Browser example that drives PostGuard encryption and decryption directly through the low-level @e4a/pg-wasm library. Where pg-sveltekit and pg-node use the high-level @e4a/pg-js SDK, pg-manual calls seal, Unsealer, sealStream, and StreamUnsealer itself and builds the policies, signing requests, and key fetches by hand. It is the only sub-project that talks to the WASM module and the PKG directly, so it is the one to read when you need policy-level control that the SDK does not expose.
Two entry points, each a separate page:
| Page | Source | What it does |
|---|---|---|
| string.html | examples/string.js | Encrypts a text field in memory with seal, then decrypts it back with Unsealer. |
| file.html | examples/file.js | Encrypts and decrypts a file as a stream with sealStream / StreamUnsealer, writing the result to disk via streamsaver. |
Both flows sign the ciphertext with a public policy (visible to everyone) and a private policy (visible only to recipients), encrypt for a recipient identified by an email attribute, and then fetch a user decryption key to read it back.
The example talks to a PostGuard Key Generator (PKG) and uses Yivi for authentication:
- The master public key and signing verification key are fetched from the PKG (/v2/parameters and /v2/sign/parameters).
- Retrieving a signing or decryption key starts a Yivi session. A popup appears with a QR code, and you disclose the requested attributes with the Yivi app on your phone.
- The PKG returns the key once the disclosure is valid, and the WASM module seals or unseals the payload.
The session and key-request shapes live in examples/utils.js. That file also holds the PKG_URL constant that every fetch derives from.
The example uses IRMA demo credentials, so no real personal data is involved. The policies reference demo attributes:
- irma-demo.sidn-pbdf.email.email for the recipient (bob@example.com)
- irma-demo.gemeente.personalData.fullname and irma-demo.gemeente.personalData.bsn for the sender's signature
Before running, load these demo credentials into your Yivi app. Anyone can issue an instance with custom data from the attribute index:
- https://privacybydesign.foundation/attribute-index/en/irma-demo.gemeente.personalData.html
- https://privacybydesign.foundation/attribute-index/en/irma-demo.sidn-pbdf.email.html
Because these are demo credentials, the Yivi popup issues them on the spot if you do not already hold them.
- Node.js and a browser.
- The Yivi app on your phone, with the demo credentials above.
```bash
cd pg-manual
npm install
npm run dev
```

Webpack Dev Server serves the example at http://localhost:9000. The landing page links to string.html and file.html. Open one, encrypt, and follow the Yivi popup to fetch the key needed to decrypt.
PKG_URL in examples/utils.js selects the PKG deployment. It currently points at the legacy Radboud iHub deployment (https://main.postguard.ihub.ru.nl/pkg) rather than the modern staging host used by the other sub-projects (see issue #54). Change that one constant to target a different PKG; the encryption, signing, and key-fetch calls all derive from it.
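Because the master public key fetched from the PKG is what every message is encrypted to, changing that constant changes who can issue decryption keys. The sketch below is an added example, not code from pg-manual: it derives both parameter endpoints from the single constant and refuses any PKG that is not HTTPS or not on an allowlist. `ALLOWED_PKG_ORIGINS`, `pkgEndpoints` and `fetchPkgParameters` are hypothetical names; only `PKG_URL` and the two `/v2` paths come from this page.

```javascript
// Added example: not part of pg-manual. Names other than PKG_URL and the two
// /v2 paths are hypothetical.
const PKG_URL = "https://main.postguard.ihub.ru.nl/pkg"; // value quoted on this page

// Origins this build is willing to trust as a PKG (assumption: you maintain this list).
const ALLOWED_PKG_ORIGINS = ["https://main.postguard.ihub.ru.nl"];

// Derive both parameter endpoints from the single constant, failing closed on
// anything that is not HTTPS or not an allowlisted origin.
function pkgEndpoints(pkgUrl, allowedOrigins = ALLOWED_PKG_ORIGINS) {
  const base = new URL(pkgUrl); // throws on malformed input
  if (base.protocol !== "https:") throw new Error(`PKG must use https: ${pkgUrl}`);
  if (base.username || base.password) throw new Error("PKG URL must not embed credentials");
  if (!allowedOrigins.includes(base.origin)) {
    throw new Error(`PKG origin not allowlisted: ${base.origin}`);
  }
  const root = base.origin + base.pathname.replace(/\/+$/, ""); // drop trailing slashes
  return {
    encryption: `${root}/v2/parameters`,
    signing: `${root}/v2/sign/parameters`,
  };
}

// Fetch both parameter sets. fetchImpl is injectable so this can be exercised offline.
async function fetchPkgParameters(pkgUrl = PKG_URL, fetchImpl = globalThis.fetch) {
  const urls = pkgEndpoints(pkgUrl);
  const get = async (url) => {
    // redirect: "error" keeps a redirect from silently swapping in another host's keys
    const res = await fetchImpl(url, { redirect: "error" });
    if (!res.ok) throw new Error(`PKG returned ${res.status} for ${url}`);
    return res.json(); // response body shape is left opaque here
  };
  const [encryption, signing] = await Promise.all([get(urls.encryption), get(urls.signing)]);
  return { encryption, signing };
}
```

When you point the example at a different PKG, add its origin to the allowlist in the same change so the switch is visible in review.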
Reach for @e4a/pg-wasm directly when you need control the @e4a/pg-js SDK does not surface, such as custom policy construction, separate public and private signing policies, or direct access to the unsealer header. For most integrations the SDK used by pg-sveltekit and pg-node is the simpler starting point.
MIT