With an exponential increase in data being generated, stored and shared online, the issue of data security no longer belongs to IT alone. Software and application developers have been put on notice along with business owners and legal teams worldwide to not only maintain data privacy but to build more secure products. There’s no easy solution. However, there are resources readily available for devs to build security into the fabric of their products. One is called OpenTDF, an open source project that lets you integrate encryption and data policy controls into your new and existing apps to safeguard your data, and the sharing of it, for you as well as your users.
What’s TDF, and Why Should I Use OpenTDF?
TDF, the “trusted data format,” was originally developed by the United States National Security Agency (NSA). It’s an open standard for object-level encryption that keeps data protected and under the data owner’s control, wherever it’s created or shared. TDF includes cryptographically secured metadata that ensures consistent policy control throughout the data life cycle. Picture this: You can grant, revoke or “turn off” data access at any time, even if the data has left your network or application.
OpenTDF is an open source project that evolves the open TDF specification and provides a blueprint for getting started. There are a multitude of example applications that demonstrate the implementation logic, as well as streaming video and IoT use cases.
The OpenTDF project is based on Kubernetes and OCI containers, and there is a quick start guide to get you up and running with a development environment. The quick start process will install supplemental services like Keycloak as well as project-specific services like key access service (KAS) and Abacus (an ABAC front end for configuration and management of attribute-based access control). Once you’ve completed a quick start installation, you’ll have a basic OpenTDF cluster with a Keycloak identity provider, PostgreSQL data store and a single entry point at localhost with an Nginx ingress controller.
There’s an architectural diagram available on GitHub to see all of the services and service interactions.
Several SDKs are available for building on the OpenTDF framework, including JavaScript, Python, C++ and Java. The client SDKs generally include basic examples for identity auth and creating a TDF-protected encrypted object.
Take OpenTDF for a Spin: Secure Remote Storage
Have you ever wondered how to make data access secure and simple? Using OpenTDF, developers can create that experience for their users. Let’s walk through a sample web application that uses OpenTDF to encrypt and upload data to cloud storage.
The application we’ll be using is called OpenTDF Secure Remote Storage. It’s a react-based example that shows developers how to create encrypted data streams. These streams allow you to upload and download files from S3-compatible remote data stores while maintaining data protection. You can even remove encryption if needed.
To make things easy, we’ll be using OpenTDF’s client-web SDK, which authenticates against Keycloak using OpenID Connect (OIDC). Keep in mind that this example runs on your local machine. It’s not designed for cloud or enterprise services.
Prerequisites: You’ll need an S3-compatible storage object, like an Amazon S3 bucket. (You can create one for free here.)
Set it Up
First, install two CLI tools: Kind and Tilt. These will be used to deploy the OpenTDF services to your local machine. If you’re on macOS, you can install them with a simple Homebrew command: brew install kind tilt
Next, you will need the sample code on your local machine. You can either download the zip or clone the OpenTDF GitHub Repository using the following command: git clone git@github.com:opentdf/opentdf.git
This will create a directory called “opentdf” in your current location.
Now, navigate to the root directory of the sample application: cd opentdf/examples/secure-remote-storage
To deploy OpenTDF, you’ll need a local Kubernetes cluster. Use the Kind CLI to create one: kind create cluster --name opentdf
Finally, start the application using Tilt: tilt up
This will launch the necessary OpenTDF services.
Steps to Run the Application
1. To begin, go to http://localhost:65432/secure-remote-storage in your web browser. This is where the Secure Remote Storage webpage is hosted.
2. Now, it’s time to log in. Use the following credentials (defined in the bootstrap’s config file):
○ Username: user1
○ Password: testuser123
3. Then, choose a file from your computer to upload. It can be anything – a text file, a PDF, or an image. Let your creativity flow! If you don’t have a file handy, no worries. You can download an image by right-clicking on it and selecting “Save As” from this link.
4. Next, tell the application where to store your encrypted file. Provide the necessary JSON object that defines your S3-compatible object store. You can refer to the prerequisites for more details. (Optionally, you can save the configuration for future uploads. Just give it a name and click “Save.” This way, you won’t need to define the object store again in the future.)
5. Now, it’s time to encrypt and upload. Click the “encrypt and upload” button, and watch the magic happen!
What’s happening behind the scenes? When you click “encrypt and upload,” the application uses the OpenTDF API to convert your selected file into a .tdf file. It applies AES-GCM encryption and attaches access controls to ensure that only authorized users, like you (in this case, user1), can access the data. Even if your data store is public, your data remains secure.
6. Ready to view and download your uploaded file? The table on the webpage lists all the files you’ve successfully uploaded. Each file has a download button next to it. Click that button, and the hosted file will be downloaded and decrypted on your local file system.
Excited to explore more? Now that you’ve seen OpenTDF in action, you can dive into the source code of this application. Use this sample application as a starting point to integrate OpenTDF into your own secure applications.
What Else is Possible With OpenTDF?
From a secure webcam app to a privacy-forward menstrual tracking app and more, the possibilities are endless with OpenTDF and the future is in developers’ hands. By building on OpenTDF, the valuable data flowing through your applications will be protected forever.
Learn more about OpenTDF at openTDF.io, and get the full quick-start guide, including more detailed instructions and other sample apps at the OpenTDF GitHub.
Cassandra Zimmerman, technical product manager at Virtru, contributed to this article.