@twin.org/synchronised-storage-service 0.0.1-next.3 → 0.0.1-next.4

package/dist/esm/index.mjs

@@ -1,13 +1,15 @@
 import { property, entity, EntitySchemaFactory, EntitySchemaHelper, ComparisonOperator } from '@twin.org/entity';
-import { Guards, ComponentFactory, Is, ObjectHelper, Converter, RandomHelper, BaseError, NotFoundError, GeneralError } from '@twin.org/core';
+import { Guards, ComponentFactory, Is, Converter, Compression, CompressionType, ObjectHelper, BaseError, GeneralError, RandomHelper, NotFoundError, UnauthorizedError } from '@twin.org/core';
 import { HttpStatusCode } from '@twin.org/web';
+import { BlobStorageConnectorFactory } from '@twin.org/blob-storage-models';
 import { EntityStorageConnectorFactory } from '@twin.org/entity-storage-models';
 import { DocumentHelper, IdentityConnectorFactory } from '@twin.org/identity-models';
 import { LoggingConnectorFactory } from '@twin.org/logging-models';
+import { ProofTypes } from '@twin.org/standards-w3c-did';
 import { SyncChangeOperation, SynchronisedStorageTopics } from '@twin.org/synchronised-storage-models';
+import { VaultEncryptionType, VaultConnectorFactory } from '@twin.org/vault-models';
 import { VerifiableStorageConnectorFactory } from '@twin.org/verifiable-storage-models';
-import { BlobStorageCompressionType } from '@twin.org/blob-storage-models';
-import { ProofTypes } from '@twin.org/standards-w3c-did';
+import { RSA } from '@twin.org/crypto';
 
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
@@ -100,8 +102,8 @@ function generateRestRoutesSynchronisedStorage(baseRouteName, componentName) {
         operationId: "synchronisedStorageSyncChangeSetRequest",
         summary: "Request that the node perform a sync request for a changeset.",
         tag: tagsSynchronisedStorage[0].name,
-        method: "GET",
-        path: `${baseRouteName}/`,
+        method: "POST",
+        path: `${baseRouteName}/sync-changeset`,
         handler: async (httpRequestContext, request) => synchronisedStorageSyncChangeSetRequest(httpRequestContext, componentName, request),
         requestType: {
             type: "ISyncChangeSetRequest",
@@ -109,8 +111,29 @@ function generateRestRoutesSynchronisedStorage(baseRouteName, componentName) {
                 {
                     id: "synchronisedStorageSyncChangeSetRequestExample",
                     request: {
-                        query: {
-                            changeSetStorageId: "12345"
+                        body: {
+                            id: "0909090909090909090909090909090909090909090909090909090909090909",
+                            dateCreated: "2025-05-29T01:00:00.000Z",
+                            nodeIdentity: "did:entity-storage:0xd2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2",
+                            changes: [
+                                {
+                                    entity: {
+                                        dateModified: "2025-01-01T00:00:00.000Z"
+                                    },
+                                    id: "test-id-1",
+                                    operation: "set"
+                                }
+                            ],
+                            proof: {
+                                "@context": "https://www.w3.org/ns/credentials/v2",
+                                created: "2025-05-29T01:00:00.000Z",
+                                cryptosuite: "eddsa-jcs-2022",
+                                proofPurpose: "assertionMethod",
+                                proofValue: "z5efBErQs3YBLZoH7jgKMQaRc9YjAxA5XSYKmW3FmTBDw9WionT2NS2x1SMvcRyBvw53cSSoaCT1xQH9tkWngGCX3",
+                                type: "DataIntegrityProof",
+                                verificationMethod: "did:entity-storage:0xd0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0#synchronised-storage-assertion"
+                            },
+                            storageKey: "test-type"
                         }
                     }
                 }
@@ -120,9 +143,61 @@ function generateRestRoutesSynchronisedStorage(baseRouteName, componentName) {
             {
                 type: "INoContentResponse"
             }
-        ]
+        ],
+        // Authentication is provided by the proof in the request body.
+        skipAuth: true
+    };
+    const getDecryptionKeyRoute = {
+        operationId: "synchronisedStorageGetDecryptionKeyRequest",
+        summary: "Request the decryption key.",
+        tag: tagsSynchronisedStorage[0].name,
+        method: "POST",
+        path: `${baseRouteName}/decryption-key`,
+        handler: async (httpRequestContext, request) => synchronisedStorageGetDecryptionKeyRequest(httpRequestContext, componentName, request),
+        requestType: {
+            type: "ISyncChangeSetRequest",
+            examples: [
+                {
+                    id: "synchronisedStorageSyncGetDecryptionKeyRequestExample",
+                    request: {
+                        body: {
+                            nodeIdentity: "did:entity-storage:0xd2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2",
+                            proof: {
+                                "@context": "https://www.w3.org/ns/credentials/v2",
+                                created: "2025-05-29T01:00:00.000Z",
+                                cryptosuite: "eddsa-jcs-2022",
+                                proofPurpose: "assertionMethod",
+                                proofValue: "z5efBErQs3YBLZoH7jgKMQaRc9YjAxA5XSYKmW3FmTBDw9WionT2NS2x1SMvcRyBvw53cSSoaCT1xQH9tkWngGCX3",
+                                type: "DataIntegrityProof",
+                                verificationMethod: "did:entity-storage:0xd0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0#synchronised-storage-assertion"
+                            }
+                        }
+                    }
+                }
+            ]
+        },
+        responseType: [
+            {
+                type: "ISyncDecryptionKeyResponse",
+                examples: [
+                    {
+                        id: "synchronisedStorageSyncGetDecryptionKeyResponseExample",
+                        response: {
+                            body: {
+                                decryptionKey: "z5efBErQs3YBLZoH7jgKMQaRc9YjAxA5XSYKmW3FmTBDw9WionT2NS2x1SMvcRyBvw53cSSoaCT1xQH9tkWngGCX3"
+                            }
+                        }
+                    }
+                ]
+            },
+            {
+                type: "IUnauthorizedResponse"
+            }
+        ],
+        // Authentication is provided by the proof in the request body.
+        skipAuth: true
     };
-    return [syncChangeSetRoute];
+    return [syncChangeSetRoute, getDecryptionKeyRoute];
 }
 /**
  * Perform the sync change set operation.
@@ -133,13 +208,31 @@ function generateRestRoutesSynchronisedStorage(baseRouteName, componentName) {
  */
 async function synchronisedStorageSyncChangeSetRequest(httpRequestContext, componentName, request) {
     Guards.object(ROUTES_SOURCE, "request", request);
-    Guards.object(ROUTES_SOURCE, "request.query", request.query);
+    Guards.object(ROUTES_SOURCE, "request.body", request.body);
     const component = ComponentFactory.get(componentName);
-    await component.syncChangeSet(request.query.changeSetStorageId);
+    await component.syncChangeSet(request.body);
     return {
         statusCode: HttpStatusCode.noContent
     };
 }
+/**
+ * Request the decryption key.
+ * @param httpRequestContext The request context for the API.
+ * @param componentName The name of the component to use in the routes.
+ * @param request The request.
+ * @returns The response object with additional http response properties.
+ */
+async function synchronisedStorageGetDecryptionKeyRequest(httpRequestContext, componentName, request) {
+    Guards.object(ROUTES_SOURCE, "request", request);
+    Guards.object(ROUTES_SOURCE, "request.body", request.body);
+    const component = ComponentFactory.get(componentName);
+    const key = await component.getDecryptionKey(request.body.nodeIdentity, request.body.proof);
+    return {
+        body: {
+            decryptionKey: key
+        }
+    };
+}
 
 const restEntryPoints = [
     {
@@ -159,6 +252,163 @@ function initSchema() {
     EntitySchemaFactory.register("SyncSnapshotEntry", () => EntitySchemaHelper.getSchema(SyncSnapshotEntry));
 }
 
+var mainnet = "";
+var testnet = "";
+var devnet = "";
+var verifiableStorageKeys = {
+	mainnet: mainnet,
+	testnet: testnet,
+	devnet: devnet
+};
+
+/**
+ * Class for performing blob storage operations.
