
Function: ztdfDecrypt(sdsdkDecryptParameters: ZtdfDecryptParameters)

The ztdfDecrypt function decrypts data that was previously encrypted using the Zero Trust Data Format (ZTDF).

WARNING

Data encrypted with SDSDK v2 and earlier versions cannot be decrypted with newer versions. To upgrade, first decrypt the data using the previous version of SDSDK, then re-encrypt it using the latest version of SDSDK.

Description

This function takes encrypted ZTDF data as input and performs decryption operations. It communicates with a Key Access Service (KAS) for key retrieval and uses a validator engine to ensure the integrity of the data manifest.

symmetric_kas protocol

[Figure: Decrypt schema]

kas protocol

[Figure: Decrypt asym schema]

NOTE

Automatic Protocol Detection:

The decryption process is driven by the information contained within the ZTDF manifest itself. The manifest specifies which key access protocol (kas or symmetric_kas) was used during encryption, along with the KAS endpoint URL.

This is why you do not need to provide these details as parameters to the ztdfDecrypt function. The SDK automatically reads the manifest and follows the correct procedure to unwrap the key and decrypt the data, simplifying the developer's task.
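Because the KAS endpoint URL is read from the manifest rather than supplied by the caller, an application that decrypts ZTDF objects received from outside sources can check that URL against an allowlist before passing its KAS credentials to ztdfDecrypt. The following is an added example, not SDK code: checkKasEndpoints, the allowlist values and the manifest field path (encryptionInformation.keyAccess[].url and .protocol, following the OpenTDF manifest layout) are assumptions, since this page does not show the manifest structure.

```javascript
// Added example, not part of the SDK. Manifest layout is an ASSUMPTION taken
// from the OpenTDF manifest (encryptionInformation.keyAccess[].url/.protocol).

// Constructed allowlist: KAS origins this application is willing to contact.
const ALLOWED_KAS_ORIGINS = new Set(['https://kas.example.internal']);
// The two key access protocols named on this page.
const ALLOWED_PROTOCOLS = new Set(['kas', 'symmetric_kas']);

function checkKasEndpoints(manifest, allowedOrigins = ALLOWED_KAS_ORIGINS) {
  const entries = manifest?.encryptionInformation?.keyAccess;
  if (!Array.isArray(entries) || entries.length === 0) {
    return { ok: false, reason: 'manifest has no key access entries' };
  }
  for (const entry of entries) {
    if (!ALLOWED_PROTOCOLS.has(entry?.protocol)) {
      return { ok: false, reason: `unexpected protocol: ${String(entry?.protocol)}` };
    }
    let url;
    try {
      url = new URL(entry.url);
    } catch {
      return { ok: false, reason: 'KAS URL is not a valid absolute URL' };
    }
    // Credentials should only travel over TLS, and a URL carrying userinfo
    // (https://trusted-name@other.host/) is rejected outright.
    if (url.protocol !== 'https:' || url.username || url.password) {
      return { ok: false, reason: `rejected KAS URL: ${url.origin}` };
    }
    // Compare the parsed origin (scheme + host + port), never a string prefix,
    // so "kas.example.internal.other.example" does not match.
    if (!allowedOrigins.has(url.origin)) {
      return { ok: false, reason: `KAS origin not allowlisted: ${url.origin}` };
    }
  }
  return { ok: true, reason: 'all KAS endpoints allowlisted' };
}

// Constructed sample manifests (not real ZTDF output).
const trustedManifest = { encryptionInformation: { keyAccess: [
  { protocol: 'kas', url: 'https://kas.example.internal/api' }] } };
const lookalikeManifest = { encryptionInformation: { keyAccess: [
  { protocol: 'kas', url: 'https://kas.example.internal.other.example/api' }] } };

console.log(checkKasEndpoints(trustedManifest));
console.log(checkKasEndpoints(lookalikeManifest));
```

Run the check on the manifest before calling ztdfDecrypt, and refuse to decrypt when ok is false.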

Parameters

sdsdkDecryptParameters: object containing decryption parameters.

sdsdkZtdf

  • Type: SdsdkZtdf
  • Description: ZTDF object containing encrypted data.

kas.authentication.mode

  • Type: string
  • Description: Authentication mode ("basic" or "bearer"). For more information refer to Authentication setup.

kas.authentication.value

  • Type: string
  • Description: Authentication value (API key or JWT value). For more information refer to Authentication setup.

Return

Promise containing decryption result:

data

  • Type: Uint8Array
  • Description: Decrypted data.

How ABAC works

During decryption, the attributes specified during encryption are sent to the KMaaS, which sends them to the policy server (see KMaaS documentation). You can write your own rules to authorize or deny decryption.

Example

javascript
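import { SdsdkZtdf, ztdfDecrypt } from 'sdsdk';

// JSON representation of the ZTDF object to decrypt.
const jsonData = {
  metadata: {
    version: 1,
  },
  payload: new TextEncoder().encode('Data to be decrypted'),
  manifest: {
    // Manifest properties
  },
};

// Build the SdsdkZtdf object expected by ztdfDecrypt.
const sdsdkZtdf = SdsdkZtdf.fromJson(jsonData);

// The KAS endpoint and protocol are read from the manifest;
// only the KAS authentication is passed here.
const decrypted = await ztdfDecrypt({
  sdsdkZtdf: sdsdkZtdf,
  kas: {
    authentication: {
      mode: 'basic', // "basic" or "bearer"
      value: 'dGVzdEFwaUtleTpvY2dZ...L0x4Vw==', // API key or JWT value
    },
  },
});

// decrypted.data is a Uint8Array holding the decrypted data.
console.log(new TextDecoder().decode(decrypted.data));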