Client-side JS Access Controls

No one can predict the future. Access controls let you change your mind about who has access and under what conditions.

Grant Access

Let’s say Bob enters your circle of trust. If you grant him access, he can decrypt your sensitive data.

// Grant existing policy
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function grantAccess(protectedFile) {
  // get policy
  const params = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(params);
  const existingPolicy = await client.fetchPolicy(policyId);

  // update users
  const initialUsers = await existingPolicy.getUsersWithAccess();
  console.log("Initial users with access: " + initialUsers);
  const users = ["[email protected]"];
  const updatedPolicy = existingPolicy
    .builder()
    .addUsersWithAccess(users)
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Granted access to users: ${users} on encrypted file`);
}

You can also grant access before you encrypt:

// Grant new policy
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function protectWithAccess(unprotectedString) {
  let unprotectedFile = "sensitive.txt";

  // prepare policy
  const users = ["[email protected]"];
  const policy = new Virtru.PolicyBuilder().addUsersWithAccess(users).build();
  const encryptParams = new Virtru.EncryptParamsBuilder()
    .withStringSource(unprotectedString)
    .withDisplayFilename(unprotectedFile)
    .withPolicy(policy)
    .build();

  // encrypt
  const protectedStream = await client.encrypt(encryptParams);
  let protectedExt = ".tdf.html"; // HTML format
  const protectedFile = unprotectedFile + protectedExt;
  await protectedStream.toFile(protectedFile);
  console.log(
    `Encrypted file ${protectedFile} and granted access to users: ${users}`
  );
}

Revoke Access

Let’s say Bob leaves your circle of trust. It’d be great if he no longer had access to your sensitive data. Revoke will prevent Bob from decrypting your sensitive data:

// Revoke access
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function revokeAccess(protectedFile) {
  // get policy
  const params = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(params);
  const existingPolicy = await client.fetchPolicy(policyId);

  // revoke access for user(s)
  const users = ["[email protected]"];
  const updatedPolicy = existingPolicy
    .builder()
    .removeUsersWithAccess(users)
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Revoked access from users: ${users} on encrypted file`);
}

You will still have access to your sensitive data.

Revoke All Access

Let’s say you landed a new job, Alice. Well done! But your circle of trust becomes outdated. Rather than removing every Bob from accessing your sensitive data, you can remove everyone with revoke all:

// Revoke all access
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function revokeAll(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);

  // revoke access for all users
  await client.revokePolicy(policyId);
  console.log(`Revoked access for all users on encrypted file`);
}

You will still have access to your sensitive data.

Expire Access

Some things aren’t meant to last. Your landlord, Trent, shouldn’t have access to the sensitive data in your lease forever. Let’s make sure your sensitive data expires in a year when your lease does:

// Expire access with relative datetime
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function expireRelative(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);
  const existingPolicy = await client.fetchPolicy(policyId);

  // expire access
  const secondsInYear = 60 * 60 * 24 * 365; // min * hour * day * year;
  const updatedPolicy = existingPolicy
    .builder()
    .enableExpirationDeadlineFromNow(secondsInYear)
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Expire access to encrypted file in ${secondsInYear} seconds`);
}

You can also expire at a specific date and time:

// Expire access with specific datetime
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function expireSpecific(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);
  const existingPolicy = await client.fetchPolicy(policyId);

  // expire access
  const expiresOn = "2022-08-12T14:37:26.101Z"; // ISO-8601 Format
  const updatedPolicy = existingPolicy
    .builder()
    .enableExpirationDeadline(expiresOn)
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Expire access to encrypted file on ${expiresOn}`);
}

Expiration prevents everyone else on the policy from decrypting after that time. You will still have access.

Make the same expiration calls to update dates or times.

If you’re feeling permissive, you can always remove expiration too:

// Remove access expiration
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function expireDisable(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);
  const existingPolicy = await client.fetchPolicy(policyId);

  // remove access expiration
  const updatedPolicy = existingPolicy
    .builder()
    .disableExpirationDeadline()
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Removed access expiration on encrypted file`);
}

Watermark Access

Trust doesn’t have to be absolute. If you want Bob to access your sensitive data, but discourage him from sharing it, you can enable watermarking:

// Enable access watermark
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function watermarkEnable(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);
  const existingPolicy = await client.fetchPolicy(policyId);

  // watermark access
  const updatedPolicy = existingPolicy
    .builder()
    .enableWatermarking()
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Enabled watermark when accessing encrypted file`);
}

This option only applies in Virtru’s Secure Reader, where Bob’s email address will always overlay the decrypted sensitive data.

To disable watermarking:

// Disable access watermark
let client;

// assumes Virtru auth widget
function afterAuth(email) {
  client = new Virtru.Client({ email });
}

async function watermarkDisable(protectedFile) {
  // get policy
  const decryptParams = new Virtru.DecryptParamsBuilder()
    .withArrayBufferSource(protectedFile)
    .build();
  const policyId = await client.getPolicyId(decryptParams);
  const existingPolicy = await client.fetchPolicy(policyId);

  // watermark access
  const updatedPolicy = existingPolicy
    .builder()
    .disableWatermarking()
    .build();
  await client.updatePolicy(updatedPolicy);
  console.log(`Disabled watermark when accessing encrypted file`);
}

Did this page help you?