Skip to main content

Encrypting data

Depending on the language, multiple data formats can be encrypted - strings, files or simply just byte arrays.

We provide two methods to encrypt the data: encrypt and encryptValues.

The following workflow is applied when encrypting data:

  1. A list of user ids (specified in a temporary token) is sent to blindnet to obtain the corresponding public keys
  2. An ephemeral symmetric key is generated
  3. Data is encrypted with the symmetric key
  4. For each public key, the symmetric key is encrypted
  5. A list of encrypted symmetric keys is sent to blindnet

Encryption is completed by a user of your application (registered or unregistered) to another registered user. A user does not need to be logged in to blindnet to encrypt the data. Data can be encrypted for a single user, a list of users or a user group.

In the current api, the encryption destination is specified in the Server SDK.

To encrypt the data, the client SDK needs to be initialized with the temporary token which contains information to whom the data is encrypted (user group or a list of users). To encrypt to a different destination, a new token needs to be generated.

To encrypt the data for a specific user, obtain a temporary token using the following Server SDK method:

$userIds = ['1', '2', '3']
$tempUserJwt = $blindnet->createTempUserToken($userIds);

To encrypt the data for a group, obtain a temporary token using the following server SDK method:

$groupId = '1'
$tempUserJwt = $blindnet->createTempUserToken($groupId);


This method encrypts the entire data passed as a parameter. Depending on the language, multiple formats are supported.
Besides the data, a metadata can be passed as a second argument. It can be any JSON serializable object.

data can be string, File, Uint8Array or ArrayBuffer Other formats should be encoded to Uint8Array or ArrayBuffer. You can put the information on how to decode the data into the metadata.

// pass a temp user token generated in the server SDK
const blindnet = Blindnet.init(tempUserJwt);
// e.g. data is a file
// const data = document.getElementById('file-picker').files[0]
const { dataId, encryptedData } = await blindnet.encrypt(data, metadata);

encryptedData has a type ArrayBuffer.


To be easily transferred, encryptedData can be encoded to base64 or hexadecimal string.

import { util } from '@blindnet/sdk-javascript';

const base64Encoded = util.toBase64(encryptedData);
const hexEncoded = util.toHex(encryptedData);

dataId and encryptedData should be stored by you.
dataId is used to delete the keys from blindnet using the server SDK. To decrypt encryptedData, pass it to the decrypt method.

Currently, encryption of streams is not supported so the entire data is loaded into the memory and then encrypted. Make sure your application does not run out of memory if e.g. large files are passed to the encrypt method.