Flow 5 – ML-KEM-512 Non-Streaming Encrypt / Decrypt (Compact JWE)
In this flow we use the non-streaming helpers of the SDK (compact-token mode) to encrypt and decrypt a file with a post-quantum ML-KEM-512 key.
Steps
- Generate an
ML-KEM-512key-pair. - Export its public metadata to JSON.
- Encrypt a file via
encryptFile(…)→ compact JWE on disk. - Decrypt the token via
decryptFile(…). - Validate that plaintext round-trips intact.
Non-streaming = the whole compact token is handled in memory.
For GB-scale files use the streaming APIs shown in Flows 1-4.Key points\ - Leverages the encryptFile( ) / decryptFile( ) helpers – the entire ciphertext is one Compact JWE string kept in memory. - Uses a post-quantum ML-KEM-512 key, giving long-term confidentiality that survives future RSA/ECC breaks. - Exports the key’s public metadata to a prettified JSON file so others can encrypt to you (or audit) without server access.
When to use it
- Single-blob logistics – perfect when you want a self-contained text token that can be logged, emailed, checked into Git, or embedded in a manifest without worrying about binary streams or multipart boundaries.
- Quantum-resilient archives – ideal for backups, legal holds, or research data that must remain secret for decades; ML-KEM-512 protects against both classical and quantum adversaries.
- Offline or air-gapped workflows – the exported JSON + Compact JWE give auditors (or disaster-recovery teams) everything they need to decrypt on an isolated machine with no API calls.
Shared helper – this code imports the utility class from
example-util.md (configuration, authentication, JSON).
Complete Java implementation
src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario5.java
/*
* Copyright 2025 ANKATech Solutions Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
*/
package co.ankatech.ankasecure.sdk.examples;
import co.ankatech.ankasecure.sdk.AuthenticatedSdk;
import co.ankatech.ankasecure.sdk.model.DecryptResultMetadata;
import co.ankatech.ankasecure.sdk.model.EncryptResult;
import co.ankatech.ankasecure.sdk.model.GenerateKeySpec;
import co.ankatech.ankasecure.sdk.util.FileIO;
import java.nio.file.Path;
import java.util.Properties;
import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;
/**
* Scenario 5 — ML-KEM-512 Bulk Helpers (Compact JWE).
*
* <p>This scenario demonstrates the <strong>non-streaming</strong> helper
* methods that work with RFC 7516 <em>Compact JWE</em> tokens:</p>
* <ol>
* <li>Generate an <code>ML-KEM-512</code> key-pair.</li>
* <li>Export the key's public metadata to JSON.</li>
* <li>Encrypt a file via {@link AuthenticatedSdk#encryptFile(String, Path, Path)}
* (compact token written to disk).</li>
* <li>Decrypt via {@link AuthenticatedSdk#decryptFile(Path, Path)}.</li>
* <li>Print rich metadata for both operations.</li>
* <li>Validate round-trip integrity.</li>
* </ol>
*
* <p><b>Implementation notes (Java 21+):</b></p>
* <ul>
* <li>All filesystem interactions use the {@link java.nio.file.Path} API.</li>
* <li>UTF-8 is enforced explicitly for deterministic encoding.</li>
* <li>Temporary artefacts are written under <kbd>temp_files/</kbd>.</li>
* </ul>
*
* <p><b>Thread-safety:</b> this class is stateless and immutable.</p>
*
* @author ANKATech Solutions Inc.
* @since 3.0.0
* @see ExampleUtil
* @see AuthenticatedSdk
*/
public final class ExampleScenario5 {
/** No instantiation — this class only exposes {@link #main(String[])}. */
private ExampleScenario5() { }
/**
* Runs the ML-KEM-512 compact JWE encrypt/decrypt scenario.