+ */
+class BlobStorageHelper {
+    /**
+     * Runtime name for the class.
+     */
+    CLASS_NAME = "BlobStorageHelper";
+    /**
+     * The logging connector to use for logging.
+     * @internal
+     */
+    _logging;
+    /**
+     * The vault connector.
+     * @internal
+     */
+    _vaultConnector;
+    /**
+     * The blob storage connector to use.
+     * @internal
+     */
+    _blobStorageConnector;
+    /**
+     * The id of the vault key to use for encrypting/decrypting blobs.
+     * @internal
+     */
+    _blobStorageEncryptionKeyId;
+    /**
+     * Is this a trusted node.
+     * @internal
+     */
+    _isTrustedNode;
+    /**
+     * Create a new instance of BlobStorageHelper.
+     * @param logging The logging connector to use for logging.
+     * @param vaultConnector The vault connector to use for for the encryption key.
+     * @param blobStorageConnector The blob storage component to use.
+     * @param blobStorageEncryptionKeyId The id of the vault key to use for encrypting/decrypting blobs.
+     * @param isTrustedNode Is this a trusted node.
+     */
+    constructor(logging, vaultConnector, blobStorageConnector, blobStorageEncryptionKeyId, isTrustedNode) {
+        this._logging = logging;
+        this._vaultConnector = vaultConnector;
+        this._blobStorageConnector = blobStorageConnector;
+        this._blobStorageEncryptionKeyId = blobStorageEncryptionKeyId;
+        this._isTrustedNode = isTrustedNode;
+    }
+    /**
+     * Load a blob from storage.
+     * @param blobId The id of the blob to apply.
+     * @returns The blob.
+     */
+    async load(blobId) {
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "loadBlob",
+            data: {
+                blobId
+            }
+        });
+        try {
+            const encryptedBlob = await this._blobStorageConnector.get(blobId);
+            if (Is.uint8Array(encryptedBlob)) {
+                let compressedBlob;
+                // If this is a trusted node, we can decrypt the blob using the vault
+                if (this._isTrustedNode) {
+                    compressedBlob = await this._vaultConnector.decrypt(this._blobStorageEncryptionKeyId, VaultEncryptionType.Rsa2048, encryptedBlob);
+                }
+                else {
+                    // Otherwise we need the public key stored as a secret in the vault
+                    const key = await this._vaultConnector.getSecret(this._blobStorageEncryptionKeyId);
+                    const rsa = new RSA(Converter.base64ToBytes(key));
+                    compressedBlob = rsa.decrypt(encryptedBlob);
+                }
+                const decompressedBlob = await Compression.decompress(compressedBlob, CompressionType.Gzip);
+                await this._logging?.log({
+                    level: "info",
+                    source: this.CLASS_NAME,
+                    message: "loadedBlob",
+                    data: {
+                        blobId
+                    }
+                });
+                return ObjectHelper.fromBytes(decompressedBlob);
+            }
+        }
+        catch (error) {
+            await this._logging?.log({
+                level: "error",
+                source: this.CLASS_NAME,
+                message: "loadBlobFailed",
+                data: {
+                    blobId
+                },
+                error: BaseError.fromError(error)
+            });
+        }
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "loadBlobEmpty",
+            data: {
+                blobId
+            }
+        });
+    }
+    /**
+     * Save a blob.
+     * @param blob The blob to save.
+     * @returns The id of the blob.
+     */
+    async saveBlob(blob) {
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "saveBlob"
+        });
+        if (!this._isTrustedNode) {
+            throw new GeneralError(this.CLASS_NAME, "notTrustedNode");
+        }
+        const compressedBlob = await Compression.compress(ObjectHelper.toBytes(blob), CompressionType.Gzip);
+        const encryptedBlob = await this._vaultConnector.encrypt(this._blobStorageEncryptionKeyId, VaultEncryptionType.Rsa2048, compressedBlob);
+        try {
+            const blobId = await this._blobStorageConnector.set(encryptedBlob);
+            await this._logging?.log({
+                level: "info",
+                source: this.CLASS_NAME,
+                message: "savedBlob",
+                data: {
+                    blobId
+                }
+            });
+            return blobId;
+        }
+        catch (error) {
+            await this._logging?.log({
+                level: "error",
+                source: this.CLASS_NAME,
+                message: "saveBlobFailed",
+                error: BaseError.fromError(error)
+            });
+            throw error;
+        }
+    }
+}
+
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -180,10 +430,10 @@ class ChangeSetHelper {
      */
     _eventBusComponent;
     /**
-     * The blob storage component to use for remote sync states.
+     * The blob storage helper to use for remote sync states.
      * @internal
      */
-    _blobStorageComponent;
+    _blobStorageHelper;
     /**
      * The identity connector to use for signing/verifying changesets.
      * @internal
@@ -194,37 +444,73 @@ class ChangeSetHelper {
      * @internal
      */
     _decentralisedStorageMethodId;
+    /**
+     * The identity of the node that is performing the update.
+     * @internal
+     */
+    _nodeIdentity;
     /**
      * Create a new instance of ChangeSetHelper.
      * @param logging The logging connector to use for logging.
      * @param eventBusComponent The event bus component to use for events.
-     * @param blobStorageComponent The blob storage component to use for remote sync states.
      * @param identityConnector The identity connector to use for signing/verifying changesets.
+     * @param blobStorageHelper The blob storage component to use for remote sync states.
      * @param decentralisedStorageMethodId The id of the identity method to use when signing/verifying changesets.
      */
-    constructor(logging, eventBusComponent, blobStorageComponent, identityConnector, decentralisedStorageMethodId) {
+    constructor(logging, eventBusComponent, identityConnector, blobStorageHelper, decentralisedStorageMethodId) {
         this._logging = logging;
         this._eventBusComponent = eventBusComponent;
         this._decentralisedStorageMethodId = decentralisedStorageMethodId;
-        this._blobStorageComponent = blobStorageComponent;
+        this._blobStorageHelper = blobStorageHelper;
         this._identityConnector = identityConnector;
     }
+    /**
+     * Set the node identity to use for signing changesets.
+     * @param nodeIdentity The identity of the node that is performing the update.
+     */
+    setNodeIdentity(nodeIdentity) {
+        this._nodeIdentity = nodeIdentity;
+    }
     /**
      * Get and verify a changeset.
      * @param changeSetStorageId The id of the sync changeset to apply.
      * @returns The changeset if it was verified.
      */
     async getAndVerifyChangeset(changeSetStorageId) {
-        // Changesets are not encrypted as they are signed with the node identity
-        // and they are publicly accessible so that other nodes can retrieve them.
-        const blobEntry = await this._blobStorageComponent.get(changeSetStorageId, {
-            includeContent: true
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "getChangeSet",
+            data: {
+                changeSetStorageId
+            }
         });
-        if (Is.stringBase64(blobEntry.blob)) {
-            const syncChangeset = ObjectHelper.fromBytes(Converter.base64ToBytes(blobEntry.blob));
-            const verified = await this.verifyChangesetProof(syncChangeset);
-            return verified ? syncChangeset : undefined;
+        try {
+            const syncChangeSet = await this._blobStorageHelper.load(changeSetStorageId);
+            if (Is.object(syncChangeSet)) {
+                const verified = await this.verifyChangesetProof(syncChangeSet);
+                return verified ? syncChangeSet : undefined;
+            }
         }
+        catch (error) {
+            await this._logging?.log({
+                level: "warn",
+                source: this.CLASS_NAME,
+                message: "getChangeSetError",
+                data: {
+                    changeSetStorageId
+                },
+                error: BaseError.fromError(error)
+            });
+        }
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "getChangeSetEmpty",
+            data: {
+                changeSetStorageId
+            }
+        });
     }
     /**
      * Apply a sync changeset.
