otdfctl encrypt

encrypt [file] - Encrypt file or stdin as a TDF

Synopsis

otdfctl encrypt [flags]

Description

Build a Trusted Data Format (TDF) with encrypted content from a specified file or from stdin, using the OpenTDF platform.

Examples

Various ways to encrypt a file

# output to stdout
otdfctl encrypt hello.txt

# output to hello.txt.tdf
otdfctl encrypt hello.txt --out hello.txt.tdf

# encrypt piped content and write to hello.txt.tdf
cat hello.txt | otdfctl encrypt --out hello.txt.tdf

Automatically append .tdf to the output file name

$ cat hello.txt | otdfctl encrypt --out hello.txt; ls
hello.txt hello.txt.tdf

$ cat hello.txt | otdfctl encrypt --out hello.txt.tdf; ls
hello.txt hello.txt.tdf

Advanced piping is supported

$ echo "hello world" | otdfctl encrypt | otdfctl decrypt | cat
hello world

Attributes

Attributes can be added to the encrypted data. The attribute value is a Fully Qualified Name (FQN) that is used to restrict access to the data based on entity entitlements.

# output to hello.txt.tdf with attribute
otdfctl encrypt hello.txt --out hello.txt.tdf --attr https://example.com/attr/attr1/value/value1

NanoTDF

NanoTDF is a lightweight TDF format that is more performant and has a smaller footprint than ZTDF. NanoTDF does not support structured manifests or large payloads.

# output to hello.txt.tdf as a NanoTDF
otdfctl encrypt hello.txt --tdf-type nano --out hello.txt.tdf

ZTDF Assertions (experimental)

Assertions are a way to bind metadata to the TDF data object in a cryptographically secure way.

STANAG 5636

The following example demonstrates how to bind a STANAG 5636 metadata assertion to the TDF data object.

otdfctl encrypt hello.txt --out hello.txt.tdf --with-assertions '[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"}}]'
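The hardest part of the command above is quoting correctly: the assertion's statement value is itself a JSON document serialised as a string inside the outer JSON list. As an added example that is not part of otdfctl or this page, the following Python wrapper builds that argument programmatically using only the flags documented here; it assumes otdfctl is on PATH, that --attr may be repeated once per FQN, and that the --tdf-type check mirrors the ZTDF-only scope of assertions.

```python
import json
import shlex
import subprocess
from typing import List, Optional, Sequence

# Added example (not otdfctl's own code): assemble an 'otdfctl encrypt' argv
# so the nested JSON in --with-assertions is escaped correctly every time.


def stanag5636_assertion(ocl: str, assertion_id: str = "assertion1") -> dict:
    """One 'handling' assertion shaped like the STANAG 5636 example above."""
    return {
        "id": assertion_id,
        "type": "handling",
        "scope": "tdo",
        "appliesToState": "encrypted",
        "statement": {
            "format": "json+stanag5636",
            "schema": "urn:nato:stanag:5636:A:1:elements:json",
            # The value is JSON-in-a-string: serialise it here, before the
            # outer list is serialised, so quotes are escaped for us.
            "value": json.dumps({"ocl": ocl}),
        },
    }


def build_encrypt_argv(src: str, out: Optional[str] = None,
                       attrs: Sequence[str] = (), tdf_type: str = "ztdf",
                       assertions: Sequence[dict] = ()) -> List[str]:
    """Return argv for 'otdfctl encrypt' (flags as documented on this page)."""
    argv = ["otdfctl", "encrypt", src, "--tdf-type", tdf_type]
    if out:
        argv += ["--out", out]          # otdfctl appends .tdf if missing
    for fqn in attrs:
        argv += ["--attr", fqn]         # assumption: one --attr per value FQN
    if assertions:
        if tdf_type not in ("ztdf", "tdf3"):  # assertions are a ZTDF feature
            raise ValueError("assertions are only supported for ZTDF containers")
        argv += ["--with-assertions", json.dumps(list(assertions))]
    return argv


def run_encrypt(argv: List[str]) -> int:
    """Execute the command; needs otdfctl on PATH and a configured platform."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    cmd = build_encrypt_argv("hello.txt", out="hello.txt.tdf",
                             attrs=["https://example.com/attr/attr1/value/value1"],
                             assertions=[stanag5636_assertion("2024-10-21T20:47:36Z")])
    print(shlex.join(cmd))  # inspect the exact quoting before running it
```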

Options

-o, --out <out>
The output file TDF in the current working directory instead of stdout ('-o file.txt' and '-o file.txt.tdf' both write the TDF as file.txt.tdf). (required: false)
-a, --attr <attr>
Attribute value Fully Qualified Names (FQNs, i.e. 'https://example.com/attr/attr1/value/value1') to apply to the encrypted data. (required: false)
--mime-type <mime-type>
The MIME type of the input data. If not provided, the MIME type is inferred from the input data. (required: false)
-t, --tdf-type <tdf-type>
The type of TDF to encrypt as. ZTDF supports structured manifests and larger payloads. NanoTDF has a smaller footprint and is more performant, but does not support structured manifests or large payloads. (tdf3 is an alias for ztdf) (required: false) (default: ztdf)
--ecdsa-binding <ecdsa-binding>
For nano-type containers only: enables ECDSA policy binding. (required: false)
--kas-url-path <kas-url-path>
URL path to the KAS service at the platform endpoint domain. Leading slash is required if needed. (required: false) (default: /kas)
--with-assertions <with-assertions>
EXPERIMENTAL: JSON string of assertions to bind metadata to the TDF. See examples for more information. (required: false)