Go

Encrypting/Decrypting data with our backend SDKs may expose you to greater compliance burden because your server needs to handle plaintext data. Instead, we recommend using Relay or our Client-Side SDKs to encrypt data.

Getting started

Install the SDK

1go get github.com/evervault/evervault-go

Initialize the SDK

Now, let's initialize the SDK using our App's ID and API key. If you don't have one yet, you can get one by creating an App in the Evervault Dashboard.

1import "github.com/evervault/evervault-go"
2
3evClient, err := evervault.MakeClient("<APP_ID>", "<API_KEY>")

Encrypt a string

Now that the SDK is initialized, we can encrypt a string.

1encrypted := evClient.Encrypt("Hello, world!");

Connecting to an Enclave

The returned client will be configured to connect to the Enclave and attest the connection on each request with the pcrs provided.

1enclaveURL = "my-enclave.<APP_UUID>.enclave.evervault.com"
2expectedPCRs := evervault.PCRs{PCR8: "..."}
3
4enclaveClient, err := evClient.EnclaveClient(
5    enclaveURL,
6    []evervault.PCRs{expectedPCRs}
7)
8
9if err != nil {
10    log.Fatal(err)
11}
12
13payload, err := json.Marshal(fmt.Sprintf(`{"encrypted": "%s"}`, encrypted))
14if err != nil {
15    log.Fatal(err)
16}
17
18req, _ := http.NewRequest(
19    http.MethodPost,
20    fmt.Sprintf("https://%s/", enclaveURL
21    ),
22    bytes.NewBuffer(payload)
23)
24req.Close = true
25req.Header.Set("API-KEY", "<API_KEY>")
26req.Header.Set("Content-Type", "application/json; charset=UTF-8")
27
28resp, err := enclaveClient.Do(req)

To keep your clients in sync with your Enclave across deployments, you can use the EnclaveClientWithProvider. This allows you to define a callback function which returns a list of PCRs. This can be used to load the latest set of PCRs for your Deployed Enclave from a trusted source without a redeploy of your client.

1import (
2    "github.com/evervault/evervault-go",
3    "github.com/evervault/evervault-go/attestation"
4)
5
6evClient, err := evervault.MakeClient("<APP_ID>", "<API_KEY>")
7if err != nil {
8    log.Fatal(err)
9}
10
11enclaveURL = "my-enclave.<APP_UUID>.enclave.evervault.com"
12expectedPCRs := attestation.PCRs{PCR8: "..."}
13
14func GetPCRsFromApi() ([]attestation.PCRs, error) {
15  // Logic to load PCRs from an API/CDN etc.
16  return pcrs, nil
17}
18
19enclaveClient, err := evClient.EnclaveClientWithProvider(enclaveURL, GetPCRsFromApi)
20if err != nil {
21    log.Fatal(err)
22}
23
24payload, err := json.Marshal(fmt.Sprintf(`{"encrypted": "%s"}`, encrypted))
25if err != nil {
26    log.Fatal(err)
27}
28
29req, _ := http.NewRequest(
30    http.MethodPost,
31    fmt.Sprintf("https://%s/", enclaveURL),
32    bytes.NewBuffer(payload)
33)
34req.Close = true
35req.Header.Set("API-KEY", "<API_KEY>")
36req.Header.Set("Content-Type", "application/json; charset=UTF-8")
37
38resp, err := enclaveClient.Do(req)

Reference

The full reference is available on Go pkg.

Encrypt

Encrypts data using Evervault Encryption. Evervault Strings can be used across all of our products. The encrypted data can be stored in your database as normal and can be used with any of Evervault’s other services.

1encrypted := evClient.Encrypt("Hello, world!");

Parameters

dataRequired
The data to encrypt.

Decrypt

Decrypt data previously encrypted with the Encrypt function or through Relay. An API key with the decrypt permission must be used to perform this operation.

1encrypted := evClient.Encrypt("Hello, world!");
2
3dataToDecrypt := make(map[string]any);
4dataToDecrypt["encryptedData"] = encrypted;
5
6decrypted := evClient.Decrypt(dataToDecrypt);

PCI Compliance

Decrypting data with our backend SDKs is not available if you are part of the PCI or HIPAA compliance use cases. Instead you can:

Use Relay to decrypt data before it reaches third-party services.
Use Functions or Enclaves to process encrypted data.

CreateClientSideDecryptToken

Client Side Decrypt Tokens are versatile and short-lived tokens that frontend applications can utilise to decrypt data previously encrypted through Evervault. Client Side Decrypt Tokens are restricted to specific payloads.

By default, a Client Side Decrypt Token will live for 5 minutes into the future. The maximum time to live of the token is 10 minutes into the future.

1token := evClient.CreateClientSideDecryptToken(encryptedData)

Parameters

payloadRequiredstring
The payload containing encrypted data that the token will be used to decrypt.
expirytime.Time
The time the token will expire. Defaults to 5 minutes in the future.

RunFunction

Invoke an Evervault Function with a given payload.

1result := evClient.RunFunction(functionName, payload)

Parameters

functionNameRequiredstring
The name of the function to invoke.
payloadRequiredmap[string]any
The payload containing encrypted data that will be passed as an argument to the Function.

Go

Parameters

PCI Compliance

Parameters

Parameters

On this page