# I want to protect structured data

Last updated 2024-11-14 UTC.

Tink APIs take arbitrary binary blobs as input. This means that if you want to
encrypt structured data, like
[protocol buffers](https://developers.google.com/protocol-buffers), you need to
encode the data first.

Encrypt a protobuf
------------------

To encrypt:

1. Serialize the protobuf to a byte array.
2. Encrypt the serialized bytes, then store or send the resulting ciphertext. Use:
   - [Authenticated encryption with associated data (AEAD)](/tink/aead)
   - [Hybrid encryption](/tink/hybrid)
   - [Deterministic AEAD](/tink/deterministic-aead)

To decrypt:

1. Decrypt the ciphertext.
2. If Step 1 was successful, deserialize the protobuf.

Protect a protobuf from tampering
---------------------------------

In most cases, encrypting a protobuf is preferable to authentication alone.

To protect a protobuf from tampering:

1. Serialize the protobuf to a byte array.
2. Sign or authenticate the serialized bytes. Use:
   - [Digital signature](/tink/digital-signature)
   - [MAC](/tink/mac)
3. Store the serialized bytes together with the signature (or MAC).

To verify:

1. Get the serialized protobuf and its signature (or MAC).
2. Verify the signature (or MAC).
3. Deserialize the protobuf.

Note that a valid signature or MAC does not guarantee that the data is correctly
formatted. An implementation that parses the data should always expect that the
data might be corrupt.

Protect multiple data items
---------------------------

To protect multiple data items, use a serialization method. Add all of the data
items to a protobuf, and encrypt (or authenticate) it as described above.

You can also serialize as follows:

    serialize(data1, data2, ..., dataN) = 4-byte-data1's length || data1 || 4-byte-data2's length || data2 || ... || 4-byte-dataN's length || dataN

**Warning:** Concatenating without a length prefix, like `data1 || data2 || ... || dataN`, can lead to vulnerabilities as the resulting encoding is ambiguous. For example, if `data1 = "foo"` and `data2 = "bar"`, this would lead to the same encoded data as `data1 = "fooba"` and `data2 = "r"`.

Finally, encrypt (or authenticate) the resulting byte array.
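As an added example (not code from the Tink documentation or library), the length-prefixed `serialize` format above in Python, with a strict parser that bounds-checks every length field, the ambiguous plain concatenation beside it, and the verify-then-deserialize order from the tampering section. It assumes big-endian 4-byte length prefixes and uses stdlib HMAC-SHA256 as a stand-in for a Tink MAC primitive.

```python
import hashlib
import hmac
import struct

# Assumption: the page's "4-byte length" is an unsigned big-endian integer.
_LEN = struct.Struct(">I")

def serialize(*items: bytes) -> bytes:
    """serialize(data1, ..., dataN) = len(data1) || data1 || ... || len(dataN) || dataN."""
    out = bytearray()
    for item in items:
        if len(item) > 0xFFFFFFFF:
            raise ValueError("item too long for a 4-byte length prefix")
        out += _LEN.pack(len(item)) + item
    return bytes(out)

def deserialize(blob: bytes) -> list:
    """Strict inverse of serialize(): rejects truncated prefixes and overlong lengths.
    A valid MAC does not make the blob well-formed, so every length field is
    bounds-checked against the bytes that actually remain.
    """
    items, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < _LEN.size:
            raise ValueError("truncated length prefix at offset %d" % pos)
        (n,) = _LEN.unpack_from(blob, pos)
        pos += _LEN.size
        if n > len(blob) - pos:
            raise ValueError("length %d exceeds the %d remaining bytes" % (n, len(blob) - pos))
        items.append(blob[pos:pos + n])
        pos += n
    return items

def naive_concat(*items: bytes) -> bytes:
    """The ambiguous encoding the warning describes: data1 || data2 || ... with no lengths."""
    return b"".join(items)

# Assumption: stdlib HMAC-SHA256 stands in for a Tink MAC primitive.
def authenticate(key: bytes, blob: bytes) -> bytes:
    return hmac.new(key, blob, hashlib.sha256).digest()

def verify_then_parse(key: bytes, blob: bytes, tag: bytes) -> list:
    """The page's verify flow: check the MAC first, deserialize only on success."""
    if not hmac.compare_digest(authenticate(key, blob), tag):
        raise ValueError("MAC verification failed")
    return deserialize(blob)
```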