Select your use case to identify the correct primitive, then follow the link for guidance on using the primitive.
Encrypt data... | Primitive | Details
---|---|---
...in standard sizes | Authenticated Encryption with Associated Data (AEAD) | Suitable for most needs. Accepts plaintexts up to 2^32 bytes. Provides plaintext confidentiality and verifies integrity and authenticity.
...in large files or data streams | Streaming AEAD | For data that is too large to be processed in a single step.
...deterministically | Deterministic AEAD | Produces the same ciphertext for a given plaintext, associated data and key.
...with keys protected by a KMS | Key Management System (KMS) Envelope AEAD | Encrypts every plaintext with a new AEAD key. Encrypts every AEAD key with the KMS.
...with a public key, decrypt data with the private key | Hybrid Encryption | Not sender-authenticated: anyone holding the public key can produce a valid ciphertext. Useful when senders cannot store secrets (the private key).
These primitives are all able to bind ciphertext to its context.
Ensure authenticity and integrity of data by... | Primitive | Details
---|---|---
...creating and verifying a MAC with one key | Message Authentication Code (MAC) | Very fast. Only verifiable by parties who can also create MACs.
...creating a signature with a private key, verifying with the public key | Digital Signature | Verifiable by parties who cannot create signatures.
Miscellany | Primitive | Details
---|---|---
Create and verify JWTs | JSON Web Tokens (JWTs) | Can additionally convert to and from JSON Web Key (JWK) format.
Encrypt any primitive's keyset with a KMS | KMS-Encrypted Primitive | Does not require a KMS call every time the primitive is used (e.g. for each encryption), unlike KMS Envelope AEAD; the KMS is contacted only to decrypt the keyset.
Have a question?
Create an issue in the language-specific GitHub repository linked on the Tink organization page.