version 0.12



Store private data in a container object.

Private data is added to an SDMP container using well-known encryption techniques. Decryption of the payload must produce a valid container object.


Encrypting an object is done by generating an AES key, encrypting the data with that key, and then encrypting the AES key to the public key of each recipient.

The AES encrypted content is held in the encrypted.payload property, while the RSA encrypted key is held in the key property of the recipient object.


The payload is an encoded representation of another container object.

Specifically, the payload is the output of the following function:

BASE64URL(ENCRYPT(UTF8(JSON.stringify(SDMP Container))))

The child container is converted to a string, then UTF-8 encoded, then encrypted using the AES key, and then base64url encoded.


The RSA encrypted key is decrypted using the recipient's private key, and the recovered AES key is then used to decrypt the AES encrypted content.


This object is an extension of the container object, so it must also have all properties required in the container object specifications.

In addition, the object also has the following properties:

encrypted (object, required)

This object holds a signed string, which is the string representation of a valid container object.

This object contains the following properties:

encrypted.iv (string, required)

Initialization vector whose octets are unpadded base64url encoded.

encrypted.payload (string)

The encrypted content, whose octets are unpadded base64url encoded.

The encrypted content must be the JSON.stringify output of a fully valid container object.

encrypted.recipients (array of objects, required)

Contains per-recipient information.

encrypted.recipients[].key (string, required)

Contains the key, encrypted to the recipient's public key, whose octets are unpadded base64url encoded.
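The encryption and decryption steps above, together with the encrypted.iv, encrypted.payload and encrypted.recipients[].key properties, can be sketched in Node.js as follows. This is an added example, not code from the SDMP project. AES-256-GCM with the 16-byte tag appended to the ciphertext, RSA-OAEP with SHA-256, and the function names are assumptions, because this page does not yet specify algorithms. The other properties a container requires are omitted.

```javascript
// Added example. AES-256-GCM and RSA-OAEP (SHA-256) are assumptions: the
// "JWE Parameters" section of this page does not yet specify algorithms.
const crypto = require("crypto");

const b64u = (buf) => buf.toString("base64url");        // unpadded base64url
const unb64u = (str) => Buffer.from(str, "base64url");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Build the `encrypted` property from a child container and recipient public keys.
function encryptContainer(child, recipientPublicKeys) {
  const key = crypto.randomBytes(32);  // fresh AES key for every object
  const iv = crypto.randomBytes(12);   // fresh IV, never reused with the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const plaintext = Buffer.from(JSON.stringify(child), "utf8");
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final(), cipher.getAuthTag()]);
  return {
    encrypted: {
      iv: b64u(iv),
      payload: b64u(ct),
      recipients: recipientPublicKeys.map((pub) => ({
        key: b64u(crypto.publicEncrypt({ key: pub, ...OAEP }, key)),
      })),
    },
  };
}

// Find the recipient entry our private key opens, then decrypt and validate the child.
function decryptContainer(container, privateKey) {
  const { iv, payload, recipients } = container.encrypted;
  const data = unb64u(payload);
  const ct = data.subarray(0, data.length - 16);
  const tag = data.subarray(data.length - 16);
  for (const r of recipients) {
    let key;
    try {
      key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, unb64u(r.key));
    } catch { continue; }              // this entry belongs to another recipient
    const d = crypto.createDecipheriv("aes-256-gcm", key, unb64u(iv));
    d.setAuthTag(tag);                 // final() throws if payload or IV was altered
    const text = Buffer.concat([d.update(ct), d.final()]).toString("utf8");
    const child = JSON.parse(text);
    if (child === null || typeof child !== "object" || Array.isArray(child)) {
      throw new Error("payload is not a container object");
    }
    return child;
  }
  throw new Error("no recipient entry decrypts with this key");
}
```

A receiver should still validate the returned child against the container object specification before acting on it.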

JWE Parameters

Describe crypto requirements for JWE object here.