rekey-example

v0.4.0
Published: Apr 16, 2024 License: Apache-2.0 Imports: 6 Imported by: 0

README

Re-key Example

In order to run this example, you need to be running a Tenant Security Proxy (TSP) on your machine. Check the README.md file in the parent directory to see how to start the TSP, if you haven't done so yet.

Once the TSP is running, you can experiment with this example Go program. It illustrates the basics of how to use the Tenant Security Client (TSC) re-key function. The example code contains 3 parts:

  1. Encryption of a file for tenant-gcp, using the filesystem for storage
  2. Reading the EDEK from the filesystem, re-keying it to tenant-aws, then storing it again
  3. Reading the new EDEK from the filesystem then using it to decrypt the document for tenant-aws

To run the example, you will need to have Go 1.17+ installed on your computer.

export API_KEY='0WUaXesNgbTAuLwn'
go run .

We've assigned an API key for you, but in production you will make your own and edit the TSP configuration with it.

This example should produce output like:

Wrote encrypted file to success.jpg.enc
Wrote EDEK to success.jpg.edek
Rekeyed EDEK to tenant-aws
Wrote tenant-aws EDEK to success.jpg.edek
Decrypted file for tenant-aws
Wrote decrypted file to decrypted.jpg

If you look in the current directory, you'll find a success.jpg file. The example code encrypted that file for tenant-gcp to produce a success.jpg.enc file containing the encrypted file data, and a second file, success.jpg.edek, that contains the Encrypted Data Encryption Key (EDEK) required to decrypt the file. It then re-keyed that EDEK to tenant-aws, wrote the new EDEK back to success.jpg.edek, and used the new EDEK to decrypt the .enc file for tenant-aws, writing a decrypted.jpg file.

If you run cksum success.jpg decrypted.jpg, you can confirm that the decrypted file is identical to the original.

When you run the example, you should see a number of INFO outputs generated by your TSP indicating that it was wrapping a new DEK using the KMS, re-keying to a new tenant, and unwrapping an EDEK.
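The re-key step described above, as an added local model that is not the example program's code and does not call the TSC or TSP. It assumes each tenant's KMS key can be stood in for by a local AES-GCM key and that an EDEK is simply the DEK sealed under that key; mustAEAD, seal, open and rekey are hypothetical names. It shows why re-keying rewrites only the EDEK and never touches the encrypted document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustAEAD models one tenant's KMS key as a local AES-GCM key (an assumption of this sketch).
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	a, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM requires
	return a
}

// seal returns nonce||ciphertext: it wraps a DEK under a tenant key or encrypts a document under a DEK.
func seal(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never encrypt without a fresh random nonce
	}
	return a.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or modified input returns an error.
func open(a cipher.AEAD, box []byte) ([]byte, error) {
	if n := a.NonceSize(); len(box) >= n {
		return a.Open(nil, box[:n], box[n:], nil)
	}
	return nil, fmt.Errorf("input is %d bytes, shorter than the nonce", len(box))
}

// rekey unwraps the DEK with the old tenant's key and rewraps it for the new tenant.
func rekey(oldKEK, newKEK cipher.AEAD, edek []byte) ([]byte, error) {
	dek, err := open(oldKEK, edek)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}

func main() { // constructed 32-byte demo keys, not real key material
	gcp, aws := mustAEAD([]byte("constructed-gcp-tenant-key-32byt")), mustAEAD([]byte("constructed-aws-tenant-key-32byt"))
	edek, err := rekey(gcp, aws, seal(gcp, []byte("constructed data-encryption key!")))
	fmt.Printf("re-keyed EDEK: %d bytes, err=%v\n", len(edek), err)
}
```

In this model the re-keyed EDEK no longer opens under the old tenant's key, while the DEK inside it, and therefore the document ciphertext, is unchanged.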

Additional Resources

If you would like some more in-depth information, our website features a section of technical documentation about the SaaS Shield product.
