A pure Go implementation of the OpenTDF specification for data-centric encryption.
This is a fork of opentdf/spec that adds a complete Go library for encrypting and decrypting data using the OpenTDF and NanoTDF formats.
- Zero network dependencies - Pure cryptographic operations, no HTTP clients
- Streaming I/O - `io.Reader`/`io.Writer` interfaces for memory-efficient large file handling
- OpenTDF format - ZIP-based container with JSON manifest
- NanoTDF format - Compact binary format for constrained environments
- Key management - DEK generation, wrapping, unwrapping, rewrapping, and splitting
- Agnostic naming - Uses "Authority" and "Locator" instead of "KAS" and "URL" for decentralized systems

```bash
go get github.com/alecsavvy/opentdf
```

```go
import (
	"github.com/alecsavvy/opentdf/pkg/crypto"
	"github.com/alecsavvy/opentdf/pkg/opentdf"
)

// Second return values are discarded below for brevity; handle them in real code.

// Generate authority key
authorityKey, _ := crypto.GenerateRSAKeyPair(2048)

// Encrypt
tdfData, _ := opentdf.Encrypt(plaintext, opentdf.EncryptConfig{
	Locator:            "my-authority-id",
	AuthorityPublicKey: &authorityKey.PublicKey,
})

// Decrypt
decrypted, _ := opentdf.Decrypt(tdfData, opentdf.DecryptConfig{
	PrivateKey: authorityKey,
})
```

See examples/ for more detailed usage.


| Package | Description |
|---|---|
| `pkg/opentdf` | OpenTDF encryption/decryption (ZIP + JSON manifest) |
| `pkg/nanotdf` | NanoTDF compact binary format |
| `pkg/crypto` | Cryptographic primitives (AES-GCM, RSA-OAEP, ECC, HMAC) |
| `pkg/dek` | DEK generation, wrapping, splitting |
| `pkg/manifest` | Manifest struct definitions |

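
What wrapping, unwrapping and rewrapping a DEK mean in practice, as an added example written against the Go standard library only; it is not this library's code or API. The function names, SHA-256 as the OAEP hash and the 2048-bit demo keys are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Wrap encrypts a DEK to an authority's public key with RSA-OAEP (SHA-256 assumed).
func Wrap(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
}

// Unwrap recovers the DEK with the authority's private key.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Rewrap re-targets a wrapped DEK to a new authority; the payload is never re-encrypted.
func Rewrap(old *rsa.PrivateKey, next *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	dek, err := Unwrap(old, wrapped)
	if err != nil {
		return nil, err
	}
	return Wrap(next, dek)
}

func must[T any](v T, err error) T { // demo-only helper: panic on any error
	if err != nil {
		panic(err)
	}
	return v
}

// Demo reports whether the new authority recovers the DEK and the old one is rejected.
func Demo() (recovered, oldRejected bool) {
	oldAuth := must(rsa.GenerateKey(rand.Reader, 2048)) // constructed demo keys
	newAuth := must(rsa.GenerateKey(rand.Reader, 2048))
	dek := make([]byte, 32)
	must(rand.Read(dek))
	moved := must(Rewrap(oldAuth, &newAuth.PublicKey, must(Wrap(&oldAuth.PublicKey, dek))))
	_, oldErr := Unwrap(oldAuth, moved)
	return bytes.Equal(must(Unwrap(newAuth, moved)), dek), oldErr != nil
}

func main() {
	fmt.Println(Demo()) // true true
}
```

Rewrapping does not revoke anything by itself: whoever kept the original wrapped blob and the old private key can still recover the same DEK, so cutting off access requires re-encrypting the payload under a new DEK.
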

```bash
go run ./examples/basic/           # Encrypt/decrypt round-trip
go run ./examples/streaming/       # Large file streaming
go run ./examples/key_management/  # Wrap, unwrap, rewrap, split
go run ./examples/nanotdf/         # NanoTDF compact format
```

This library implements OpenTDF Specification v4.3.0.