@@ -258,13 +544,18 @@ class ChangeSetHelper {
                 switch (change.operation) {
                     case SyncChangeOperation.Set:
                         if (!Is.empty(change.entity)) {
-                            // The node identity was stripped when stored in the changeset
+                            // The id was stripped from the entity as it is part of the operation
+                            // we make sure we reinstate it in the publish
+                            // Also the node identity was stripped when stored in the changeset
                             // as the changeset is signed with the node identity.
                             // so we need to restore it here.
-                            change.entity.nodeIdentity = syncChangeset.nodeIdentity;
                             await this._eventBusComponent.publish(SynchronisedStorageTopics.RemoteItemSet, {
                                 storageKey: syncChangeset.storageKey,
-                                entity: change.entity
+                                entity: {
+                                    ...change.entity,
+                                    id: change.id,
+                                    nodeIdentity: syncChangeset.nodeIdentity
+                                }
                             });
                         }
                         break;
@@ -283,10 +574,9 @@ class ChangeSetHelper {
     /**
      * Store the changeset.
      * @param syncChangeSet The sync change set to store.
-     * @param nodeIdentity The node identity to use for the changeset.
      * @returns The id of the change set.
      */
-    async storeChangeSet(syncChangeSet, nodeIdentity) {
+    async storeChangeSet(syncChangeSet) {
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
@@ -295,12 +585,7 @@ class ChangeSetHelper {
                 id: syncChangeSet.id
             }
         });
-        // We don't want to encrypt the sync state as no other nodes would be able to read it
-        // the blob storage also needs to be publicly accessible so that other nodes can retrieve it
-        return this._blobStorageComponent.create(Converter.bytesToBase64(ObjectHelper.toBytes(syncChangeSet)), undefined, undefined, undefined, {
-            disableEncryption: true,
-            compress: BlobStorageCompressionType.Gzip
-        }, undefined, nodeIdentity);
+        return this._blobStorageHelper.saveBlob(syncChangeSet);
     }
     /**
      * Verify the proof of a sync changeset.
@@ -319,6 +604,32 @@ class ChangeSetHelper {
             });
             return false;
         }
+        // If the proof or verification method is missing, the proof is invalid
+        const verificationMethod = syncChangeset.proof?.verificationMethod;
+        if (!Is.stringValue(verificationMethod)) {
+            await this._logging?.log({
+                level: "error",
+                source: this.CLASS_NAME,
+                message: "verifyChangeSetProofMissing",
+                data: {
+                    id: syncChangeset.id
+                }
+            });
+        }
+        // Parse the verification method and extract the node identity
+        // this should match the node identity of the changeset
+        // otherwise you could sign a changeset for another node
+        const changeSetNodeIdentity = DocumentHelper.parseId(verificationMethod ?? "");
+        if (changeSetNodeIdentity.id !== syncChangeset.nodeIdentity) {
+            await this._logging?.log({
+                level: "error",
+                source: this.CLASS_NAME,
+                message: "verifyChangeSetProofNodeIdentityMismatch",
+                data: {
+                    id: syncChangeset.id
+                }
+            });
+        }
         const changeSetWithoutProof = ObjectHelper.clone(syncChangeset);
         delete changeSetWithoutProof.proof;
         const isValid = await this._identityConnector.verifyProof(changeSetWithoutProof, syncChangeset.proof);
@@ -350,9 +661,10 @@ class ChangeSetHelper {
      * @returns The proof.
      */
     async createChangeSetProof(syncChangeset) {
+        Guards.stringValue(this.CLASS_NAME, "nodeIdentity", this._nodeIdentity);
         const changeSetWithoutProof = ObjectHelper.clone(syncChangeset);
         delete changeSetWithoutProof.proof;
-        const proof = await this._identityConnector.createProof(syncChangeset.nodeIdentity, DocumentHelper.joinId(syncChangeset.nodeIdentity, this._decentralisedStorageMethodId), ProofTypes.DataIntegrityProof, changeSetWithoutProof);
+        const proof = await this._identityConnector.createProof(this._nodeIdentity, DocumentHelper.joinId(this._nodeIdentity, this._decentralisedStorageMethodId), ProofTypes.DataIntegrityProof, changeSetWithoutProof);
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
@@ -364,6 +676,35 @@ class ChangeSetHelper {
         });
         return proof;
     }
+    /**
+     * Copy a change set.
+     * @param syncChangeSet The sync changeset to copy.
+     * @returns The id of the updated change set.
+     */
+    async copyChangeset(syncChangeSet) {
+        if (Is.stringValue(this._nodeIdentity)) {
+            const verified = await this.verifyChangesetProof(syncChangeSet);
+            if (verified) {
+                await this._logging?.log({
+                    level: "info",
+                    source: this.CLASS_NAME,
+                    message: "copyChangeSet",
+                    data: {
+                        changeSetStorageId: syncChangeSet.id
+                    }
+                });
+                // Allocate a new id to the changeset copy and re-create a proof using this nodes identity
+                const copy = ObjectHelper.clone(syncChangeSet);
+                copy.id = Converter.bytesToHex(RandomHelper.generate(32));
+                copy.proof = await this.createChangeSetProof(copy);
+                // Store the copy
+                return {
+                    syncChangeSet: copy,
+                    changeSetStorageId: await this.storeChangeSet(copy)
+                };
+            }
+        }
+    }
 }
 
 // Copyright 2024 IOTA Stiftung.
@@ -385,7 +726,7 @@ class LocalSyncStateHelper {
      * The storage connector for the sync snapshot entries.
      * @internal
      */
-    _localSyncSnapshotEntryEntityStorage;
+    _snapshotEntryEntityStorage;
     /**
      * The change set helper to use for applying changesets.
      * @internal
@@ -394,12 +735,12 @@ class LocalSyncStateHelper {
     /**
      * Create a new instance of LocalSyncStateHelper.
      * @param logging The logging connector to use for logging.
-     * @param localSyncSnapshotEntryEntityStorage The storage connector for the local sync snapshot entries.
+     * @param snapshotEntryEntityStorage The storage connector for the sync snapshot entries.
      * @param changeSetHelper The change set helper to use for applying changesets.
      */
-    constructor(logging, localSyncSnapshotEntryEntityStorage, changeSetHelper) {
+    constructor(logging, snapshotEntryEntityStorage, changeSetHelper) {
         this._logging = logging;
-        this._localSyncSnapshotEntryEntityStorage = localSyncSnapshotEntryEntityStorage;
+        this._snapshotEntryEntityStorage = snapshotEntryEntityStorage;
         this._changeSetHelper = changeSetHelper;
     }
     /**
@@ -436,7 +777,7 @@ class LocalSyncStateHelper {
         await this.setLocalChangeSnapshot(localChangeSnapshot);
     }
     /**
-     * Get the current local snapshot.
+     * Get the current local snapshot which contains just the changes for this node.
      * @param storageKey The storage key of the snapshot to get.
      * @returns The local snapshot entry.
      */
@@ -449,7 +790,7 @@ class LocalSyncStateHelper {
                 storageKey
             }
         });
-        const queryResult = await this._localSyncSnapshotEntryEntityStorage.query({
+        const queryResult = await this._snapshotEntryEntityStorage.query({
             conditions: [
                 {
                     property: "isLocalSnapshot",
@@ -491,7 +832,7 @@ class LocalSyncStateHelper {
         };
     }
     /**
-     * Set the current local snapshot.
