Command-Line Interface (CLI)
Last updated
Last updated
ℹ️ This page describes how to use the Confidencial CLI, which lets users perform Confidencial actions such as encryption using shell commands and scripts. Please if you would like to get access to it.
ℹ️ While the CLI does not currently support decryption, the Confidencial can be used to decrypt files and can be invoked from JavaScript code running in a Node environment (using the `` module) or in a web browser
🌐 An internet connection is required to use the CLI in cases where end users’ public (encryption) keys need to be obtained
🔑 Most CLI actions require authentication in the form of a machine token. See for instructions on how to create one.
ℹ️ The CLI is currently capable of encrypting PDF files. Support for decryption and other file formats is coming soon. Have a file format you’d like to see supported? .
Encryption commands take the form of
where your machine token is the token you obtained by following the steps in , inputfile.pdf is the name of the file you’d like to encrypt, and outfile.pdf is the name of encrypted version of the file you’d like to create.
ℹ️ It is recommended that you remove your original, unencrypted versions of your files after you have created corresponding encrypted versions of them. If necessary, you can revert encrypted versions to unencrypted versions using the Confidencial (and later using the command-line interface).
By default, documents are encrypted only for the user that generated the machine token that was supplied in the command line. To specify a different set of users that can decrypt the document, provide a “recipients” file via the -rf <recipients.json> option. A recipients file is a JSON-formatted file that contains the organization name and email address of all users that should be permitted to decrypt the document. See example recipients file below.
You can trace activity related to documents protected with the CLI using Confidencial’s Document Tracing feature. This feature is enabled by default if additional document recipients are not specified (i.e. if the -rf option is not used). To trace documents protected with the CLI when additional recipients are specified (i.e. when the -rf option is used), specify the -asOwner option in the command line.
A PDF page streaming encryption mode is available to support use cases in which a PDF may be served to a client on a page-by-page basis. When the -withPageStreaming option is specified, the encrypted data within the PDF document is stored such that encryption data can be retrieved for specific pages. This is in contrast to the default encryption mode, in which encryption data for the entire document is stored within a single object. To use page streaming mode, include -withPageStreaming <policies.json> in the command line, where <policies.json> is the path to a JSON file that specifies which pages should be encrypted for which end users. An example policies file is shown below.
The Java code below uses a to extract a single page (and corresponding Confidencial encryption metadata) from a PDF file that has been encrypted with the Confidencial CLI in page streaming mode. With the single page extracted, it can be passed to the Confidencial to be decrypted and displayed to an end user.