France Identité exemplifies this approach, enabling users to access their identity credentials from any authenticated device.
  • Hybrid storage: Credentials are stored locally for offline use but synchronized to an encrypted cloud backup. The cloud copy enables recovery and multi-device access while the local copy ensures credentials work without internet connectivity. This hybrid model is gaining popularity as it combines the strengths of both approaches.

Security Architecture for Cloud-Stored Credentials

Storing identity credentials in the cloud demands rigorous security measures. The EUDI framework requires several layers of protection:

End-to-end encryption: All credential data is encrypted before leaving the device using keys derived from the user's authentication factors. The cloud provider stores only encrypted blobs and cannot decrypt them. Even a complete breach of the cloud storage backend would not expose any credential data.

Key management: Encryption keys are either stored in the device secure element and never transmitted, or split using threshold cryptography where neither the device nor the cloud alone holds a complete key. Some implementations use a remote Hardware Security Module (HSM) to perform cryptographic operations server-side, where the HSM is configured so that even the cloud operator cannot extract keys.

Access control: Retrieving cloud-stored credentials requires strong multi-factor authentication -- typically biometric verification on the device combined with a PIN and a device attestation proving the wallet software is genuine. This prevents unauthorized access even if someone obtains the user's cloud account credentials.

Audit logging: Every access to cloud-stored credentials is logged with tamper-evident mechanisms. Users can review when and from which devices their credentials were accessed, providing transparency and enabling detection of unauthorized access attempts.

Data Sovereignty and GDPR Compliance

Cloud storage of identity credentials raises significant data sovereignty questions. The eIDAS 2.0 regulation and GDPR impose strict requirements on where personal data can be stored and processed. For EUDI Wallet cloud storage, this means:

  • Cloud infrastructure must be physically located within the EU/EEA, with no replication to non-EU jurisdictions
  • The cloud provider must not have the ability to access unencrypted credential data, even under legal compulsion
  • Users must have the right to delete all cloud-stored data and export their credentials (data portability)
  • Data Protection Impact Assessments (DPIAs) must be conducted for any cloud storage implementation

Several EU member states are building their EUDI Wallet cloud infrastructure on European sovereign cloud platforms to ensure full compliance with these requirements and avoid dependencies on non-EU cloud providers.

Sources

Information verified against official sources (2/16/2026)


⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
