
Stormshield SDK – Basic Example

This page walks you through a complete end‑to‑end example that shows how to use the Stormshield SDK for:

  • Client‑Side Encryption (CSE) and decryption,
  • Attribute‑Based Access Control (ABAC) across multiple Key Access Servers (KAS),
  • Dynamic KAS selection using a permissive mapping.

The example is located in the repository under examples/base/ and can be executed with Docker Compose.



1️⃣ Purpose

The basic example demonstrates how to:

  • Configure the SDK with two remote KAS instances (Alice‑Company and Bob‑Company).
  • Encrypt files for a specific KAS, chosen from the releasableTo data attribute.
  • Decrypt those files as an authorized user.
  • Show a decryption attempt by an unauthorized user being denied by the PDP.

2️⃣ SDK Configuration – 1_sdk-configuration.ts


Two remote KAS are defined, and a permissive mapping links each value of the releasableTo attribute to the ID(s) of the KAS allowed to protect the data encryption key (DEK) for that value.


3️⃣ Dynamic KAS Selection

During encryption, the SDK reads the dataAttributes you provide. For each attribute value, it looks up the mapping defined above and selects one or several KAS that should protect the DEK. In permissive mode the selected KAS are combined with OR logic: the DEK is wrapped for every selected KAS, and any one of them can later unwrap it. The releasableTo values you pass at encryption time therefore directly determine which KAS, and so which users, can ever recover the DEK; an attribute value with no mapping entry cannot be protected by any KAS and should be treated as a configuration error rather than silently skipped.


4️⃣ Encryption Script – 2_encrypt.ts


The script produces two .ztdf archives stored in examples/base/data.


5️⃣ Decryption Script – 3_decrypt.ts


The SDK reads the attributes recorded in the .ztdf manifest, selects the matching KAS from the mapping, and asks it to unwrap the DEK. The KAS consults its PDP before releasing the key, so a successful decryption means both that the file was encrypted for that KAS and that the policy allowed the requesting user.


6️⃣ ABAC Enforcement / PDP denial example – 4_pdp-denial.ts


Because the PDP policy (see next section) requires the requesting user's team attribute to match the releasableTo data attribute, the KAS denies the unwrap request: the DEK is never released and the payload stays encrypted. This is the ABAC enforcement point of the whole flow; the client-side SDK only selects the KAS, while the decision to release the key is taken by the KAS's PDP.


7️⃣ Policy Files

ABAC policies are written in Rego and stored under pdp/policies/rules/:

  • alice_kas.rego
  • bob_kas.rego

Each rule checks that the requesting user's team attribute matches the releasableTo attribute stored in the manifest; a request that does not satisfy the rule is denied by default.
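The following is an added illustrative model of the three mechanisms described in sections 3, 5, 6 and 7 (permissive releasableTo-to-KAS mapping, OR-combined DEK wrapping at encryption time, and the per-KAS PDP rule applied before a DEK is released). It is not code from the Stormshield SDK or from the examples/base/ scripts, and it does not use the SDK's API: the KAS IDs (kas-alice, kas-bob), the attribute values, the manifest shape and the use of AES-256-GCM as a stand-in for each KAS's key wrapping are all assumptions made for the example.

```typescript
// Added example: a self-contained model of permissive KAS selection, DEK wrapping
// and PDP-gated unwrapping. NOT the Stormshield SDK's API; all names are assumptions.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

type KasId = string;

// Permissive mapping (assumed values): each releasableTo value names the KAS,
// one or several, allowed to protect the DEK for data carrying that value.
const releasableToMapping: Record<string, KasId[]> = {
  "alice-company": ["kas-alice"],
  "bob-company": ["kas-bob"],
};

// Stand-in for each KAS's private key material. A real KAS wraps the DEK with an
// asymmetric key; AES-256-GCM is used here only to keep the example runnable offline.
const kasKeys: Record<KasId, Buffer> = {
  "kas-alice": randomBytes(32),
  "kas-bob": randomBytes(32),
};

interface KeyAccess { kas: KasId; iv: Buffer; tag: Buffer; wrappedDek: Buffer }
interface Manifest { releasableTo: string[]; keyAccess: KeyAccess[] }
interface Subject { name: string; team: string }

// Encryption-time selection: the union (OR) of the KAS mapped to each attribute value.
// An unmapped value is a configuration error, not something to skip silently.
function selectKas(releasableTo: string[]): KasId[] {
  const selected = new Set<KasId>();
  for (const value of releasableTo) {
    const ids = releasableToMapping[value];
    if (!ids || ids.length === 0) throw new Error(`no KAS mapped for releasableTo=${value}`);
    for (const id of ids) selected.add(id);
  }
  return [...selected];
}

// Wrap the same DEK once per selected KAS; each entry is independently unwrappable.
function wrapForKas(kas: KasId, dek: Buffer): KeyAccess {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", kasKeys[kas], iv);
  const wrappedDek = Buffer.concat([cipher.update(dek), cipher.final()]);
  return { kas, iv, tag: cipher.getAuthTag(), wrappedDek };
}

// Build the manifest: data attributes plus one key-access object per selected KAS.
function buildManifest(releasableTo: string[], dek: Buffer): Manifest {
  return { releasableTo, keyAccess: selectKas(releasableTo).map((kas) => wrapForKas(kas, dek)) };
}

// PDP rule as a given KAS would evaluate it (mirrors the intent of alice_kas.rego /
// bob_kas.rego): allow only if the subject's team equals a releasableTo value of the
// manifest AND that value is one this KAS is mapped to. Anything else is denied.
function pdpAllows(kas: KasId, subject: Subject, manifest: Manifest): boolean {
  return manifest.releasableTo.some(
    (value) => value === subject.team && (releasableToMapping[value] ?? []).includes(kas),
  );
}

// Decryption-time: ask each KAS named in the manifest in turn; the first one whose PDP
// allows the request unwraps the DEK (OR logic). null means every KAS denied.
function unwrapDek(subject: Subject, manifest: Manifest): Buffer | null {
  for (const ka of manifest.keyAccess) {
    if (!pdpAllows(ka.kas, subject, manifest)) continue; // PDP denial: key never released
    const decipher = createDecipheriv("aes-256-gcm", kasKeys[ka.kas], ka.iv);
    decipher.setAuthTag(ka.tag);
    return Buffer.concat([decipher.update(ka.wrappedDek), decipher.final()]);
  }
  return null;
}

// Usage: encrypt for Alice-Company only, then let an authorized and an unauthorized user try.
function demo(): { aliceOk: boolean; bobDenied: boolean } {
  const dek = randomBytes(32);
  const manifest = buildManifest(["alice-company"], dek);
  const alice: Subject = { name: "alice", team: "alice-company" };
  const bob: Subject = { name: "bob", team: "bob-company" };
  const fromAlice = unwrapDek(alice, manifest);
  return { aliceOk: fromAlice !== null && fromAlice.equals(dek), bobDenied: unwrapDek(bob, manifest) === null };
}
```

Two design points worth noting. First, the OR combination lives entirely in the manifest: a file released to both companies carries two key-access objects, and removing either KAS from the mapping at encryption time is the only way to narrow who can recover the DEK afterwards. Second, the policy is evaluated per KAS and denies by default, so a KAS that is not mapped to the user's team value refuses even when the same value appears in releasableTo, which is the behaviour the 4_pdp-denial.ts script exercises.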


8️⃣ Key Takeaway

By combining data attributes with a permissive mapping, the SDK automatically selects one or several appropriate KAS at encryption time, and each KAS enforces its own fine-grained, policy‑driven access control before releasing the DEK at decryption time.