Python Access Controls

No one can predict the future. Access controls let you change your mind about who has access and under what conditions.

Grant Access

Let’s say Bob enters your circle of trust. If you grant him access, he can decrypt your sensitive data.

# Python Access Controls - Grant for existing policy
import os
from virtru_sdk import Client, Policy

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Update policy to grant access to a user
policy = Policy()
policy.share_with_users(["[email protected]"])  # can also decrypt
client.update_policy_for_file(policy, "sensitive.txt.tdf.html")

You can also grant access before you encrypt:

# Python Access Controls - Grant with new policy
import os
from virtru_sdk import Client, Policy, EncryptFileParams

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Create a policy to grant access to a user
policy = Policy()
policy.share_with_users(["[email protected]"])
unprotected_file = "sensitive.txt"
protected_file = unprotected_file + ".tdf.html"
param = EncryptFileParams(in_file_path=unprotected_file,
                          out_file_path=protected_file)
param.set_policy(policy)

# Encrypt
client.encrypt_file(encrypt_file_params=param)
print(f"Encrypted file {protected_file}")

Revoke Access

Let’s say Bob leaves your circle of trust. It’d be great if he no longer had access to your sensitive data. Revoke will prevent Bob from decrypting your sensitive data:

# Python Access Controls - Revoke
import os
from virtru_sdk import Client, Policy

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Update policy to revoke access
policy = Policy()
policy.remove_users(['[email protected]'])  # can no longer decrypt, but you still can
client.update_policy_for_file(policy, "sensitive.txt.tdf.html")

You will still have access to your sensitive data.

Revoke All Access

Let’s say you landed a new job, Alice. Well done! But your circle of trust is now outdated. Rather than revoking each Bob’s access to your sensitive data one by one, you can remove everyone with revoke all:

# Python Access Controls - Revoke all
import os
from virtru_sdk import Client

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Revoke access for everyone else, only you can decrypt
client.revoke_file("sensitive.txt.tdf.html")

You will still have access to your sensitive data.

Expire Access

Some things aren’t meant to last. Your landlord, Trent, shouldn’t have access to the sensitive data in your lease forever. Let’s make sure your sensitive data expires in a year when your lease does:

# Python Access Controls - Expire relative to now
import os
from virtru_sdk import Client, Policy, EncryptFileParams

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Create policy with expiration
policy = Policy()
policy.expire_in_days(days=365)

# Encrypt with policy
unprotected_file = "lease.docx"
protected_file = unprotected_file + ".tdf.html"
param = EncryptFileParams(in_file_path=unprotected_file,
                          out_file_path=protected_file)
param.set_policy(policy)
client.encrypt_file(encrypt_file_params=param)
print(f"Encrypted file {protected_file}")

You can also expire at a specific date and time:

# Python Access Controls - Expire at specific time
import os
from virtru_sdk import Client, Policy, EncryptFileParams

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Create policy with expiration
policy = Policy()
policy.add_expiration("2022-08-12T14:37:26.101Z")  # ISO-8601 Format

# Encrypt with policy
unprotected_file = "lease.docx"
protected_file = unprotected_file + ".tdf.html"
param = EncryptFileParams(in_file_path=unprotected_file,
                          out_file_path=protected_file)
param.set_policy(policy)
client.encrypt_file(encrypt_file_params=param)
print(f"Encrypted file {protected_file}")

Expiration prevents everyone else on the policy from decrypting after that time. You will still have access.

Make the same expiration calls to update dates or times.
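The specific-time example above passes a UTC timestamp with milliseconds and a `Z` suffix. The following is an added example, not part of Virtru's documentation or SDK: it builds a string of that shape from a timezone-aware `datetime`, so a local lease-end time is not silently read as UTC. The helper names are hypothetical, and it assumes `add_expiration` accepts the same shape as the literal shown above.

```python
from datetime import datetime, timedelta, timezone

# Shape of the literal used in the page's example: 2022-08-12T14:37:26.101Z
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def expiration_timestamp(when, now=None):
    """Return `when` as a UTC ISO-8601 string with milliseconds and a Z suffix.

    Rejects naive datetimes (ambiguous timezone) and times that are not in
    the future, both of which would expire access at an unintended moment.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("expiration must be timezone-aware")
    now = now or datetime.now(timezone.utc)
    utc = when.astimezone(timezone.utc)
    if utc <= now:
        raise ValueError("expiration is not in the future")
    return utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def parse_expiration(value):
    """Validate a string (for example from a config file) and return it as
    an aware UTC datetime; raises ValueError if the shape does not match."""
    return datetime.strptime(value, EXPIRATION_FORMAT).replace(tzinfo=timezone.utc)


# Constructed sample: a lease that ends at 10:37:26.101 local time, UTC-4.
LOCAL_ZONE = timezone(timedelta(hours=-4))
LEASE_END = datetime(2022, 8, 12, 10, 37, 26, 101000, tzinfo=LOCAL_ZONE)
SIGNED_ON = datetime(2021, 8, 12, tzinfo=timezone.utc)  # constructed "now"

if __name__ == "__main__":
    stamp = expiration_timestamp(LEASE_END, now=SIGNED_ON)
    print(stamp)  # value to pass to policy.add_expiration(...)
    print(parse_expiration(stamp) == LEASE_END)
```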

If you’re feeling permissive, you can always remove expiration too:

# Python Access Controls - Remove expiration
import os
from virtru_sdk import Client, Policy

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Update policy expiration
policy = Policy()
policy.remove_expiration()
client.update_policy_for_file(policy, "lease.docx.tdf.html")

Watermark Access

Trust doesn’t have to be absolute. If you want Bob to access your sensitive data, but discourage him from sharing it, you can enable watermarking:

# Python Access Controls - Watermark
import os
from virtru_sdk import Client, Policy

# Load email and appId from environment variables
VIRTRU_SDK_EMAIL = os.getenv("VIRTRU_SDK_EMAIL")
VIRTRU_SDK_APP_ID = os.getenv("VIRTRU_SDK_APP_ID")
if not (VIRTRU_SDK_EMAIL and VIRTRU_SDK_APP_ID):
    raise EnvironmentError("An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID")

# Authenticate
client = Client(owner=VIRTRU_SDK_EMAIL, app_id=VIRTRU_SDK_APP_ID)

# Update policy watermark
policy = Policy()
policy.enable_watermarking()  # or policy.disable_watermarking()
client.update_policy_for_file(policy, "sensitive.txt.tdf.html")

This option only applies in Virtru’s Secure Reader, where Bob’s email address will always overlay the decrypted sensitive data.

To disable watermarking:

# Reuses the authenticated client and the Policy import from the watermark example above
policy = Policy()
policy.disable_watermarking()
client.update_policy_for_file(policy, "sensitive.txt.tdf.html")
