Simple Round-Trip Example
In order to run this example, you need to be running a Tenant Security Proxy (TSP) on your machine.
Check the README.md file in the parent directory to see how to start the TSP, if you haven't done so
yet.
Once the TSP is running, you can experiment with this example Go program. It illustrates the basics of how
to use the Tenant Security Client (TSC) SDK to encrypt and decrypt data. The example code shows two scenarios:
- encryption and decryption of a record that you might store in a key-value store or a database
- encryption and decryption of a file, using the file-system for storage
To run the example, you will need to have Go 1.17+ installed on your computer.
export API_KEY='0WUaXesNgbTAuLwn'
go run .
We've assigned an API key for you, but in production you will make your own and edit the TSP
configuration with it. Running the program should produce output like:
Using tenant tenant-gcp-l
Decrypted SSN: 000-12-2345
Decrypted address: 2825-519 Stone Creek Rd, Bozeman, MT 59715
Decrypted name: Jim Bridger
Wrote encrypted file to success.jpg.enc
Wrote edek to success.jpg.edek
Wrote decrypted file to decrypted.jpg
The decrypted output is printed after round-tripping encryption and decryption of the customer record.
If you look in the current directory, you'll find a success.jpg file. The example code encrypted
that file to produce a success.jpg.enc file containing the encrypted file data, and a second file
success.jpg.edek that contains the Encrypted Data Encryption Key (EDEK) that is required to
decrypt the file. It then used that EDEK to decrypt the .enc file, writing a decrypted.jpg file.
If you do a cksum success.jpg decrypted.jpg, you can confirm that the decrypted file is identical
to the original.
When you run the example, you should see a number of INFO outputs generated by your TSP indicating
that it was wrapping a new DEK using the KMS, then unwrapping an EDEK.
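The two operations those log lines report, wrapping a new DEK and unwrapping an EDEK, are sketched below as an added example; it is not code from this repository, the TSC SDK or the TSP. It assumes a local AES-256-GCM key in place of the tenant's KMS key, and gcm, wrapNewDEK and unwrapEDEK are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm returns AES-GCM for key; a 32-byte key selects AES-256.
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// wrapNewDEK returns a random 32-byte DEK and its EDEK: nonce || ciphertext || tag.
func wrapNewDEK(kek []byte) ([]byte, []byte, error) {
	a, err := gcm(kek)
	if err != nil {
		return nil, nil, err
	}
	r := make([]byte, 32+a.NonceSize()) // DEK bytes, then the wrap nonce
	if _, err = rand.Read(r); err != nil {
		return nil, nil, err
	}
	dek, nonce := r[:32], r[32:]
	return dek, a.Seal(nonce, nonce, dek, nil), nil
}

// unwrapEDEK returns the DEK, or an error for a wrong KEK or a modified EDEK.
func unwrapEDEK(kek, edek []byte) ([]byte, error) {
	a, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	if len(edek) < a.NonceSize() {
		return nil, fmt.Errorf("EDEK is shorter than the %d-byte nonce", a.NonceSize())
	}
	return a.Open(nil, edek[:a.NonceSize()], edek[a.NonceSize():], nil)
}

func main() {
	kek := []byte("constructed-demo-KEK-32-bytes!!!") // constructed key, stands in for the KMS key
	_, edek, werr := wrapNewDEK(kek)
	dek, uerr := unwrapEDEK(kek, edek)
	fmt.Printf("EDEK %d bytes, DEK %d bytes, errors: %v %v\n", len(edek), len(dek), werr, uerr)
}
```

In this sketch only the EDEK would be stored next to the encrypted data; the DEK is recoverable only by a caller holding the same wrapping key, so an EDEK presented with a different key fails authentication instead of yielding a wrong DEK.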
If you would like to experiment with a different tenant, just do:
export API_KEY='0WUaXesNgbTAuLwn'
export TENANT_ID=<selected-tenant-ID>
go run .
The available tenants are listed in the README.md in the parent directory.
If you set the tenant to tenant-gcp-l and run the program, then compare the logs generated by the
TSP to the logs generated when you use tenant-gcp, you can see the difference
between using a KMS configuration that has key leasing enabled vs. one that does not.
Additional Resources
If you would like some more in-depth information, our website features a section of technical
documentation about the SaaS Shield product.