+     * Set the current local snapshot with changes for this node.
      * @param localChangeSnapshot The local change snapshot to set.
      * @returns Nothing.
      */
@@ -504,10 +845,10 @@ class LocalSyncStateHelper {
                 storageKey: localChangeSnapshot.storageKey
             }
         });
-        await this._localSyncSnapshotEntryEntityStorage.set(localChangeSnapshot);
+        await this._snapshotEntryEntityStorage.set(localChangeSnapshot);
     }
     /**
-     * Get the current local snapshot.
+     * Get the current local snapshot with the changes for this node.
      * @param localChangeSnapshot The local change snapshot to remove.
      * @returns Nothing.
      */
@@ -520,47 +861,47 @@ class LocalSyncStateHelper {
                 snapshotId: localChangeSnapshot.id
             }
         });
-        await this._localSyncSnapshotEntryEntityStorage.remove(localChangeSnapshot.id);
+        await this._snapshotEntryEntityStorage.remove(localChangeSnapshot.id);
     }
     /**
-     * Sync local data using a remote sync state.
+     * Apply a sync state to the local node.
      * @param storageKey The storage key of the snapshot to sync with.
-     * @param remoteSyncState The sync state to sync with.
+     * @param syncState The sync state to sync with.
      * @returns Nothing.
      */
-    async syncFromRemote(storageKey, remoteSyncState) {
+    async applySyncState(storageKey, syncState) {
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
-            message: "remoteSyncSynchronisation",
+            message: "applySyncState",
             data: {
-                snapshotCount: remoteSyncState.snapshots.length
+                snapshotCount: syncState.snapshots.length
             }
         });
         // Sort from newest to oldest
-        const sortedRemoteSnapshots = remoteSyncState.snapshots.sort((a, b) => new Date(b.dateCreated).getTime() - new Date(a.dateCreated).getTime());
+        const sortedSnapshots = syncState.snapshots.sort((a, b) => new Date(b.dateCreated).getTime() - new Date(a.dateCreated).getTime());
         const newSnapshots = [];
         const modifiedSnapshots = [];
-        for (const remoteSnapshot of sortedRemoteSnapshots) {
+        for (const snapshot of sortedSnapshots) {
             await this._logging?.log({
                 level: "info",
                 source: this.CLASS_NAME,
-                message: "remoteSyncSnapshotProcessing",
+                message: "applySnapshot",
                 data: {
-                    snapshotId: remoteSnapshot.id,
-                    dateCreated: new Date(remoteSnapshot.dateCreated).toISOString()
+                    snapshotId: snapshot.id,
+                    dateCreated: new Date(snapshot.dateCreated).toISOString()
                 }
             });
-            const localSnapshot = await this._localSyncSnapshotEntryEntityStorage.get(remoteSnapshot.id);
+            const localSnapshot = await this._snapshotEntryEntityStorage.get(snapshot.id);
             const remoteSnapshotWithContext = {
-                ...remoteSnapshot,
+                ...snapshot,
                 storageKey
             };
             if (Is.empty(localSnapshot)) {
                 // We don't have the snapshot locally, so we need to process it
                 newSnapshots.push(remoteSnapshotWithContext);
             }
-            else if (localSnapshot.dateModified !== remoteSnapshot.dateModified) {
+            else if (localSnapshot.dateModified !== snapshot.dateModified) {
                 // If the local snapshot has a different dateModified, we need to update it
                 modifiedSnapshots.push({
                     localSnapshot,
@@ -582,13 +923,14 @@ class LocalSyncStateHelper {
      * Process the modified snapshots and store them in the local storage.
      * @param modifiedSnapshots The modified snapshots to process.
      * @returns Nothing.
+     * @internal
      */
     async processModifiedSnapshots(modifiedSnapshots) {
         for (const modifiedSnapshot of modifiedSnapshots) {
             await this._logging?.log({
                 level: "info",
                 source: this.CLASS_NAME,
-                message: "remoteSyncSnapshotModified",
+                message: "processModifiedSnapshot",
                 data: {
                     snapshotId: modifiedSnapshot.remoteSnapshot.id,
                     localModified: new Date(modifiedSnapshot.localSnapshot.dateModified ??
@@ -607,20 +949,21 @@ class LocalSyncStateHelper {
                     }
                 }
             }
-            await this._localSyncSnapshotEntryEntityStorage.set(modifiedSnapshot.remoteSnapshot);
+            await this._snapshotEntryEntityStorage.set(modifiedSnapshot.remoteSnapshot);
         }
     }
     /**
      * Process the new snapshots and store them in the local storage.
      * @param newSnapshots The new snapshots to process.
      * @returns Nothing.
+     * @internal
      */
     async processNewSnapshots(newSnapshots) {
         for (const newSnapshot of newSnapshots) {
             await this._logging?.log({
                 level: "info",
                 source: this.CLASS_NAME,
-                message: "remoteSyncSnapshotNew",
+                message: "processNewSnapshot",
                 data: {
                     snapshotId: newSnapshot.id,
                     localModified: new Date(newSnapshot.dateCreated).toISOString()
@@ -632,11 +975,17 @@ class LocalSyncStateHelper {
                     await this._changeSetHelper.getAndApplyChangeset(storageId);
                 }
             }
-            await this._localSyncSnapshotEntryEntityStorage.set(newSnapshot);
+            await this._snapshotEntryEntityStorage.set(newSnapshot);
         }
     }
 }
 
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+const SYNC_STATE_VERSION = "1";
+const SYNC_POINTER_STORE_VERSION = "1";
+const SYNC_SNAPSHOT_VERSION = "1";
+
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -658,10 +1007,10 @@ class RemoteSyncStateHelper {
      */
     _eventBusComponent;
     /**
-     * The blob storage component to use for remote sync states.
+     * The blob storage helper.
      * @internal
      */
-    _blobStorageComponent;
+    _blobStorageHelper;
     /**
      * The verifiable storage connector to use for storing sync pointers.
      * @internal
@@ -692,22 +1041,27 @@ class RemoteSyncStateHelper {
      * @internal
      */
     _nodeIdentity;
+    /**
+     * Whether the node is trusted or not.
+     * @internal
+     */
+    _isTrustedNode;
     /**
      * Create a new instance of DecentralisedEntityStorageConnector.
      * @param logging The logging connector to use for logging.
      * @param eventBusComponent The event bus component to use for events.
-     * @param blobStorageComponent The blob storage component to use for remote sync states.
      * @param verifiableSyncPointerStorageConnector The verifiable storage connector to use for storing sync pointers.
+     * @param blobStorageHelper The blob storage helper to use for remote sync states.
      * @param changeSetHelper The change set helper to use for managing changesets.
-     * @param synchronisedStorageKey The synchronised storage key to use for verified storage operations.
+     * @param isTrustedNode Whether the node is trusted or not.
      */
-    constructor(logging, eventBusComponent, blobStorageComponent, verifiableSyncPointerStorageConnector, changeSetHelper, synchronisedStorageKey) {
+    constructor(logging, eventBusComponent, verifiableSyncPointerStorageConnector, blobStorageHelper, changeSetHelper, isTrustedNode) {
         this._logging = logging;
         this._eventBusComponent = eventBusComponent;
-        this._blobStorageComponent = blobStorageComponent;
         this._verifiableSyncPointerStorageConnector = verifiableSyncPointerStorageConnector;
         this._changeSetHelper = changeSetHelper;
-        this._synchronisedStorageKey = synchronisedStorageKey;
+        this._blobStorageHelper = blobStorageHelper;
+        this._isTrustedNode = isTrustedNode;
         this._batchResponseStorageIds = {};
         this._populateFullChanges = {};
         this._eventBusComponent.subscribe(SynchronisedStorageTopics.BatchResponse, async (response) => {
@@ -725,17 +1079,24 @@ class RemoteSyncStateHelper {
         this._nodeIdentity = nodeIdentity;
     }
     /**
-     * Create and store a change set.
