SDKs
Node.js SDK
You can use our Node.js SDK to:
- Encrypt data server-side
- Decrypt data server-side
- Invoke Functions
- Proxy requests through Relay
Encrypting or decrypting data with our backend SDKs instead of Relay may expose you to a greater compliance burden, because your server handles plaintext data.
Instead you can:
- Use a Relay to encrypt data before it reaches your server.
- Use our client-side SDKs to encrypt data before sending it to your server.
Quickstart
Install SDK
First, let's install the Evervault SDK using your package manager of choice.
Initialize SDK
Now, let's initialize the SDK using our App's ID and our App's API key. If you don't have an API key yet, you can get one by creating an App in the Evervault Dashboard.
Encrypt a string
Now that the SDK is initialized, we can encrypt a string.
Configure Relay
Relay can be configured to proxy all traffic to a domain or only specific requests. To proxy all traffic, use the enableOutboundRelay function: evervault.enableOutboundRelay().
To send an individual request via Relay, use evervault.createRelayHttpsAgent(). This will return an HTTPSProxyAgent that can be passed into supporting HTTP clients.
Full example
Pulling all of this together leaves us with the following working example. You can copy and paste the code below (using a sandbox API key and App ID), run it in your own environment and run the encryption for yourself.
Reference
new Evervault(appId, apiKey)
The SDK constructor accepts three parameters:
- Your App's ID
- Your App's API key
- Optional configuration parameters
Parameters
evervault.encrypt(data)
evervault.encrypt() encrypts data using Evervault Encryption.
To encrypt strings using the Node.js SDK, simply pass a String or an Object into the evervault.encrypt() function. To encrypt a file, pass a Buffer.
The encrypted data can be stored in your database or file storage as normal. Evervault Strings can be used across all of our Primitives. Evervault File Encryption is currently in Beta, and files can only be decrypted with Relay.
evervault.decrypt(data)
evervault.decrypt() decrypts data previously encrypted with the encrypt() function or through Relay.
An API key with the decrypt permission must be used to perform this operation.
evervault.createClientSideDecryptToken(payload, expiry)
Client Side Decrypt Tokens are versatile, short-lived tokens that frontend applications can use to decrypt data previously encrypted through Evervault. Client Side Decrypt Tokens are restricted to specific payloads.
By default, a Client Side Decrypt Token expires 5 minutes after it is created. The maximum time to live of the token is 10 minutes.
Parameters
The payload containing encrypted data that the token will be used to decrypt.
evervault.run(functionName, data)
evervault.run() lets you invoke an Evervault Function with a given payload.
Parameters
Response
Successful Function runs will return an object containing a Function Run ID and the result from your Function in the following format:
evervault.createRunToken(data, options)
evervault.createRunToken() creates a single-use, time-bound token (5 minutes) for invoking an Evervault Function with a given payload.
Run Tokens can be used to invoke an Evervault Function client-side without providing a sensitive API Key.
Parameters
Response
When you create a Run Token, the SDK will return a JSON object containing your token.
Run Tokens can then be used to authenticate Function runs from the client-side.
evervault.enableOutboundRelay(options)
Configures your application to proxy HTTP requests using Relay based on the configuration created in the Evervault dashboard. See Relay to learn more.
Parameters
Requests sent to any of the domains listed will be proxied through Relay. This will override the configuration created in the Evervault dashboard.
evervault.createRelayHttpsAgent()
The HTTPSProxyAgent allows for more granular control over which requests get sent through Relay. It can be passed as a parameter to any client that supports the Node.js Agent.
Using HTTPSProxyAgent with Axios
Axios is configured in the following example to send a request through Relay.
evervault.createEnclaveHttpsAgent(enclaveAttestationData, evervaultAttestationBindings)
Returns an HTTPS Agent which can be used to attest all TLS connections to your Evervault Enclave. See Enclave's TLS Attestation to learn more.
Parameters
A mapping of Enclave names to their PCRs or Callbacks which resolve to PCRs. This is optional. When included, the connection will only be attested when the PCRs match exactly. The provided data can be either a single Object, or an Array of Objects to allow roll-over between different sets of PCRs. If not provided, the attestation doc and its signature will be validated but the PCRs will be ignored.
Using static PCRs
The simplest way to set up your Evervault client to attest Enclaves is to provide hardcoded PCRs. This approach is not recommended for production deployments, as your clients will fall out of sync with the Enclave during deployments. See our example of using the Evervault API as a provider for a more robust approach.
Using the Evervault API as a PCR Provider
The Evervault API exposes an endpoint to retrieve the PCRs for all active deployments of an Enclave. This can be used to keep your Client in sync with your Enclave across deployments.
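The following is an added sketch, not Evervault SDK code, of the PCR matching rule described above for a single Enclave: a static PCR object, an array of PCR sets for roll-over, or a callback that resolves to either. It reads "match exactly" as every register named in a set having to equal the attested value. The key names (pcr0, pcr8), the provider function and all PCR values are assumptions constructed for the illustration.

```javascript
// Added illustration, not Evervault SDK code. PCR key names (pcr0, pcr8) and
// all values below are assumptions constructed for this sketch.
const HEX = /^(?:[0-9a-f]{2})+$/i;

// Compare two hex-encoded PCR values, ignoring case; malformed input never matches.
function pcrEqual(expected, actual) {
  if (typeof expected !== 'string' || typeof actual !== 'string') return false;
  if (!HEX.test(expected) || !HEX.test(actual)) return false;
  return expected.toLowerCase() === actual.toLowerCase();
}

// Accept a PCR object, an array of PCR objects, or a callback resolving to either.
async function resolvePcrSets(provider) {
  const value = typeof provider === 'function' ? await provider() : provider;
  if (value == null) return [];
  return Array.isArray(value) ? value : [value];
}

// True when at least one expected set matches the attested PCRs on every
// register it names. Empty sets and empty provider results fail closed here.
async function pcrsMatch(provider, attested) {
  const sets = await resolvePcrSets(provider);
  return sets.some((set) => {
    const names = Object.keys(set || {});
    return names.length > 0 && names.every((n) => pcrEqual(set[n], attested[n]));
  });
}

// Constructed SHA-384-sized values standing in for two deployments.
const OLD_PCRS = { pcr0: 'aa'.repeat(48), pcr8: 'bb'.repeat(48) };
const NEW_PCRS = { pcr0: 'cc'.repeat(48), pcr8: 'bb'.repeat(48) };

// Hypothetical provider: during a rollout it returns both sets.
const rolloverProvider = async () => [OLD_PCRS, NEW_PCRS];

async function demo() {
  const attestedNew = { pcr0: 'CC'.repeat(48), pcr1: 'dd'.repeat(48), pcr8: 'bb'.repeat(48) };
  const attestedOther = { pcr0: 'ee'.repeat(48), pcr8: 'bb'.repeat(48) };
  return {
    staticOldOnly: await pcrsMatch(OLD_PCRS, attestedNew), // stale hardcoded pin
    rollover: await pcrsMatch(rolloverProvider, attestedNew),
    unknownImage: await pcrsMatch(rolloverProvider, attestedOther),
    emptyProvider: await pcrsMatch(async () => [], attestedNew),
  };
}

demo().then((r) => console.log(r));
```

The staticOldOnly case is the out-of-sync failure that hardcoded PCRs cause after a deployment; the rollover case accepts the new image because the provider returns both sets.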