*
* <p>Loads CLI properties, authenticates against ANKASecure©,
* and delegates to the scenario logic. On any unrecoverable error
* the JVM terminates via
* {@link ExampleUtil#fatal(String, Throwable)}.</p>
*
* @param args command-line arguments (ignored)
*/
public static void main(final String[] args) {
System.out.println("===== SCENARIO 5 START =====");
System.out.println("""
Purpose :
* ML-KEM-512 compact-JWE encrypt / decrypt helpers
* Non-streaming - full token handled in memory
Steps :
1) Generate ML-KEM-512 key
2) Export public metadata
3) Encrypt payload (compact JWE)
4) Decrypt ciphertext
5) Validate integrity
--------------------------------------------------------------""");
try {
ensureTempDir(TEMP_DIR);
Properties props = loadProperties();
AuthenticatedSdk sdk = authenticate(props);
runScenario(sdk);
} catch (Exception ex) {
fatal("Scenario 5 failed", ex);
}
System.out.println("===== SCENARIO 5 END =====");
}
/**
* Executes the 6-step ML-KEM-512 compact JWE scenario.
*
* <ol>
* <li>Prepare plaintext file.</li>
* <li>Generate ML-KEM-512 key.</li>
* <li>Export key metadata.</li>
* <li>Encrypt file (compact JWE).</li>
* <li>Decrypt compact JWE.</li>
* <li>Validate round-trip integrity.</li>
* </ol>
*
* @param sdk an authenticated {@link AuthenticatedSdk} instance;
* must not be {@code null}
* @throws Exception if any step fails
*/
private static void runScenario(final AuthenticatedSdk sdk) throws Exception {
/* 1 -- prepare plaintext -------------------------------------------- */
Path plainFile = TEMP_DIR.resolve("scenario5_plain.txt");
FileIO.writeUtf8(plainFile,
"Scenario-5 - ML-KEM-512 compact-JWE encryption demo.");
System.out.println("[1] Plaintext ready -> " + plainFile.toAbsolutePath());
/* 2 -- generate ML-KEM-512 key -------------------------------------- */
String kid = "sc5_kem_" + System.currentTimeMillis();
sdk.generateKey(new GenerateKeySpec()
.setKid(kid)
.setKty("ML-KEM")
.setAlg("ML-KEM-512"));
System.out.println("[2] Key generated -> kid = " + kid);
/* 3 -- export metadata ---------------------------------------------- */
Path exportJson = TEMP_DIR.resolve("scenario5_key.json");
FileIO.writeUtf8(exportJson, toJson(sdk.exportKey(kid)));
System.out.println("[3] Metadata exported -> " + exportJson.toAbsolutePath());
/* 4 -- encrypt (compact JWE) ---------------------------------------- */
Path cipherFile = TEMP_DIR.resolve("scenario5.cipher.jwe");
EncryptResult encMeta = sdk.encryptFile(kid, plainFile, cipherFile);
System.out.println("[4] Ciphertext written -> " + cipherFile.toAbsolutePath());
printEncryptMeta(encMeta);
/* 5 -- decrypt ------------------------------------------------------ */
Path decFile = TEMP_DIR.resolve("scenario5_decrypted.txt");
DecryptResultMetadata decMeta = sdk.decryptFile(cipherFile, decFile);
System.out.println("[5] Decrypted file -> " + decFile.toAbsolutePath());
printDecryptMeta(decMeta);
/* 6 -- validation --------------------------------------------------- */
String original = FileIO.readUtf8(plainFile);
String recovered = FileIO.readUtf8(decFile);
System.out.println(original.equals(recovered)
? "[6] Validation OK - plaintext matches."
: "[6] WARNING - plaintext mismatch!");
}
}
How to run
Console milestones:
-
ML-KEM-512 key generation
-
Metadata export →
scenario5_key.json -
Non-streaming compact-JWE encryption →
scenario5.cipher.jwe -
Decryption →
scenario5_decrypted.txt -
Validation OK confirming byte-perfect round-trip