Confidencial Documentation
HomepageLog In
  • Getting Started
    • Sending secure PDFs with Confidencial
    • Viewing secure PDFs with Confidencial
    • Sending secure Word docs with Confidencial
    • Viewing secure Word docs with Confidencial
    • Sending secure Excel workbooks with Confidencial
    • Viewing secure Excel workbooks with Confidencial
    • Sending secure images with Confidencial
    • Viewing secure images with Confidencial
    • Sending secure messages with Confidencial
    • Viewing secure messages with Confidencial
    • Protecting content with Confidencial
    • Re-encrypting and changing who can see protected content
  • General
    • How Confidencial Works
      • What is End-to-End Protection
      • In-doc encryption
      • The Confidencial Public Key Registry
      • The Confidencial Private Key Server
      • The Confidencial Log Server
    • Account types
      • Individual
      • Organization
      • Organization administrator
    • File types
    • Key types
      • Cloud-stored keys
      • Device-stored keys
      • Temporary keys
      • Enterprise keys
      • Recovery keys
    • Logging in to the desktop or web app
    • Logging in to Confidencial
    • Encryption policies
    • Selecting encryption recipients
    • Inviting other users to Confidencial
    • Accepting an invite to Confidencial
    • Creating a Confidencial individual account
    • Re-encrypting and changing who can see protected content
    • Confidencial organizations
  • Web App
    • Encrypting a message
    • Decrypting a message
    • Encrypting files and folders
    • Decrypting a .c11 file or .c11.zip file bundle
    • Re-encrypting a Confidencial-protected file or file bundle and changing who can see them
  • Desktop App
    • Installing the desktop app
    • Encrypting files and folders
    • Decrypting a .c11 file or .c11.zip file bundle
  • Microsoft Office Add-ins
    • Installing the Microsoft Office add-ins
    • Opening the task pane
    • Logging in from an Office application
    • Encrypting an entire Word document
    • Encrypting parts of a Word document
    • Decrypting a Word document
    • Re-encrypting a Word document and changing who can see protected content
    • Installing Microsoft Add-ins via the Admin Center
  • Advanced Features
    • Storing keys on your device
    • Loading a key from your device
    • Creating a machine token
    • Obtaining public-private key pairs for use with the Confidencial SDK
  • How to Use Secure Document Request (SDR)
  • Secure Document Send
    • Sending Documents with Secure Document Send
    • Viewing Historical Document Sends
    • Creating a Persistent Share Link
    • Receiving a Persistent Share Link
  • Cloud Protector
    • Connecting AWS S3
    • Connecting Box
    • Connecting Dropbox
    • Connecting Google Cloud
    • Connecting Google Drive
    • Connecting Microsoft Azure Blob
    • Connecting Microsoft OneDrive
    • Connecting Microsoft SharePoint
    • Connecting Server Message Block
    • Connecting Wasabi
    • Connecting On-Premises Storage
  • Enterprise Deployment
    • Connecting your identity provider to Confidencial
    • Creating an S3 bucket for document requests
    • Creating a Cognito user pool to enable S3 bucket access via IDP credentials
    • Deploying the Confidencial Key Server in your environment
      • Configuring an AWS Elastic Container Service (ESC) instance
    • Running a database migration
    • Pushing a container image to your AWS container registry
    • Connecting your identity provider to the Confidencial Key Server
    • Deploying the Confidencial Desktop App to your enterprise users
    • Deploying the Confidencial Office Add-ins to your enterprise users
    • Setting up Microsoft Entra to use an Exchange account to send email notifications
  • Organization Administration
    • Adding members to an organization
    • Pre-loading members into your organization
    • Designating a member as an administrator
    • Creating a recovery key for an organization
    • Monitoring Confidencial usage within an organization
    • Organization-level policies
    • Administrator permissions
  • Command-Line Interface (CLI)
  • Software Development Kit (SDK)
  • Contact Us
  • System Requirements
  • Legal/Licensing
  • How to Access Confidencial Documents for First Time Recipients
Powered by GitBook
On this page
  • Authentication
  • Actions
  • Encryption
  • Examples
  • Extracting a single page from a Confidencial PDF encrypted by the CLI in page streaming mode (Java)
Export as PDF

Command-Line Interface (CLI)

PreviousAdministrator permissionsNextSoftware Development Kit (SDK)

Last updated 1 month ago

ℹ️ This page describes how to use the Confidencial CLI, which lets users perform Confidencial actions such as encryption using shell commands and scripts. Please if you would like to get access to it.

