Groups
Seald supports groups. You can create a group which contains multiple users, so that you can easily encrypt data for all members of the group.
You can also easily add or remove members of the group. Of course, when you add members to a group, they immediately have access to data previously encrypted for the group; conversely, when you remove members from a group, they lose access to all the data encrypted for the group.
Creating a group
In order to create a group, use the SealdSDK.createGroup method.
const group = await seald.createGroup({
  groupName: 'My super group', // displayed in the administration dashboard, only to help you locate the group. You can for example put the ID that your back-end has assigned to this group.
  members: {
    sealdIds: [mySealdId, otherUserSealdId] // all members of the group: the users who will be able to read data encrypted for the group. Must contain the user who is creating the group.
  },
  admins: {
    sealdIds: [mySealdId] // the group administrators: the users who will be able to add/remove members of the group. Must contain the user who is creating the group.
  }
})
// `group` is then `{ groupName: string, id: string }`.
// `group.groupName` is what you just assigned when creating the group, here `My super group`.
// `group.id` is the ID to use in order to encrypt data for this group. It is a `sealdId`.
TIP
To speed up group creation, you can pre-generate the private keys by calling the seald.preGenerateIdentityKeys() function in advance.
Encrypting for a group
When a user encrypts data for a group, all members of the group can decrypt it.
const encryptedForGroup = await sealdSender.encryptFile( // a user encrypts for the group
  'Secret file content',
  'my_secret_file.txt',
  { sealdIds: [groupId] }
)
const decrypted = await sealdGroupMember.decryptFile(encryptedForGroup) // another SDK user, who is a member of the group, decrypts the data encrypted for the group
// Here, the user has decrypted the data, and we do have as expected `decrypted === 'Secret file content'`
TIP
If you are encrypting for a group of which the user is a member, you can pass the optional argument encryptForSelf: false so that the data is not also encrypted directly for the user's own identity. The user will still be able to decrypt the data thanks to their group membership. This can improve the performance of the encryption.
Adding / removing group members
Group administrators can add members to, and remove members from, the group.
When a member is added to the group, they can then decrypt the data previously encrypted for that group.
await sealdGroupAdmin.addGroupMembers(groupId, { sealdIds: [newMemberSealdId] }) // only a group administrator can add members
const decrypted = await sealdNewMember.decryptFile(encryptedForGroup) // the newly added user can then decrypt the data previously encrypted for that group
Conversely, when a member is removed from the group, they can no longer decrypt data encrypted for that group.
In that case, and for better security, it is advisable to renew the group keys, so that data encrypted for the group from then on uses a key the removed member never received.
const decrypted = await sealdGroupMember.decryptFile(encryptedForGroup) // a group member can decrypt data encrypted for the group
await sealdGroupAdmin.removeGroupMembers(groupId, { sealdIds: [groupMemberToRemoveSealdId] }) // only a group administrator can remove members
await sealdGroupMember.decryptFile(encryptedForGroup) // throws an error: the user just removed from the group can no longer decrypt data encrypted for the group
await sealdGroupAdmin.renewGroupKey(groupId) // a group administrator then renews the group keys for better security
A group administrator can also grant administrator rights to, and revoke them from, other members of the group.
await sealdGroupAdmin.setGroupAdmin(groupId, { sealdIds: [newAdminSealdId] }, true) // newAdmin is now an administrator
await sealdGroupAdmin.setGroupAdmin(groupId, { sealdIds: [oldAdminSealdId] }, false) // oldAdmin is no longer an administrator