Reference

What is DRM for logs?

DRM is a familiar idea. Here is a clear definition, where it shows up, and what changes when you point the same mechanism at your own audit records.

The word itself

DRM stands for digital rights management. It is the family of techniques that let a publisher say “this artifact is mine, you can use it under these conditions, and I can change those conditions later.”

In practice, DRM is two things glued together:

Encryption so the artifact is opaque to anyone without a key.
Key distribution so only the parties you approve can get the key, and only while you still approve them.

Everything else (watermarking, counting plays, geo-locking, expiring a rental) sits on top of those two primitives.

Where you have seen it before

1998

DVD / CSS

Players licensed a decryption key.

2003

iTunes FairPlay

Songs locked to your Apple ID.

2007

Kindle

Books could be pulled from your device.

2013

Netflix / Widevine

Streams decrypted only in licensed browsers.

2020

Enterprise IRM

Email and PDFs revocable after send.

Each of those systems uses the same two ingredients: encryption plus a grant list. The interesting question is always who holds the grant list. When you hold it yourself, you decide which partners and systems see which fields, for as long as you choose.

The shape of the tool

The mechanism is neutral. Pointed at a record you publish, it lets you grant narrow, revocable access to exactly the readers you pick. You are the issuer and the holder of the grant list at the same time.

DRM, pointed at your own logs

Your application emits records all day. Orders placed. Decisions made. Approvals granted. Payments settled. Moderation calls. These logs are the receipts your business runs on.

Traditionally you either keep them plain in a database (easy to read, easy to leak) or you lock them away and lose the ability to share specific pieces with partners and regulators. TN applies the DRM pattern to each individual log entry so you get both: the record is sealed by default, and you hand out narrow grants by choice.

Logs the old way

Written in plaintext. Sometimes protected by draconian access permissions, sometimes leaked to your datadog consultants, sometimes leaked on S3.

Sharing a field with a partner means copying rows into a second system, with a second permission model, who knows if it leaks there?

Logs with TN

Each entry is signed the moment it is written, so anyone can prove it came from you. Anyone without permission sees the record as scrambled text — readable only with a key they do not have.

Sharing a field with a partner is a single setting on your side. No copy to a second database, no second permission system. They read the same record you do, with only the fields you chose made visible to them.

Taking that access away is one action too. From the next entry on, their key stops working and the content goes back to scrambled.

What a log entry looks like, gently

To make this concrete, here is the same order-placed event at three moments in its life. The scrambled rows below are ciphertext: the original value run through a key so the characters look random. Turn the key on a reader and those rows snap back to plain text for that reader only. Without the key, anyone else sees the scramble.

Do not try to read the scrambled rows. Just notice which fields are legible to whom at each step.

Before a reader is granted

order.placed

event_type: "order.placed"

timestamp: "2026-04-22T14:02:11Z"

order_id: E3Ia...q9w==

amount: Rh2v...8kT==

customer: pL0a...m2X==

sig: ed25519:...

Sealed. Only the publisher can open it.

After you grant the partner

order.placed (for partner)

event_type: "order.placed"

timestamp: "2026-04-22T14:02:11Z"

order_id: "ord_8fKq"

amount: 49.00

customer: pL0a...m2X==

sig: ed25519:...

Order ID and amount legible. Customer field still sealed.

After you revoke them

order.placed (for partner)

event_type: "order.placed"

timestamp: "2026-04-22T14:02:11Z"

order_id: n2Kj...v8w==

amount: b7xQ...31P==

customer: Tq9a...l4M==

sig: ed25519:...

Fresh keys, fresh scramble. The old grant opens nothing new.

Three things to notice, quietly:

The signature is always public. Anyone can prove the record came from you. Nothing about DRM hides origin.
Event type and timestamp stay visible. Auditors can tell an event happened, even if they cannot read the payload.
The partner’s view is a subset, not a copy. Same record, filtered.

About revocation

Revocation does not reach back and scramble records the partner already decrypted. That ship sails at the moment of first grant. What revocation does is stop the next record, and every record after that, from ever being readable to the revoked party.

This is the same guarantee Netflix gives an expired rental. The tool is identical. Here, you are the one issuing the rental.

Why this matters now

Compliance regimes want receipts they can audit. Partners want data they can rely on without having to trust your database layout. Regulators want provenance they can verify without calling you. Plaintext logs expose too much. Fully sealed logs cannot be shared. DRM for logs gives you the middle path: sealed by default, granted by choice, revocable at will. The cryptography has been in the field for twenty-five years. The new part is pointing it at a log line instead of at a song.

← Back to the vault