ℹ️ While the CLI does not currently support decryption, the Confidencial can be used to decrypt files and can be invoked from JavaScript code running in a Node environment (using the `` module) or in a web browser

🌐 An internet connection is required to use the CLI in cases where end users’ public (encryption) keys need to be obtained

Authentication

🔑 Most CLI actions require authentication in the form of a machine token. See for instructions on how to create one.

Actions

ℹ️ The CLI is currently capable of encrypting PDF files. Support for decryption and other file formats is coming soon. Have a file format you’d like to see supported? .

Encryption

Encryption commands take the form of

c11-cli -machineToken "your machine token" -a encrypt -if "/inputfile.pdf" -of "/outfile.pdf"

where your machine token is the token you obtained by following the steps in , inputfile.pdf is the name of the file you’d like to encrypt, and outfile.pdf is the name of encrypted version of the file you’d like to create.

ℹ️ It is recommended that you remove your original, unencrypted versions of your files after you have created corresponding encrypted versions of them. If necessary, you can revert encrypted versions to unencrypted versions using the Confidencial (and later using the command-line interface).

Specifying multiple recipients

By default, documents are encrypted only for the user that generated the machine token that was supplied in the command line. To specify a different set of users that can decrypt the document, provide a “recipients” file via the -rf <recipients.json> option. A recipients file is a JSON-formatted file that contains the organization name and email address of all users that should be permitted to decrypt the document. See example recipients file below.

[
  {
    "organization": "org-name-1",
    "email": "person1@example.com"
  },
  {
    "organization": "org-name-2",
    "email": "person2@example.com"
  }
]

Document tracing

You can trace activity related to documents protected with the CLI using Confidencial’s Document Tracing feature. This feature is enabled by default if additional document recipients are not specified (i.e. if the -rf option is not used). To trace documents protected with the CLI when additional recipients are specified (i.e. when the -rf option is used), specify the -asOwner option in the command line.

PDF page streaming

A PDF page streaming encryption mode is available to support use cases in which a PDF may be served to a client on a page-by-page basis. When the -withPageStreaming option is specified, the encrypted data within the PDF document is stored such that encryption data can be retrieved for specific pages. This is in contrast to the default encryption mode, in which encryption data for the entire document is stored within a single object. To use page streaming mode, include -withPageStreaming <policies.json> in the command line, where <policies.json> is the path to a JSON file that specifies which pages should be encrypted for which end users. An example policies file is shown below.

{
  "policies": [
    {
      "pages": [1],
      "recipients": [
        {
          "organization": "org",
          "email": "example1@domain.com"
        },
        {
          "organization": "org",
          "email": "example2@domain.com"
        }
      ]
    },
    {
      "pages": [2, 3, 4],
      "recipients": [
        {
          "organization": "org",
          "email": "example3@domain.com"
        }
      ]
    }
  ]
}

Examples

Extracting a single page from a Confidencial PDF encrypted by the CLI in page streaming mode (Java)

package tst;

import java.io.File;
import java.io.IOException;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDDocumentInformation;

public class Main {

	public static void main(String[] args) throws IOException {

		System.out.println("Process started");
		//Read Pdf file encrypted by Confidencial CLI
		File file = new File("files\\sample.c11.pdf");
		PDDocument sourceDocument= PDDocument.load(file);
		//Extract confidencialData from PDF custom metadata for a given page number
		int pageNumber=1;
		PDDocumentInformation documentInformation =	sourceDocument.getDocumentInformation();
		String confidencialData = documentInformation.getCustomMetadataValue("confidencialData_" + pageNumber);
		//create a new PDF file
		PDDocument singlePdfPageDocument = new PDDocument();
		//add first page from encrypted PDF file
		singlePdfPageDocument.addPage(sourceDocument.getPage(0));
		//add confidencialData to custom metadata
		singlePdfPageDocument.getDocumentInformation().setCustomMetadataValue("confidencialData", confidencialData);
		//save the file
		singlePdfPageDocument.save("files\\sample.page1.pdf");
		sourceDocument.close();
		singlePdfPageDocument.close();
		System.out.println("Process completed successfully");

	}

}

The Java code below uses a to extract a single page (and corresponding Confidencial encryption metadata) from a PDF file that has been encrypted with the Confidencial CLI in page streaming mode. With the single page extracted, it can be passed to the Confidencial to be decrypted and displayed to an end user.

contact us
Software Development Kit (SDK)
child_process
Creating a machine token
Contact us
Creating a machine token
Software Development Kit (SDK)
third-party PDF library
Software Development Kit (SDK)