Themis

Cross-platform library for secure data storage, message exchange, socket connections, and authentication

Themis provides cryptosystems for securing data at rest and data in transit via convenient interfaces, available across multiple platforms.

Crafted with your platform in mind

Mobile

iOS and Android ready.

Server

Libraries for backend platforms.

Web

PNaCl, WebAssembly.

IoT

ARM, Raspberry Pi.

Solve encryption and authentication

Cryptographic services library
  1. 1 Database: data at rest protection
  2. 2 Infrastructure: secure transport and authentication
  3. 3 Front end: storage and safe transmission

Authentication

Zero-knowledge proof authentication: compare secrets over non-trusted channels without the risk of leaks or reuse attacks. Use Secure Comparator for logging in registered users in a way that no password (or password hash) is sent over the network.

Storage encryption

General purpose symmetric container with authentication, length-preserving mode, encryption context, and authentication tags. Use Secure Cell for anything from encrypted files to database records. Secure Cell is built around AES-256-GCM and AES-256-CTR.

Public key authenticated encryption

Public key container for exchanging messages and binding the access to private keys instead of secrets. Use Secure Message to send encrypted and signed data from one user to another, from client to server, to prevent MITM attacks and avoid single secret leakage. ECC + ECDSA / RSA + PSS + PKCS#7.

Session-based encryption

Session-oriented encrypted data exchange with forward secrecy and mutual peer authentication for real-time transport, socket encryption, session security, and messaging. Use Secure Session for transferring sensitive data between client and server in session context. ECDH key agreement, ECC & AES encryption.

Join those who use Themis

Industries

  • Mobile apps

  • SaaS platforms

  • Chats / messengers

  • E-commerce apps

  • Documents exchange

  • Healthcare records exchange

  • Smart home / IoT

  • Logistics / delivery services

  • Any apps that operate on sensitive / personal / critical data

Regulations

  • GDPR

  • DPB

  • CCPA

  • FISMA

  • HIPAA / HITECH Act

  • PCI DSS

  • FFIEC

  • and others

Benefits

  • Recommended by OWASP

  • Solves 90% use cases for protecting data in mobile apps

  • Saves development time

  • 100% compatible across all supported languages

  • Hard to misuse, secure by default API

  • Strong cryptography (trusted, verified, audited)

  • No* place for crypto mistakes
    (* — at least we eliminated most of them)

Get started with Themis

Check Themis repository and docs for tutorials, how-tos and example apps. Available for:
https://github.com/cossacklabs/rd_themis https://github.com/cossacklabs/pg_themis

Unified API for all platforms: easy to use, hard to misuse

import Themis

let masterKey = Data(base64Encoded: "b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=")!
let message = "all your base are belong to us".data(using: .utf8)!
let context = "for the great justice".data(using: .utf8)!

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

let scell = TSCellSeal(key: masterKey)!

let encrypted = try scell.wrap(message, context: context)
let decrypted = try scell.unwrapData(encrypted, context: context)

assert(decrypted == message)
#import <objcthemis/objcthemis.h>

NSData *masterKey = [[NSData alloc] initWithBase64EncodedString:@"b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U="];
NSData *message = [@"all your base are belong to us" dataUsingEncoding:NSUTF8StringEncoding];
NSData *context = [@"For the great justice!" dataUsingEncoding:NSUTF8StringEncoding];

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

TSCellSeal *scell = [[TSCellSeal alloc] initWithKey:masterKey];

NSError *error;
NSData *encrypted = [scell wrapData:message context:context error:&error];
NSData *decrypted = [scell unwrapData:encrypted context:context error:&error];

XCTAssertEqual(decrypted, message);
import com.cossacklabs.themis.SecureCell;

byte[] masterKey = Base64.Decoder.decode("b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=");
byte[] message = "all your base are belong to us".getBytes("UTF-8");
byte[] context = "for the great justice".getBytes("UTF-8");

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

SecureCell scell = new SecureCell(masterKey, SecureCell.MODE_SEAL);

SecureCellData encrypted = scell.protect(context, message);
byte[] decrypted = scell.unprotect(context, encrypted);

Assert.assertArrayEquals(decrypted, message);
require 'rbthemis'

masterKey = Base64.decode64('b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=')
message = 'all your base are belong to us'
context = 'for the great justice'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV

scell = Themis::Scell.new(masterKey, Themis::Scell::SEAL_MODE)

encrypted = scell.encrypt(message, context)
decrypted = scell.decrypt(encrypted, context)

assert_equal(decrypted, message)
from pythemis.scell import SCellSeal

master_key = base64.decodebytes(b'b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=')
message = b'all your base are belong to us'
context = b'for the great justice'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV

scell = SCellSeal(master_key)

encrypted = scell.encrypt(message, context)
decrypted = scell.decrypt(encrypted, context)

assert decrypted == message
$master_key = base64_decode('b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=');
$message = 'all your base are belong to us';
$context = 'for the great justice';

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

$encrypted = phpthemis_scell_seal_encrypt($master_key, $message, $context);
$decrypted = phpthemis_scell_seal_decrypt($master_key, $encrypted, $context);

assert($decrypted == $message);
#include <themispp/secure_cell.hpp>

std::vector master_key = base64_decode("b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=");
std::vector message = string_to_vec("all your base are belong to us");
std::vector context = string_to_vec("for the great justice");

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

themispp::secure_cell_seal_t scell(master_key);

std::vector encrypted = scell.encrypt(message, context);
std::vector decrypted = scell.decrypt(encrypted, context);

ASSERT_EQ(decrypted, message);
var themis = require('themis')

var masterKey = Buffer.from("b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=", "base64")
var message = Buffer.from("all your base are belong to us")
var context = Buffer.from("for the great justice")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

var scell = new themis.SecureCellSeal(masterKey)

var encrypted = scell.encrypt(message, context)
var decrypted = scell.decrypt(encrypted, context)

assert.equal(decrypted, message)
import "github.com/cossacklabs/themis/gothemis/cell"

masterKey := base64.StdEncoding.DecodeString("b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=")
message := []byte("all your base are belong to us")
context := []byte("for the great justice")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

scell := cell.New(masterKey, cell.ModeSeal)

encrypted, _, err := scell.Protect(message, context)
decrypted, err := scell.Unprotect(encrypted, nil, context)

assert.Equal(t, decrypted, message)
use themis::secure_cell::SecureCell;

let master_key = base64::decode("b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=")?;
let message = b"all your base are belong to us";
let context = b"for the great justice";

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

let scell = SecureCell::with_key(&master_key)?.seal();

let encrypted = scell.encrypt_with_context(&message, &context)?;
let decrypted = scell.decrypt_with_context(&encrypted, &context)?;

assert_eq!(decrypted, message);
const themis = require('wasm-themis')

themis.initialized.then(function() {
	let masterKey = Base64ToUint8Array('b0gyNlM4LTFKRDI5anFIRGJ4SmQyLGE7MXN5YWUzR2U=')
	let message = Buffer.from("all your base are belong to us")
	let context = Buffer.from("for the great justice")

	// Protect message using strong encryption under the hood:
	// AES-256-GCM with KDF, random salt and IV

	let scell = new themis.SecureCellSeal(masterKey)

	let encrypted = scell.encrypt(message, context)
	let decrypted = scell.decrypt(encrypted, context)

	assert.equal(decrypted, message)
})

Read related case studies and engineering stories.

Interested in consultancy or commercial support? Let's talk.

Related blog posts