Themis

Themis

Cross-platform library for secure data storage, message exchange, socket connections, and authentication

Themis provides cryptosystems for securing data-at-rest and data-in-transit via convenient interfaces, available across multiple platforms.

Crafted with your platform in mind

Mobile

iOS and Android ready.

Server

Wrappers for server-side languages.

Web

Plugins, JS, WebAssembly (soon).

IoT

ARM / Raspberry Pi.

Themis provides:

Cryptographic services library
  1. 1 Database: data-at-rest protection
  2. 2 Infrastructure: secure transport and authentication
  3. 3 Front-end: storage and safe transmission
Authentication
Zero-knowledge proof authentication: compare secrets over non-trusted channels without the risk of leaks or reuse attacks. Use Secure Comparator for logging in registered users in such a way that no password (or password hash) is sent over the network.
Encrypted storage (symmetric encryption)
General purpose symmetric container with authentication, length-preserving mode, encryption context, and authentication tags. Use Secure Cell for storing any data in files or database cells, encrypt data with context linked to particular users.
Public key authenticated encryption
Public key container for exchanging messages, API calls, and binding the access to private keys instead of secrets. Use Secure Message to send encrypted and signed data from client to server and back, prevent MiTM attacks, avoid single secret leakage
Socket protection
Lightweight socket encryption with perfect forward secrecy and mutual peer authentication for real-time transport, sockets, data streams, APIs, and messaging. Use Secure Session for transferring sensitive data between client and server in session context.

Get started with Themis

See Themis documentation for more info and how-tos Available for:


https://github.com/cossacklabs/rd_themis https://github.com/cossacklabs/pg_themis

Get started in minutes:

let masterKeyString: String = "UkVDMgAAAC13PCVZAKOczZXUpvkhsC+xvwWnv3CLmlG0Wzy8ZBMnT+2yx/dg"
let masterKeyData: Data = Data(base64Encoded: masterKeyString, options: .ignoreUnknownCharacters)!

/* Initialise encrypter/decrypter: */
guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
    print("Error occurred while initializing object cellSeal", #function)
    return
}

/* Encrypt: */
let message: String = "All your base are belong to us!"
let context: String = "For great justice"

var encryptedMessage: Data = Data()
do {
    /* context is optional parameter and may be ignored */
    encryptedMessage = try cellSeal.wrap(message.data(using: .utf8)!,
                                         context: context.data(using: .utf8)!)
    print("decryptedMessagez = \(encryptedMessage)")

} catch let error as NSError {
    print("Error occurred while encrypting \(error)", #function)
    return
}

/* Decrypt: */
let context: String = "For great justice"
do {
    let decryptedMessage: Data = try cellSeal.unwrapData(encryptedMessage,
                                               context: context.data(using: .utf8)!)
    let resultString: String = String(data: decryptedMessage, encoding: .utf8)!
    print("decryptedMessage = \(resultString)")

} catch let error as NSError {
    print("Error occurred while decrypting \(error)", #function)
    return
}
                        
/** Initialise cell: */
SecureCell cell = new SecureCell("your secret password string", SecureCell.MODE_SEAL);

/**
* Encrypt (context is optional):
*/
SecureCellData cellData = cell.protect(context, data);

/**
* The result of the function call is SecureCellData object,
* which is a simple container for protected data.
* You may get the actual protected data:
*/
byte[] protectedData = cellData.getProtectedData();

/**
* Decrypt (context is optional):
* The context should be same as in the protect function call
* for successful decryption.
*/
byte[] data = cell.unprotect(context, cellData);
                        
// Syntax
mixed phpthemis_scell_seal_encrypt( string $password, string $source_data [, string $context] )

$password = 'not-so-secret';
$message  = 'The best laid schemes of mice and men go oft awry';
$context  = '12345';
$secure_cell = phpthemis_scell_seal_encrypt($password, $message, $context);
$decrypted   = phpthemis_scell_seal_decrypt($password, $secure_cell, $context);
echo "Decrypted: $decrypted\n";
                        