+     * Set the synchronised storage key.
+     * @param synchronisedStorageKey The synchronised storage key to use.
+     */
+    setSynchronisedStorageKey(synchronisedStorageKey) {
+        this._synchronisedStorageKey = synchronisedStorageKey;
+    }
+    /**
+     * Build a changeset.
      * @param storageKey The storage key of the change set.
      * @param changes The changes to apply.
      * @param completeCallback The callback to call when the changeset is created and stored.
      * @returns The storage id of the change set if created.
      */
-    async createAndStoreChangeSet(storageKey, changes, completeCallback) {
+    async buildChangeSet(storageKey, changes, completeCallback) {
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
-            message: "createAndStoreChangeSet",
+            message: "buildingChangeSet",
             data: {
                 storageKey,
                 changeCount: changes.length
@@ -794,12 +1155,14 @@ class RemoteSyncStateHelper {
             for (const change of changes) {
                 change.entity = this._populateFullChanges[storageKey].entities[change.id] ?? change.entity;
                 if (change.operation === SyncChangeOperation.Set && Is.objectValue(change.entity)) {
+                    // Remove the id from the entity as this is stored in the operation
+                    // and will be reinstated when the changeset is reconstituted
+                    ObjectHelper.propertyDelete(change.entity, "id");
                     // Remove the node identity as the changeset has this stored at the top level
                     // and we do not want to store it in the change itself to reduce redundancy
                     ObjectHelper.propertyDelete(change.entity, "nodeIdentity");
                 }
             }
-            // Add the changeset to the current snapshot
             const syncChangeSet = {
                 id: Converter.bytesToHex(RandomHelper.generate(32)),
                 dateCreated: new Date(Date.now()).toISOString(),
@@ -810,9 +1173,12 @@ class RemoteSyncStateHelper {
             try {
                 // And sign it with the node identity
                 syncChangeSet.proof = await this._changeSetHelper.createChangeSetProof(syncChangeSet);
-                // Store the changeset in the blob storage
-                const changeSetStorageId = await this._changeSetHelper.storeChangeSet(syncChangeSet, this._nodeIdentity);
-                await completeCallback(changeSetStorageId);
+                // If this is a trusted node, we also store the changeset
+                let changeSetStorageId;
+                if (this._isTrustedNode) {
+                    changeSetStorageId = await this._changeSetHelper.storeChangeSet(syncChangeSet);
+                }
+                await completeCallback(syncChangeSet, changeSetStorageId);
             }
             catch (err) {
                 await this._logging?.log({
@@ -855,23 +1221,26 @@ class RemoteSyncStateHelper {
         }
         // No current sync state, so we create a new one
         if (Is.empty(syncState)) {
-            syncState = { snapshots: [] };
+            syncState = { version: SYNC_STATE_VERSION, snapshots: [] };
         }
         // Sort the snapshots so the newest snapshot is last in the array
         const sortedSnapshots = syncState.snapshots.sort((a, b) => a.dateCreated.localeCompare(b.dateCreated));
         // Get the current snapshot, if it does not exist we create a new one
         let currentSnapshot = sortedSnapshots[sortedSnapshots.length - 1];
+        const now = new Date(Date.now()).toISOString();
         if (Is.empty(currentSnapshot)) {
             currentSnapshot = {
+                version: SYNC_SNAPSHOT_VERSION,
                 id: Converter.bytesToHex(RandomHelper.generate(32)),
-                dateCreated: new Date(Date.now()).toISOString(),
+                dateCreated: now,
+                dateModified: now,
                 changeSetStorageIds: []
             };
             syncState.snapshots.push(currentSnapshot);
         }
         else {
             // Snapshot exists, we update the dateModified
-            currentSnapshot.dateModified = new Date(Date.now()).toISOString();
+            currentSnapshot.dateModified = now;
         }
         // Add the changeset storage id to the current snapshot
         currentSnapshot.changeSetStorageIds.push(changeSetStorageId);
@@ -886,12 +1255,13 @@ class RemoteSyncStateHelper {
      * @param batchSize The batch size to use for consolidation.
      * @returns Nothing.
      */
-    async consolidateFromLocal(storageKey, batchSize) {
+    async consolidationStart(storageKey, batchSize) {
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
             message: "consolidationStarting"
         });
+        // Perform a batch request to start the consolidation
         await this._eventBusComponent.publish(SynchronisedStorageTopics.BatchRequest, { storageKey, batchSize });
     }
     /**
@@ -899,44 +1269,47 @@ class RemoteSyncStateHelper {
      * @returns The sync pointer store.
      */
     async getVerifiableSyncPointerStore() {
-        try {
-            await this._logging?.log({
-                level: "info",
-                source: this.CLASS_NAME,
-                message: "verifiableSyncPointerStoreRetrieving",
-                data: {
-                    key: this._synchronisedStorageKey
-                }
-            });
-            const syncPointerStore = await this._verifiableSyncPointerStorageConnector.get(this._synchronisedStorageKey, { includeData: true });
-            if (Is.uint8Array(syncPointerStore.data)) {
-                const syncPointer = ObjectHelper.fromBytes(syncPointerStore.data);
+        if (Is.stringValue(this._synchronisedStorageKey)) {
+            try {
                 await this._logging?.log({
                     level: "info",
                     source: this.CLASS_NAME,
-                    message: "verifiableSyncPointerStoreRetrieved",
+                    message: "verifiableSyncPointerStoreRetrieving",
                     data: {
                         key: this._synchronisedStorageKey
                     }
                 });
-                return syncPointer;
+                const syncPointerStore = await this._verifiableSyncPointerStorageConnector.get(this._synchronisedStorageKey, { includeData: true });
+                if (Is.uint8Array(syncPointerStore.data)) {
+                    const syncPointer = ObjectHelper.fromBytes(syncPointerStore.data);
+                    await this._logging?.log({
+                        level: "info",
+                        source: this.CLASS_NAME,
+                        message: "verifiableSyncPointerStoreRetrieved",
+                        data: {
+                            key: this._synchronisedStorageKey
+                        }
+                    });
+                    return syncPointer;
+                }
             }
-        }
-        catch (err) {
-            if (!BaseError.someErrorName(err, NotFoundError.CLASS_NAME)) {
-                throw err;
+            catch (err) {
+                if (!BaseError.someErrorName(err, NotFoundError.CLASS_NAME)) {
+                    throw err;
+                }
             }
+            await this._logging?.log({
+                level: "info",
+                source: this.CLASS_NAME,
+                message: "verifiableSyncPointerStoreNotFound",
+                data: {
+                    key: this._synchronisedStorageKey
+                }
+            });
         }
-        await this._logging?.log({
-            level: "info",
-            source: this.CLASS_NAME,
-            message: "verifiableSyncPointerStoreNotFound",
-            data: {
-                key: this._synchronisedStorageKey
-            }
-        });
         // If no sync pointer store exists, we return an empty one
         return {
+            version: SYNC_POINTER_STORE_VERSION,
             syncPointers: {}
         };
     }
@@ -946,7 +1319,7 @@ class RemoteSyncStateHelper {
      * @returns Nothing.
