Guides

Go SDK

You can use our Go SDK to:

  • Encrypt data server-side including files
  • Decrypt data server-side
  • Invoke Functions
  • Invoke Cages
  • Proxy requests through Outbound Relay

Encrypting/Decrypting data with our backend SDKs instead of Inbound Relay may expose you to greater compliance burden because because your server handles plaintext data.

Instead you can:

  • Use an Inbound Relay to encrypt data before it reaches your server.
  • Use an Outbound Relay to decrypt data before it reaches a third-party service.
  • Use our client-side SDKs to encrypt data before sending it to your server.

Quickstart

Install SDK

rivest:~$
go get github.com/evervault/evervault-go

Initialize SDK

Now, let's initialize the SDK using our App's ID and API key. If you don't have one yet, you can get one by creating an App in the Evervault Dashboard.

1
import "github.com/evervault/evervault-go"
2
3
evClient, err := evervault.MakeClient("<APP_ID>", "<API_KEY>")

Encrypt a string

Now that the SDK is initialized, we can encrypt a string.

1
encrypted := evClient.Encrypt("Hello, world!");

Decrypt data

Decrypt data previously encrypted using the Encrypt() function or through Relay.

An API key with the decrypt permission must be used to perform this operation.

1
encrypted := evClient.Encrypt("Hello, world!");
2
3
dataToDecrypt := make(map[string]any);
4
dataToDecrypt["encryptedData"] = encrypted;
5
6
decrypted := evClient.Decrypt(dataToDecrypt);

Decrypting data with our backend SDKs is not available if you are part of the PCI or HIPAA compliance use cases

Instead you can:

Creating Client Side Decrypt Tokens

Client Side Decrypt Tokens are versatile and short-lived tokens that frontend applications can utilise to decrypt data previously encrypted through Evervault. Client Side Decrypt Tokens are restricted to specific payloads.

By default, a Client Side Decrypt Token will live for 5 minutes into the future. The maximum time to live of the token is 10 minutes into the future.

1
token := evClient.CreateClientSideDecryptToken(encryptedData)
Parameters
payloadRequiredany

The payload containing encrypted data that the token will be used to decrypt.

expirytime.Time

The time the token will expire.

Construct a http.Client configured for Outbound Relay

The returned client is configured to proxy requests through Outbound Relay, enabling decryption of data before it reaches the requests destination.

1
outboundRelayClient, err := evClient.OutboundRelayClient()
2
3
payload, err := json.Marshal(fmt.Sprintf(`{"encrypted": "%s"}`, encrypted))
4
if err != nil {
5
log.Fatal(err)
6
}
7
8
resp, err := outboundRelayClient.Post("https://example.com/", "application/json", bytes.NewBuffer(payload))

Construct a http.Client for connecting to a Cage

The returned client will be configured to connect to the cage and attest the connection on each request with the pcrs provided.

1
cageURL = "my_cage.<APP_UUID>.cages.evervault.com"
2
expectedPCRs := evervault.PCRs{PCR8: "..."}
3
4
cageClient, err := evClient.CageClient(cageURL, []evervault.PCRs{expectedPCRs})
5
if err != nil {
6
log.Fatal(err)
7
}
8
9
payload, err := json.Marshal(fmt.Sprintf(`{"encrypted": "%s"}`, encrypted))
10
if err != nil {
11
log.Fatal(err)
12
}
13
14
req, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("https://%s/", cageURL), bytes.NewBuffer(payload))
15
req.Close = true
16
req.Header.Set("API-KEY", "<API_KEY>")
17
req.Header.Set("Content-Type", "application/json; charset=UTF-8")
18
19
resp, err := cageClient.Do(req)

Full example

Pulling all of this together leaves us with the following working example. You can copy and paste the code below (using a sandbox API key), run it in your own environment and run the encryption for yourself.

1
import (
2
"bytes"
3
"encoding/json"
4
"fmt"
5
"net/http"
6
"log"
7
"github.com/evervault/evervault-go"
8
)
9
10
func main() {
11
evClient, err := evervault.MakeClient("<APP_ID>", "<API_KEY>")
12
if err != nil {
13
log.Fatal(err)
14
}
15
16
encrypted, err := evClient.Encrypt("Hello, world!")
17
if err != nil {
18
log.Fatal(err)
19
}
20
21
decrypted, err := evClient.Decrypt(encrypted)
22
if err != nil {
23
log.Fatal(err)
24
}
25
26
// Send the decrypted data to a third-party API
27
outboundRelayClient, err := evClient.OutboundRelayClient()
28
if err != nil {
29
log.Fatal(err)
30
}
31
32
payload, err := json.Marshal(fmt.Sprintf(`{"encrypted": "%s"}`, encrypted))
33
if err != nil {
34
log.Fatal(err)
35
}
36
37
resp, err := outboundRelayClient.Post("https://example.com/", "application/json", bytes.NewBuffer(payload))
38
if err != nil {
39
log.Fatal(err)
40
}
41
42
log.Printf("Outbound Response Status: %s", resp.StatusCode)
43
44
cageURL := "my_cage.<APP_UUID>.cages.evervault.com"
45
expectedPCRs := evervault.PCRs{PCR8: "..."}
46
47
cageClient, err := evClient.CageClient(cageURL, []evervault.PCRs{expectedPCRs})
48
if err != nil {
49
log.Fatal(err)
50
}
51
52
payload := []byte(`{"name": "Claude"}`)
53
54
req, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("https://%s/", cageURL), bytes.NewBuffer(payload))
55
req.Close = true
56
req.Header.Set("API-KEY", "<API_KEY>")
57
req.Header.Set("Content-Type", "application/json; charset=UTF-8")
58
59
resp, err := cageClient.Do(req)
60
if err != nil {
61
log.Fatal(err)
62
}
63
64
log.Printf("Cage Response Status: %s", resp.StatusCode)
65
}

Reference

The full reference is available on Go pkg