Creating TDF's
Encrypting / Decrypting zTDF
- Go
- Java
- Typescript
package main
import (
"bytes"
"log"
"strings"
"github.com/opentdf/platform/sdk"
)
func main() {
log.Println("🚀 Starting OpenTDF example...")
platformEndpoint := "http://localhost:9002"
log.Printf("📡 Connecting to platform: %s", platformEndpoint)
// Create a new client
log.Println("🔐 Initializing new SDK client...")
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatalf("❌ Client initialization failed: %v", err)
}
// Encrypt ztdf
log.Println("📝 Preparing sensitive data for encryption...")
str := strings.NewReader("Sensitive data!")
buf := &bytes.Buffer{}
log.Println("🔒 Encrypting data...")
manifest, err := client.CreateTDF(buf, str,
//sdk.WithDataAttributes("https://opentdf.io/attr/role/value/developer"),
sdk.WithKasInformation(
sdk.KASInfo{
URL: platformEndpoint,
},
),
)
if err != nil {
log.Fatalf("❌ Encryption failed: %v", err)
}
log.Println("✅ Data successfully encrypted")
log.Printf("📋 TDF Manifest details:\n\n%v\n\n", manifest)
// Decrypt ztdf
log.Println("🔓 Decrypting data...")
tdfReader, err := client.LoadTDF(bytes.NewReader(buf.Bytes()))
if err != nil {
log.Fatalf("❌ Decryption failed: %v", err)
}
// Create a buffer to capture the decrypted data
var decryptedBuf bytes.Buffer
if _, err = tdfReader.WriteTo(&decryptedBuf); err != nil {
log.Fatalf("❌ Failed to write decrypted data: %v", err)
}
log.Printf("📤 Decrypted content: \n\n%s\n\n", decryptedBuf.String())
log.Println("✅ Example complete!")
}
package io.opentdf.platform;
import io.opentdf.platform.sdk.*;
import java.io.ByteArrayInputStream;
import java.io.BufferedOutputStream;
import java.nio.charset.StandardCharsets;
import java.io.FileOutputStream;
import com.nimbusds.jose.JOSEException;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.nio.file.StandardOpenOption;
import java.nio.channels.FileChannel;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.text.ParseException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.codec.DecoderException;
public class EncryptExample {
public static void main(String[] args) throws IOException, JOSEException, AutoConfigureException, InterruptedException, ExecutionException {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
SDKBuilder builder = new SDKBuilder();
SDK sdk = builder.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret).useInsecurePlaintextConnection(true)
.build();
var kasInfo = new Config.KASInfo();
kasInfo.URL = "http://localhost:8080/kas";
var tdfConfig = Config.newTDFConfig(Config.withKasInformation(kasInfo), Config.withDataAttributes("https://mynamespace.com/attr/test/value/test1"));
String str = "Hello, World!";
var in = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8));
FileOutputStream fos = new FileOutputStream("my.ciphertext");
new TDF().createTDF(in, fos, tdfConfig, sdk.getServices().kas(), sdk.getServices().attributes());
Path path = Paths.get("my.ciphertext");
try (var in = FileChannel.open(path, StandardOpenOption.READ)) {
var reader = new TDF().loadTDF(in, sdk.getServices().kas());
reader.readPayload(System.out);
}
}
}
import { AuthProviders, NanoTDFClient } from '@opentdf/sdk';
// Configuration Options
const kasEndpoint = "https://kas.example.com";
// Authentication options (vary by middleware)
const oidcOrigin = "https://idp.example.com";
const clientId = "applicationNameFromIdP";
const refreshToken = "userRefreshTokenValueFromIdP";
// AuthProviders are middlewares that add `Authorization` or other bearer tokens to requests.
// These include The `refresh` provider can be handed a refresh and optional access token.
const authProvider = await AuthProviders.refreshAuthProvider({
clientId,
exchange: 'refresh',
refreshToken,
oidcOrigin,
});
const client = new TDF3Client({
authProvider,
kasEndpoint,
});
// ABAC
const attributes = ["http://example.com/attr/classification/value/secret"]
// encrypt
const source = new ReadableStream({
pull(controller) {
controller.enqueue(new TextEncoder().encode(string));
controller.close();
},
});
const ciphertextStream = await client.encrypt({ offline: true, source, scope: {attributes} });
// decrypt
const plaintextStream = await client.decrypt({
source: { type: 'stream', location: ciphertextStream }
});
const plaintext = await plaintextStream.toString();