      */
     async storeVerifiableSyncPointerStore(syncPointerStore) {
-        if (this._nodeIdentity) {
+        if (Is.stringValue(this._nodeIdentity) && Is.stringValue(this._synchronisedStorageKey)) {
             await this._logging?.log({
                 level: "info",
                 source: this.CLASS_NAME,
@@ -973,9 +1346,7 @@ class RemoteSyncStateHelper {
                 snapshotCount: syncState.snapshots.length
             }
         });
-        // We don't want to encrypt the sync state as no other nodes would be able to read it
-        // the blob storage also needs to be publicly accessible so that other nodes can retrieve it
-        return this._blobStorageComponent.create(Converter.bytesToBase64(ObjectHelper.toBytes(syncState)), undefined, undefined, undefined, { disableEncryption: true, compress: BlobStorageCompressionType.Gzip }, undefined, this._nodeIdentity);
+        return this._blobStorageHelper.saveBlob(syncState);
     }
     /**
      * Get the remote sync state.
@@ -992,11 +1363,8 @@ class RemoteSyncStateHelper {
                     syncPointerId
                 }
             });
-            const blobEntry = await this._blobStorageComponent.get(syncPointerId, {
-                includeContent: true
-            }, undefined, this._nodeIdentity);
-            if (Is.stringBase64(blobEntry.blob)) {
-                const syncState = ObjectHelper.fromBytes(Converter.base64ToBytes(blobEntry.blob));
+            const syncState = await this._blobStorageHelper.load(syncPointerId);
+            if (Is.object(syncState)) {
                 await this._logging?.log({
                     level: "info",
                     source: this.CLASS_NAME,
@@ -1009,10 +1377,16 @@ class RemoteSyncStateHelper {
                 return syncState;
             }
         }
-        catch (err) {
-            if (!BaseError.someErrorName(err, NotFoundError.CLASS_NAME)) {
-                throw err;
-            }
+        catch (error) {
+            await this._logging?.log({
+                level: "warn",
+                source: this.CLASS_NAME,
+                message: "getSyncStateError",
+                data: {
+                    syncPointerId
+                },
+                error: BaseError.fromError(error)
+            });
         }
         await this._logging?.log({
             level: "info",
@@ -1024,18 +1398,20 @@ class RemoteSyncStateHelper {
         });
     }
     /**
-     * Handle the batch response.
+     * Handle the batch response which is triggered from a consolidation request.
      * @param response The batch response to handle.
      */
     async handleBatchResponse(response) {
         if (Is.stringValue(this._nodeIdentity)) {
+            const now = new Date(Date.now()).toISOString();
             // Create a new snapshot entry for the current batch
             const syncChangeSet = {
                 id: Converter.bytesToHex(RandomHelper.generate(32)),
-                dateCreated: new Date(Date.now()).toISOString(),
+                dateCreated: now,
+                dateModified: now,
                 changes: response.entities.map(change => ({
                     operation: SyncChangeOperation.Set,
-                    id: change[response.primaryKey]
+                    id: change.id
                 })),
                 storageKey: response.storageKey,
                 nodeIdentity: this._nodeIdentity
@@ -1043,25 +1419,37 @@ class RemoteSyncStateHelper {
             // And sign it with the node identity
             syncChangeSet.proof = await this._changeSetHelper.createChangeSetProof(syncChangeSet);
             // Store the changeset in the blob storage
-            const changeSetStorageId = await this._changeSetHelper.storeChangeSet(syncChangeSet, this._nodeIdentity);
+            const changeSetStorageId = await this._changeSetHelper.storeChangeSet(syncChangeSet);
             // Add the changeset storage id to the snapshot ids
             this._batchResponseStorageIds[response.storageKey] ??= [];
             this._batchResponseStorageIds[response.storageKey].push(changeSetStorageId);
+            // If this is the last entry in the batch response, we can create the consolidated snapshot
             if (response.lastEntry) {
-                const syncState = { snapshots: [] };
+                // Get the current sync pointer store
+                const syncPointerStore = await this.getVerifiableSyncPointerStore();
+                let syncState;
+                if (Is.stringValue(syncPointerStore.syncPointers[response.storageKey])) {
+                    // If the sync pointer exists, we load the current sync state
+                    syncState = await this.getRemoteSyncState(syncPointerStore.syncPointers[response.storageKey]);
+                }
+                // If the sync state does not exist, we create a new one
+                syncState ??= { version: SYNC_STATE_VERSION, snapshots: [] };
                 const batchSnapshot = {
+                    version: SYNC_SNAPSHOT_VERSION,
                     id: Converter.bytesToHex(RandomHelper.generate(32)),
-                    dateCreated: new Date(Date.now()).toISOString(),
+                    dateCreated: now,
+                    dateModified: now,
                     changeSetStorageIds: this._batchResponseStorageIds[response.storageKey]
                 };
                 syncState.snapshots.push(batchSnapshot);
                 // Store the sync state in the blob storage
                 const syncStateId = await this.storeRemoteSyncState(syncState);
-                // Get the current sync pointer store
-                const syncPointerStore = await this.getVerifiableSyncPointerStore();
                 syncPointerStore.syncPointers[response.storageKey] = syncStateId;
                 // Store the verifiable sync pointer in the verifiable storage
                 await this.storeVerifiableSyncPointerStore(syncPointerStore);
+                // Remove the batch response storage ids for the storage key
+                // as we have consolidated the changes
+                delete this._batchResponseStorageIds[response.storageKey];
                 await this._logging?.log({
                     level: "info",
                     source: this.CLASS_NAME,
@@ -1130,16 +1518,21 @@ class SynchronisedStorageService {
      * @internal
      */
     _eventBusComponent;
+    /**
+     * The vault connector.
+     * @internal
+     */
+    _vaultConnector;
     /**
      * The storage connector for the sync snapshot entries.
      * @internal
      */
     _localSyncSnapshotEntryEntityStorage;
     /**
-     * The blob storage component to use for remote sync states.
+     * The blob storage connector to use for remote sync states.
      * @internal
      */
-    _blobStorageComponent;
+    _blobStorageConnector;
     /**
      * The verifiable storage connector to use for storing sync pointers.
      * @internal
@@ -1160,6 +1553,11 @@ class SynchronisedStorageService {
      * @internal
      */
     _trustedSynchronisedStorageComponent;
+    /**
+     * The blob storage helper.
+     * @internal
+     */
+    _blobStorageHelper;
     /**
      * The change set helper.
      * @internal
@@ -1180,6 +1578,11 @@ class SynchronisedStorageService {
      * @internal
      */
     _config;
+    /**
+     * The synchronised storage key to use for the remote synchronised storage.
+     * @internal
+     */
+    _synchronisedStorageKey;
     /**
      * The flag to determine if the service has been started.
      * @internal
@@ -1204,13 +1607,13 @@ class SynchronisedStorageService {
         Guards.object(this.CLASS_NAME, "options.config", options.config);
         this._eventBusComponent = ComponentFactory.get(options.eventBusComponentType ?? "event-bus");
         this._logging = LoggingConnectorFactory.getIfExists(options.loggingConnectorType ?? "logging");
+        this._vaultConnector = VaultConnectorFactory.get(options.vaultConnectorType ?? "vault");
         this._localSyncSnapshotEntryEntityStorage = EntityStorageConnectorFactory.get(options.syncSnapshotStorageConnectorType ?? "sync-snapshot-entry");
         this._verifiableSyncPointerStorageConnector = VerifiableStorageConnectorFactory.get(options.verifiableStorageConnectorType ?? "verifiable-storage");
-        this._blobStorageComponent = ComponentFactory.get(options.blobStorageComponentType ?? "blob-storage");
+        this._blobStorageConnector = BlobStorageConnectorFactory.get(options.blobStorageConnectorType ?? "blob-storage");
         this._identityConnector = IdentityConnectorFactory.get(options.identityConnectorType ?? "identity");
         this._taskSchedulerComponent = ComponentFactory.get(options.taskSchedulerComponentType ?? "task-scheduler");
         this._config = {
-            synchronisedStorageKey: options.config.synchronisedStorageKey,
             synchronisedStorageMethodId: options.config.synchronisedStorageMethodId ?? "synchronised-storage-assertion",
             entityUpdateIntervalMinutes: options.config.entityUpdateIntervalMinutes ??
