Tenzro CloudDocs

Cryptography

Post-quantum cryptographic primitives, key management, and secure storage for building security-first applications.

Supported Algorithms

CategoryAlgorithmsUse Case
SignaturesEd25519, secp256k1, DilithiumDigital signatures
Key ExchangeX25519, KyberSecure key agreement
EncryptionAES-256-GCM, ChaCha20-Poly1305Data encryption
HashingBlake3, SHA-256, SHA-3Data integrity
BLSBLS12-381Aggregate signatures

Key Generation

import { Tenzro } from '@tenzro/cloud';


const client = new Tenzro({
  apiKey: process.env.TENZRO_API_KEY,
});


// Create AES key for symmetric encryption
const aesKey = await client.security.createKey({
  type: 'AES',
  size: 256,
  name: 'my-encryption-key',
});


// Create RSA keypair
const rsaKey = await client.security.createKey({
  type: 'RSA',
  size: 2048,
  name: 'my-rsa-key',
});


// Create EC keypair
const ecKey = await client.security.createKey({
  type: 'EC',
  curve: 'P-256',
  name: 'my-ec-key',
});


// Create post-quantum KYBER keypair
const kyberKey = await client.security.createKey({
  type: 'KYBER',
  variant: 'KYBER768', // or KYBER1024
  name: 'my-pq-key',
});

Digital Signatures

// Sign data with RSA or EC key
const signature = await client.security.sign({
  keyId: rsaKey.id,
  data: messageBytes,
  algorithm: 'RSA-PSS',
});


// Verify signature
const isValid = await client.security.verify({
  keyId: rsaKey.id,
  data: messageBytes,
  signature,
  algorithm: 'RSA-PSS',
});


console.log('Valid:', isValid); // true

Encryption & Decryption

// Symmetric encryption (AES-256-GCM)
const encrypted = await client.security.encrypt({
  keyId: aesKey.id,
  plaintext: 'sensitive data',
  algorithm: 'AES-GCM',
});


console.log('Ciphertext:', encrypted.ciphertext);
console.log('IV:', encrypted.iv);


// Decrypt
const decrypted = await client.security.decrypt({
  keyId: aesKey.id,
  ciphertext: encrypted.ciphertext,
  iv: encrypted.iv,
  algorithm: 'AES-GCM',
});


console.log('Plaintext:', decrypted.plaintext);

Hashing

// Hash data with SHA-256
const hash = await client.security.hash({
  data: 'input data',
  algorithm: 'SHA-256',
});


console.log('Hash:', hash.digest);


// HMAC (keyed hash)
const hmac = await client.security.hmac({
  keyId: aesKey.id,
  data: 'message to authenticate',
  algorithm: 'HMAC-SHA256',
});


console.log('HMAC:', hmac.signature);

Key Derivation

// Derive key from password using PBKDF2
const derivedKey = await client.security.deriveKey({
  password: 'user-password',
  salt: 'random-salt',
  algorithm: 'PBKDF2',
  iterations: 100000,
  keyLength: 256,
});


console.log('Derived Key:', derivedKey.key);

Post-Quantum Cryptography

Future-proof your security with quantum-resistant algorithms using KYBER Key Encapsulation Mechanism (KEM):

// Create post-quantum KYBER keypair
const kyberKey = await client.security.createKey({
  type: 'KYBER',
  variant: 'KYBER768', // or KYBER1024 for higher security
  name: 'pq-key',
});


// Encapsulation: Generate shared secret and ciphertext
const encapsulated = await client.security.encapsulate({
  keyId: kyberKey.id,
});


console.log('Ciphertext:', encapsulated.ciphertext);
console.log('Shared Secret:', encapsulated.sharedSecret);


// Decapsulation: Recover shared secret from ciphertext
const decapsulated = await client.security.decapsulate({
  keyId: kyberKey.id,
  ciphertext: encapsulated.ciphertext,
});


console.log('Recovered Secret:', decapsulated.sharedSecret);


// Use shared secret for symmetric encryption
const encrypted = await client.security.encrypt({
  plaintext: 'quantum-safe message',
  key: decapsulated.sharedSecret,
  algorithm: 'AES-GCM',
});

Key Exchange with Post-Quantum KEM

// Alice creates a KYBER key
const aliceKey = await client.security.createKey({
  type: 'KYBER',
  variant: 'KYBER768',
  name: 'alice-key',
});


// Bob encapsulates with Alice's public key
const bobEncaps = await client.security.encapsulate({
  keyId: aliceKey.id,
});


// Bob sends ciphertext to Alice
// Alice decapsulates with her private key
const aliceDecaps = await client.security.decapsulate({
  keyId: aliceKey.id,
  ciphertext: bobEncaps.ciphertext,
});


// Both parties now share the same secret
console.log('Secrets match:',
  bobEncaps.sharedSecret === aliceDecaps.sharedSecret);

Random Number Generation

// Generate cryptographically secure random bytes
const random = await client.security.randomBytes({
  length: 32,
});


console.log('Random bytes:', random.bytes);

Key Management

// List all keys
const keys = await client.security.listKeys();


for (const key of keys.items) {
  console.log(`Key: ${key.name} (Type: ${key.type}, ID: ${key.id})`);
}


// Get key details
const keyInfo = await client.security.getKey(aesKey.id);


console.log('Key metadata:', keyInfo.metadata);
console.log('Created at:', keyInfo.createdAt);


// Update key metadata
await client.security.updateKey(aesKey.id, {
  metadata: { purpose: 'database encryption' },
});


// Delete a key
await client.security.deleteKey(aesKey.id);

Best Practices

  • Use AES-256-GCM for symmetric encryption (authenticated)
  • Use RSA-PSS or EC (P-256) for digital signatures
  • Use KYBER for post-quantum key exchange
  • Use SHA-256 or SHA-512 for cryptographic hashing
  • Store keys securely - never expose private keys
  • Rotate encryption keys regularly
  • Use secure enclaves for hardware-protected keys
  • Enable key versioning for compliance requirements