Choose a primitive
Stay organized with collections
Save and categorize content based on your preferences.
Select your use case to identify the correct primitive, then follow the link for
guidance on using the primitive.
Encrypt data...
These primitives are all able to bind ciphertext to its
context.
Ensure authenticity and integrity of data by...
Miscellany
Have a question?
Create an issue in the language-specific GitHub repository linked on the Tink
organization page.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-11 UTC.
[null,null,["Last updated 2025-07-11 UTC."],[[["\u003cp\u003eTink provides cryptographic primitives for encrypting data, ensuring authenticity and integrity, and managing keys, categorized by use case for easy selection.\u003c/p\u003e\n"],["\u003cp\u003eDevelopers can choose from primitives like AEAD, Streaming AEAD, Deterministic AEAD, KMS Envelope AEAD, and Hybrid Encryption for data encryption with varying features and functionalities.\u003c/p\u003e\n"],["\u003cp\u003eMAC and Digital Signature primitives are available for verifying data integrity and authenticity, with different verification mechanisms.\u003c/p\u003e\n"],["\u003cp\u003eTink supports JSON Web Tokens (JWTs) and offers KMS-Encrypted Primitives for advanced key management scenarios.\u003c/p\u003e\n"],["\u003cp\u003eDetailed guidance on primitive usage is accessible via linked documentation for each specific implementation.\u003c/p\u003e\n"]]],["The content outlines cryptographic primitives based on use cases. For encrypting data, options include AEAD for standard needs, Streaming AEAD for large data, Deterministic AEAD for consistent ciphertexts, KMS Envelope AEAD for key protection, and Hybrid Encryption for public/private key scenarios. For data integrity and authenticity, MACs and Digital Signatures are available. Additional primitives include JWTs, and KMS-encrypted primitives for securing keysets. All encryption methods allow binding ciphertext to context. Questions can be raised in the GitHub repository.\n"],null,["# Choose a primitive\n\nSelect your use case to identify the correct primitive, then follow the link for\nguidance on using the primitive.\n\nEncrypt data...\n---------------\n\n| | Primitive | Details |\n|--------------------------------------------------------------------------------|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|\n| [...in standard sizes](/tink/encrypt-data) | **Authenticated Encryption with Associated Data (AEAD)** | - Suitable for most needs - Accepts plaintexts up to 2^32^ bytes - Provides plaintext confidentiality and verifies integrity and authenticity |\n| [...in large files or data streams](/tink/encrypt-large-files-or-data-streams) | **Streaming AEAD** | - For data that is too large to be processed in a single step |\n| [...deterministically](/tink/deterministic-encryption) | **Deterministic AEAD** | - Produces same ciphertext for a given plaintext and key |\n| [...with keys protected by a KMS](/tink/client-side-encryption) | **Key Management System (KMS) Envelope AEAD** | - Encrypts every plaintext with new AEAD key - Encrypts every AEAD key with KMS |\n| [...with public key, decrypt data with private key](/tink/exchange-data) | **Hybrid Encryption** | - Not authenticated - Useful when senders cannot store secrets (private key) |\n\nThese primitives are all able to [bind ciphertext to its\ncontext](/tink/bind-ciphertext).\n\nEnsure authenticity and integrity of data by...\n-----------------------------------------------\n\n| | Primitive | Details |\n|------------------------------------------------------------------------------------------------|---------------------------------------|-------------------------------------------------------------------|\n| [...creating and verifying MAC with one key](/tink/protect-data-from-tampering) | **Message Authentication Code (MAC)** | - Very fast - Only verifiable by parties who can also create MACs |\n| [...creating signature with private key, verifying with public key](/tink/digitally-sign-data) | **Digital Signature** | - Verifiable by parties who cannot create signatures |\n\nMiscellany\n----------\n\n| | Primitive | Details |\n|-------------------------------------------------------------------------------------------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|\n| [Create and verify JWTs](/tink/create-jwts) | **JSON Web Tokens (JWTs)** | - Can additionally convert to / from JSON Web Key (JWK) format |\n| [Encrypt any primitive's keyset with a KMS](/tink/key-management-overview#encrypt_keyset) | **KMS-Encrypted Primitive** | - Doesn't require interacting with the KMS every time the primitive is used (e.g. to encrypt a plaintext), unlike [KMS Envelope AEAD](#encrypt_data) |\n\nHave a question?\n----------------\n\nCreate an issue in the language-specific GitHub repository linked on the [Tink\norganization page](https://github.com/tink-crypto)."]]