                 SynchronisedStorageService._DEFAULT_ENTITY_UPDATE_INTERVAL_MINUTES,
@@ -1218,8 +1621,12 @@ class SynchronisedStorageService {
             consolidationIntervalMinutes: options.config.consolidationIntervalMinutes ??
                 SynchronisedStorageService._DEFAULT_CONSOLIDATION_INTERVAL_MINUTES,
             consolidationBatchSize: options.config.consolidationBatchSize ??
-                SynchronisedStorageService._DEFAULT_CONSOLIDATION_BATCH_SIZE
+                SynchronisedStorageService._DEFAULT_CONSOLIDATION_BATCH_SIZE,
+            blobStorageEncryptionKeyId: options.config.blobStorageEncryptionKeyId ?? "synchronised-storage-blob-encryption-key",
+            verifiableStorageKeyId: options.config.verifiableStorageKeyId
         };
+        this._synchronisedStorageKey =
+            verifiableStorageKeys[options.config.verifiableStorageKeyId] ?? options.config.verifiableStorageKeyId;
         // If this is not a trusted node, we need to use a synchronised storage service
         // to synchronise with a trusted node.
         if (!this._config.isTrustedNode) {
@@ -1227,12 +1634,13 @@ class SynchronisedStorageService {
             this._trustedSynchronisedStorageComponent =
                 ComponentFactory.get(options.trustedSynchronisedStorageComponentType);
         }
-        this._changeSetHelper = new ChangeSetHelper(this._logging, this._eventBusComponent, this._blobStorageComponent, this._identityConnector, this._config.synchronisedStorageMethodId);
+        this._blobStorageHelper = new BlobStorageHelper(this._logging, this._vaultConnector, this._blobStorageConnector, this._config.blobStorageEncryptionKeyId, this._config.isTrustedNode);
+        this._changeSetHelper = new ChangeSetHelper(this._logging, this._eventBusComponent, this._identityConnector, this._blobStorageHelper, this._config.synchronisedStorageMethodId);
         this._localSyncStateHelper = new LocalSyncStateHelper(this._logging, this._localSyncSnapshotEntryEntityStorage, this._changeSetHelper);
-        this._remoteSyncStateHelper = new RemoteSyncStateHelper(this._logging, this._eventBusComponent, this._blobStorageComponent, this._verifiableSyncPointerStorageConnector, this._changeSetHelper, this._config.synchronisedStorageKey);
+        this._remoteSyncStateHelper = new RemoteSyncStateHelper(this._logging, this._eventBusComponent, this._verifiableSyncPointerStorageConnector, this._blobStorageHelper, this._changeSetHelper, this._config.isTrustedNode);
         this._serviceStarted = false;
         this._activeStorageKeys = {};
-        this._eventBusComponent.subscribe(SynchronisedStorageTopics.RegisterStorageKey, async (event) => this.registerType(event.data));
+        this._eventBusComponent.subscribe(SynchronisedStorageTopics.RegisterStorageKey, async (event) => this.registerStorageKey(event.data));
         this._eventBusComponent.subscribe(SynchronisedStorageTopics.LocalItemChange, async (event) => this._localSyncStateHelper.addLocalChange(event.data.storageKey, event.data.operation, event.data.id));
     }
     /**
@@ -1245,7 +1653,16 @@ class SynchronisedStorageService {
     async start(nodeIdentity, nodeLoggingConnectorType, componentState) {
         this._nodeIdentity = nodeIdentity;
         this._remoteSyncStateHelper.setNodeIdentity(nodeIdentity);
+        this._changeSetHelper.setNodeIdentity(nodeIdentity);
+        this._remoteSyncStateHelper.setSynchronisedStorageKey(this._synchronisedStorageKey);
         this._serviceStarted = true;
+        // If this is not a trusted node we need to request the decryption key from a trusted node
+        if (!this._config.isTrustedNode && !Is.empty(this._trustedSynchronisedStorageComponent)) {
+            const proof = await this._identityConnector.createProof(this._nodeIdentity, DocumentHelper.joinId(this._nodeIdentity, this._config.synchronisedStorageMethodId), ProofTypes.DataIntegrityProof, { nodeIdentity });
+            const decryptionKey = await this._trustedSynchronisedStorageComponent.getDecryptionKey(this._nodeIdentity, proof);
+            // We don't have the private key so instead we store the key as a secret in the vault
+            await this._vaultConnector.setSecret(this._config.blobStorageEncryptionKeyId, decryptionKey);
+        }
         // If there are already storage keys registered, we need to activate them
         for (const storageKey in this._activeStorageKeys) {
             await this.activateStorageKey(storageKey);
@@ -1266,24 +1683,59 @@ class SynchronisedStorageService {
         }
     }
     /**
-     * Synchronise a complete set of changes, assumes this is a trusted node.
-     * @param changeSetStorageId The id of the change set to synchronise in blob storage.
+     * Get the decryption key for the synchronised storage.
+     * This is used to decrypt the data stored in the synchronised storage.
+     * @param nodeIdentity The identity of the node requesting the decryption key.
+     * @param proof The proof of the request so we know the request is from the specified node.
+     * @returns The decryption key.
+     */
+    async getDecryptionKey(nodeIdentity, proof) {
+        if (!this._config.isTrustedNode) {
+            throw new GeneralError(this.CLASS_NAME, "notTrustedNode");
+        }
+        Guards.stringValue(this.CLASS_NAME, "nodeIdentity", nodeIdentity);
+        Guards.object(this.CLASS_NAME, "proof", proof);
+        const isValid = await this._identityConnector.verifyProof({ nodeIdentity }, proof);
+        if (!isValid) {
+            throw new UnauthorizedError(this.CLASS_NAME, "invalidProof");
+        }
+        // TODO: We need to check if the node has permissions to access the decryption key
+        // using rights-management
+        const key = await this._vaultConnector.getKey(this._config.blobStorageEncryptionKeyId);
+        if (Is.undefined(key.publicKey)) {
+            throw new UnauthorizedError(this.CLASS_NAME, "decryptionKeyNotFound");
+        }
+        return Converter.bytesToBase64(key.publicKey);
+    }
+    /**
+     * Synchronise a set of changes from an untrusted node, assumes this is a trusted node.
+     * @param syncChangeSet The change set to synchronise.
      * @returns Nothing.
      */
-    async syncChangeSet(changeSetStorageId) {
+    async syncChangeSet(syncChangeSet) {
         if (!this._config.isTrustedNode) {
             throw new GeneralError(this.CLASS_NAME, "notTrustedNode");
         }
-        // This method is called by non trusted nodes to synchronise changes
-        Guards.stringValue(this.CLASS_NAME, "changeSetStorageId", changeSetStorageId);
+        Guards.object(this.CLASS_NAME, "syncChangeSet", syncChangeSet);
+        await this._logging?.log({
+            level: "info",
+            source: this.CLASS_NAME,
+            message: "syncChangeSetForRemoteNode",
+            data: {
+                changeSetStorageId: syncChangeSet.id
+            }
+        });
         // TODO: The change set has a proof signed by the originating node identity
         // The proof is verified that the change set is valid and has not been tampered with.
         // but we also need to check that the originating node has permissions
         // to store the change set in the synchronised storage.