// Initialise encrypter/decrypter:
from pythemis.scell import SCellSeal
scell = SCellSeal(b'password')

// Encrypt:
encrypted_message = scell.encrypt(b'message', b'context')

// Decrypt:
message = scell.decrypt(encrypted_message, b'context')
                        
// Initialise encrypter/decrypter:
scell_seal = new themis.SecureCellSeal(key);

// Encrypt (context is optional):
encrypted_message = scell_seal.encrypt(message, context)

// Decrypt:
// The context should be same as in the encrypt function call for successful decryption.
decrypted_message = scell_seal.decrypt(encrypted_message, context)
                        
// Create SecureCell object to protect your data:
import "github.com/cossacklabs/themis/gothemis/cell"

// Initialise cell:
secureCell := cell.New(secretKey, cell.CELL_MODE_SEAL)

// Encrypt (context is optional):
protectedData, _, err := secureCell.Protect(data, context)
// Second parameter _ is additional data that is nil in this mode.

// Decrypt (context is optional):
// The context should be same as in the protect function call for successful decryption.
data, err := secureCell.Unprotect(protectedData, nil, context)
                        
# Initialise encrypter/decrypter:
scell_full = Themis::Scell.new(key, Themis::Scell::SEAL_MODE)

# Encrypt:
encrypted_message = scell_full.encrypt(message, context)

# Decrypt:
decrypted_message = scell_full.decrypt(encrypted_message, context)
                        
// Initialise encrypter/decrypter:
#import <objcthemis/objcthemis.h>
TSCellSeal * cellSeal = [[TSCellSeal alloc] initWithKey:masterKeyData];

// Encrypt:
NSString * message = @"All your base are belong to us!";
NSString * context = @"For great justice";
NSError * themisError;

// context is an optional parameter and may be ignored
NSData * encryptedMessage = [cellSeal wrapData:[message dataUsingEncoding:NSUTF8StringEncoding]
                                       context:[context dataUsingEncoding:NSUTF8StringEncoding]
                                         error:&themisError];

if (themisError) {
    NSLog(@"%s Error occurred while enrypting %@", sel_getName(_cmd), themisError);
    return;
}
NSLog(@"encryptedMessage = %@", encryptedMessage);

// Decrypt:
NSString * context = @"For great justice";
NSError * themisError;

NSData * decryptedMessage = [cellSeal unwrapData:encryptedMessage
                                         context:[context dataUsingEncoding:NSUTF8StringEncoding]
                                           error:&themisError];
if (themisError) {
    NSLog(@"%s Error occurred while decrypting %@", sel_getName(_cmd), themisError);
    return;
}
NSString * resultString = [[NSString alloc] initWithData:decryptedMessage
                                                encoding:NSUTF8StringEncoding];
NSLog(@"%s resultString = %@", sel_getName(_cmd), resultString);
                        
/* Initialise encrypter/decrypter: */
themispp::secure_cell_seal_t sm(password);

/* Encrypt: */
try {
     std::vector<uint8_t> encrypted_message = sm.encrypt(message, context);
   } catch(themispp::exception& e) {
     e.what();
   }

/* Decrypt: */
try {
     std::vector<uint8_t> decrypted_message = sm.decrypt(message, context);
   } catch(themispp::exception& e) {
     e.what();
   }
                        

Get the most out of using Themis:

Flat fee consultancy

In-depth one-time consulting.

Handled with care

Security by security professionals.

Dev from Devs

We help you use the tools we wrote.

About DGAP

DataGuardian Assistance Program is an exhaustive assisted security solution. Our experts will help you understand and avert practical data security risks your application is facing.

Request more info:

DGAP overview

Want to know more? Here's a brief overview of how DataGuardian Assitance Program by Cossack Labs helps your product, what's inside the service, and how to start.

Related blog posts

Copyright © 2014-2018 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.