Encryption/Decryption
All data encrypted by ZeroKit is bound to a tresor: all current users of a tresor can decrypt any data encrypted by that tresor, even data that was encrypted before the user was added, and no re-encryption is needed. Removed users lose access to the keys necessary to decrypt data immediately after the kick operation is approved, and they can't decrypt any data encrypted by that tresor in the future, even if they saved/stored their keys. The SDK caches keys, but the keys used for encryption have to be refreshed from the server at most 5 seconds before use.
Text/stringified data
encrypt(tresorId: string, plainText: string): Promise<string>
Encrypts the plain text with the given tresor.
Parameters:
- tresorId: The id of the tresor that will be used to encrypt the text
- plainText: The plain text to encrypt
Returns:
Promise<string>: Resolves to the cipher text. It contains the tresorId, so it can be decrypted by itself.
Rejections:
| Code | Reason |
|---|---|
| BadInput | The tresorId and plainText have to be non-empty strings |
| BadInput | Invalid tresorId |
| TresorNotExists | Couldn't find a tresor by the given id |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |
decrypt(cipherText: string): Promise<string>
Decrypts the given cipherText.
Parameters:
- cipherText: ZeroKit encrypted text
Returns:
Promise<string>: Resolves to the plain text.
Rejections:
| Code | Reason |
|---|---|
| BadInput | Invalid cipherText |
| BadInput | Invalid tresorId |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |
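One way a caller might handle the decrypt rejections listed above together with the membership rules from the top of this page, as an added example that is not part of the ZeroKit SDK or its documentation. `decryptBatch`, `makeStandIn` and `demo` are hypothetical names, the rejection shape (an object with a `code` field) is an assumption, and the stand-in performs no encryption.

```javascript
// Added example (not ZeroKit code). Assumption: a rejection is an object
// whose `code` is one of the values in the Rejections tables.
// decryptBatch sorts results by code so one revoked tresor does not fail all.
async function decryptBatch(api, cipherTexts) {
  const out = { plain: [], noAccess: [], invalid: [] };
  const settled = await Promise.allSettled(cipherTexts.map((c) => api.decrypt(c)));
  settled.forEach((r, i) => {
    if (r.status === 'fulfilled') out.plain.push(r.value);
    else if (r.reason?.code === 'CallerUserIsNotMemberOfTresor') out.noAccess.push(i);
    else if (r.reason?.code === 'BadInput') out.invalid.push(i);
    else throw r.reason; // unexpected failure: surface it, never map to "no access"
  });
  return out;
}
// Constructed in-memory stand-in so the example runs offline. NO encryption:
// the "ciphertext" is an opaque handle naming its tresor; membership is checked per call.
function makeStandIn(tresors, session) { // tresors: { tresorId: Set of user names }
  const store = new Map();
  const guard = (id) => {
    if (!tresors[id]) throw { code: 'TresorNotExists' };
    if (!tresors[id].has(session.user)) throw { code: 'CallerUserIsNotMemberOfTresor' };
  };
  return {
    async encrypt(tresorId, plainText) {
      guard(tresorId);
      const handle = `${tresorId}.${store.size}`;
      store.set(handle, plainText);
      return handle;
    },
    async decrypt(cipherText) {
      if (!store.has(cipherText)) throw { code: 'BadInput' };
      guard(cipherText.split('.')[0]);
      return store.get(cipherText);
    },
  };
}
async function demo() {
  const tresors = { t1: new Set(['alice']), t2: new Set(['alice', 'bob']) };
  const session = { user: 'alice' };
  const api = makeStandIn(tresors, session);
  const c1 = await api.encrypt('t1', 'q3 numbers');
  const c2 = await api.encrypt('t2', 'meeting notes');
  tresors.t1.add('carol');  // added after c1 was written
  tresors.t2.delete('bob'); // removed from t2
  session.user = 'carol';
  const carol = await decryptBatch(api, [c1, c2, 'garbage']);
  session.user = 'bob';
  return { carol, bob: await decryptBatch(api, [c1, c2]) };
}
```

With the real SDK, pass the object that exposes `decrypt` in place of the stand-in; indices in `noAccess` and `invalid` refer to positions in the input array.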
File/Blob
encryptBlob(tresorId: string, plainText: Blob): Promise<Blob>
Encrypts the plain text Blob or File with the given tresor.
Parameters:
- tresorId: The id of the tresor that will be used to encrypt the text
- plainText: The plain text Blob or File object to encrypt
Returns:
Promise<Blob>: Resolves to the encrypted blob. It contains the tresorId, so it can be decrypted by itself.
Rejections:
| Code | Reason |
|---|---|
| BadInput | The tresorId has to be a non-empty string and plainText has to be a Blob or File |
| BadInput | Invalid tresorId |
| TresorNotExists | Couldn't find a tresor by the given id |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |
decryptBlob(cipherText: Blob): Promise<Blob>
Decrypts the given encrypted Blob.
Parameters:
- cipherText: ZeroKit encrypted Blob or File
Returns:
Promise<Blob>: Resolves to the decrypted Blob.
Rejections:
| Code | Reason |
|---|---|
| BadInput | Invalid cipherText |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |
Uint8Array
encryptBytes(tresorId: string, plainBytes: Uint8Array): Promise<Uint8Array>
Encrypts the plain text bytes with the given tresor.
Parameters:
- tresorId: The id of the tresor that will be used to encrypt the text
- plainBytes: The data to encrypt, as a Uint8Array.
Returns:
Promise<Uint8Array>: Resolves to the encrypted bytes. They contain the tresorId, so they can be decrypted by themselves.
Rejections:
| Code | Reason |
|---|---|
| BadInput | The tresorId has to be a non-empty string. plainText has to be a Blob or File |
| BadInput | Invalid tresorId |
| TresorNotExists | Couldn't find a tresor by the given id |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |
decryptBytes(cipherBytes: Uint8Array): Promise<Uint8Array>
Decrypts the given encrypted bytes.
Parameters:
- cipherBytes: ZeroKit encrypted data in a Uint8Array
Returns:
Promise<Uint8Array>: Resolves to the decrypted bytes.
Rejections:
| Code | Reason |
|---|---|
| BadInput | Invalid cipherBytes |
| CallerUserIsNotMemberOfTresor | This user does not have access to the tresor |