         // This will be performed using rights-management
-        const changeSet = await this._changeSetHelper.getAndApplyChangeset(changeSetStorageId);
-        if (!Is.empty(changeSet)) {
-            await this._remoteSyncStateHelper.addChangeSetToSyncState(changeSet.storageKey, changeSetStorageId);
+        const copy = await this._changeSetHelper.copyChangeset(syncChangeSet);
+        if (!Is.empty(copy) && Is.stringValue(this._nodeIdentity)) {
+            // Apply the changes to this node
+            await this._changeSetHelper.applyChangeset(copy.syncChangeSet);
+            // And update the sync state with the latest changes
+            await this._remoteSyncStateHelper.addChangeSetToSyncState(copy.syncChangeSet.storageKey, copy.changeSetStorageId);
         }
     }
     /**
@@ -1339,7 +1791,7 @@ class SynchronisedStorageService {
             const remoteSyncState = await this._remoteSyncStateHelper.getRemoteSyncState(verifiableSyncPointerStore.syncPointers[storageKey]);
             // If we got the sync state we can try and sync from it
             if (!Is.undefined(remoteSyncState)) {
-                await this._localSyncStateHelper.syncFromRemote(storageKey, remoteSyncState);
+                await this._localSyncStateHelper.applySyncState(storageKey, remoteSyncState);
             }
         }
     }
@@ -1359,38 +1811,51 @@ class SynchronisedStorageService {
         });
         const localChangeSnapshot = await this._localSyncStateHelper.getLocalChangeSnapshot(storageKey);
         if (Is.arrayValue(localChangeSnapshot.changes)) {
-            await this._remoteSyncStateHelper.createAndStoreChangeSet(storageKey, localChangeSnapshot.changes, async (changeSetStorageId) => {
-                if (Is.stringValue(changeSetStorageId)) {
+            await this._remoteSyncStateHelper.buildChangeSet(storageKey, localChangeSnapshot.changes, async (syncChangeSet, changeSetStorageId) => {
+                if (Is.empty(syncChangeSet) && Is.empty(changeSetStorageId)) {
                     await this._logging?.log({
                         level: "info",
                         source: this.CLASS_NAME,
-                        message: "createdStorageChangeSet",
+                        message: "builtStorageChangeSetNone",
+                        data: {
+                            storageKey
+                        }
+                    });
+                }
+                else {
+                    await this._logging?.log({
+                        level: "info",
+                        source: this.CLASS_NAME,
+                        message: "builtStorageChangeSet",
                         data: {
                             storageKey,
                             changeSetStorageId
                         }
                     });
                     // Send the local changes to the remote storage if we are a trusted node
-                    if (this._config.isTrustedNode) {
+                    if (this._config.isTrustedNode && Is.stringValue(changeSetStorageId)) {
+                        // If we are a trusted node, we can add the change set to the sync state
+                        // and remove the local change snapshot
                         await this._remoteSyncStateHelper.addChangeSetToSyncState(storageKey, changeSetStorageId);
                         await this._localSyncStateHelper.removeLocalChangeSnapshot(localChangeSnapshot);
                     }
-                    else if (!Is.empty(this._trustedSynchronisedStorageComponent)) {
+                    else if (!Is.empty(this._trustedSynchronisedStorageComponent) &&
+                        Is.object(syncChangeSet)) {
                         // If we are not a trusted node, we need to send the changes to the trusted node
-                        await this._trustedSynchronisedStorageComponent.syncChangeSet(changeSetStorageId);
+                        // and then remove the local change snapshot
+                        await this._logging?.log({
+                            level: "info",
+                            source: this.CLASS_NAME,
+                            message: "sendingChangeSetToTrustedNode",
+                            data: {
+                                storageKey,
+                                changeSetStorageId
+                            }
+                        });
+                        await this._trustedSynchronisedStorageComponent.syncChangeSet(syncChangeSet);
                         await this._localSyncStateHelper.removeLocalChangeSnapshot(localChangeSnapshot);
                     }
                 }
-                else {
-                    await this._logging?.log({
-                        level: "info",
-                        source: this.CLASS_NAME,
-                        message: "createdStorageChangeSetNone",
-                        data: {
-                            storageKey
-                        }
-                    });
-                }
             });
         }
         else {
@@ -1413,17 +1878,16 @@ class SynchronisedStorageService {
     async startConsolidationSync(storageKey) {
         let localChangeSnapshot;
         try {
-            // If we are performing a consolidation, we can remove the local changes
-            await this._localSyncStateHelper.getLocalChangeSnapshot(storageKey);
+            // If we are performing a consolidation, we can remove the local change snapshot
+            // as we are going to create a complete changeset from the DB
+            localChangeSnapshot = await this._localSyncStateHelper.getLocalChangeSnapshot(storageKey);
             if (!Is.empty(localChangeSnapshot)) {
                 await this._localSyncStateHelper.removeLocalChangeSnapshot(localChangeSnapshot);
             }
-            if (Is.stringValue(this._nodeIdentity)) {
-                await this._remoteSyncStateHelper.consolidateFromLocal(storageKey, this._config.consolidationBatchSize ??
-                    SynchronisedStorageService._DEFAULT_CONSOLIDATION_BATCH_SIZE);
-                // The consolidation was successful, so we can remove the local change snapshot permanently
-                localChangeSnapshot = undefined;
-            }
+            await this._remoteSyncStateHelper.consolidationStart(storageKey, this._config.consolidationBatchSize ??
+                SynchronisedStorageService._DEFAULT_CONSOLIDATION_BATCH_SIZE);
+            // The consolidation was successful, so we can remove the local change snapshot permanently
+            localChangeSnapshot = undefined;
         }
         catch (error) {
             if (localChangeSnapshot) {
@@ -1440,22 +1904,22 @@ class SynchronisedStorageService {
     }
     /**
      * Register a new sync type.
-     * @param syncRegisterType The sync register type to register.
+     * @param syncRegisterStorageKey The sync register type to register.
      * @internal
      */
-    async registerType(syncRegisterType) {
+    async registerStorageKey(syncRegisterStorageKey) {
         await this._logging?.log({
             level: "info",
             source: this.CLASS_NAME,
-            message: "registerType",
+            message: "registerStorageKey",
             data: {
-                storageKey: syncRegisterType.storageKey
+                storageKey: syncRegisterStorageKey.storageKey
             }
         });
-        if (Is.empty(this._activeStorageKeys[syncRegisterType.storageKey])) {
-            this._activeStorageKeys[syncRegisterType.storageKey] = false;
+        if (Is.empty(this._activeStorageKeys[syncRegisterStorageKey.storageKey])) {
+            this._activeStorageKeys[syncRegisterStorageKey.storageKey] = false;
             if (this._serviceStarted) {
-                await this.activateStorageKey(syncRegisterType.storageKey);
+                await this.activateStorageKey(syncRegisterStorageKey.storageKey);
             }
         }
     }
@@ -1469,7 +1933,7 @@ class SynchronisedStorageService {
             await this._logging?.log({
                 level: "info",
                 source: this.CLASS_NAME,
-                message: "activateType",
+                message: "activateStorageKey",
                 data: {
                     storageKey
                 }
@@ -1495,4 +1959,4 @@ class SynchronisedStorageService {
     }
 }
 
-export { SyncSnapshotEntry, SynchronisedStorageService, generateRestRoutesSynchronisedStorage, initSchema, restEntryPoints, synchronisedStorageSyncChangeSetRequest, tagsSynchronisedStorage };
+export { SyncSnapshotEntry, SynchronisedStorageService, generateRestRoutesSynchronisedStorage, initSchema, restEntryPoints, synchronisedStorageGetDecryptionKeyRequest, synchronisedStorageSyncChangeSetRequest, tagsSynchronisedStorage };