Themis

Cross-platform library for secure data storage, message exchange, socket connections, and authentication

Themis provides cryptosystems for securing data-at-rest and data-in-transit via convenient interfaces, available across multiple platforms.

Crafted with your platform in mind

Mobile

iOS and Android ready.

Server

Wrappers for server-side languages.

Web

Plugins, JS, WebAssembly (soon).

IoT

ARM / Raspberry Pi.

Themis provides:

Cryptographic services library
  1. Database: data-at-rest protection
  2. Infrastructure: secure transport and authentication
  3. Front-end: storage and safe transmission

Authentication
Zero-knowledge proof authentication: compare secrets over non-trusted channels without the risk of leaks or reuse attacks. Use Secure Comparator for logging in registered users in such a way that no password (or password hash) is sent over the network.

Encrypted storage (symmetric encryption)
General purpose symmetric container with authentication, length-preserving mode, encryption context, and authentication tags. Use Secure Cell for storing any data in files or database cells, encrypt data with context linked to particular users.

Public key authenticated encryption
Public key container for exchanging messages, API calls, and binding the access to private keys instead of secrets. Use Secure Message to send encrypted and signed data from client to server and back, prevent MiTM attacks, avoid single secret leakage.

Socket protection
Lightweight socket encryption with perfect forward secrecy and mutual peer authentication for real-time transport, sockets, data streams, APIs, and messaging. Use Secure Session for transferring sensitive data between client and server in session context.

Get started with Themis

See Themis documentation for more info and how-tos.

Available for:

https://github.com/cossacklabs/rd_themis
https://github.com/cossacklabs/pg_themis

Get started in minutes:

Swift:

import themis

let password = "your secret password string".data(using: .utf8)!
let message = "all your base are belong to us".data(using: .utf8)!
let context = "for the great justice".data(using: .utf8)!

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

let scell = TSCellSeal(key: password)!

let encrypted = try scell.wrap(message, context: context)

let decrypted = try scell.unwrapData(encrypted, context: context)

assert(decrypted == message)

Java:

import com.cossacklabs.themis.SecureCell;
import com.cossacklabs.themis.SecureCellData;

byte[] password = "your secret password string".getBytes("UTF-8");
byte[] message = "all your base are belong to us".getBytes("UTF-8");
byte[] context = "for the great justice".getBytes("UTF-8");

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

SecureCell scell = new SecureCell(password, SecureCell.MODE_SEAL);

SecureCellData encrypted = scell.protect(context, message);

byte[] decrypted = scell.unprotect(context, encrypted);

Assert.assertArrayEquals(decrypted, message);

PHP:

$password = 'your secret password string';
$message = 'all your base are belong to us';
$context = 'for the great justice';

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

$encrypted = phpthemis_scell_seal_encrypt($password, $message, $context);

$decrypted = phpthemis_scell_seal_decrypt($password, $encrypted, $context);

assert($decrypted == $message);

Python:

from pythemis.scell import SCellSeal

password = b'your secret password string'
message = b'all your base are belong to us'
context = b'for the great justice'

# Protect message using strong encryption under the hood:
# AES-256-GCM with PBKDF2, random salt and IV

scell = SCellSeal(password)

encrypted = scell.encrypt(message, context)

decrypted = scell.decrypt(encrypted, context)

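assert decrypted == message

Node.js:

var assert = require('assert')
var themis = require('themis')

// Buffer.from replaces the deprecated `new Buffer(...)` constructor
var password = Buffer.from("your secret password string")
var message = Buffer.from("all your base are belong to us")
var context = Buffer.from("for the great justice")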

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

var scell = new themis.SecureCellSeal(password)

var encrypted = scell.encrypt(message, context)

var decrypted = scell.decrypt(encrypted, context)

// Buffers are distinct objects, so compare contents rather than references
assert.deepStrictEqual(decrypted, message)

Go:

import "github.com/cossacklabs/themis/gothemis/cell"

password := []byte("your secret password string")
message := []byte("all your base are belong to us")
context := []byte("for the great justice")

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

scell := cell.New(password, cell.ModeSeal)

encrypted, _, err := scell.Protect(message, context)

decrypted, err := scell.Unprotect(encrypted, nil, context)

assert.Equal(t, decrypted, message)

Ruby:

require 'rbthemis'

password = 'your secret password string'
message = 'all your base are belong to us'
context = 'for the great justice'

# Protect message using strong encryption under the hood:
# AES-256-GCM with PBKDF2, random salt and IV

scell = Themis::Scell.new(password, Themis::Scell::SEAL_MODE)

encrypted = scell.encrypt(message, context)

decrypted = scell.decrypt(encrypted, context)

assert_equal(decrypted, message)

Objective-C:

#import <objcthemis/objcthemis.h>

NSData *password = [@"your secret password string" dataUsingEncoding:NSUTF8StringEncoding];
NSData *message = [@"all your base are belong to us" dataUsingEncoding:NSUTF8StringEncoding];
NSData *context = [@"For the great justice!" dataUsingEncoding:NSUTF8StringEncoding];

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

TSCellSeal *scell = [[TSCellSeal alloc] initWithKey:password];

NSError *error;
NSData *encrypted = [scell wrapData:message context:context error:&error];
NSData *decrypted = [scell unwrapData:encrypted context:context error:&error];

// Compare contents; XCTAssertEqual would compare the object pointers
XCTAssertEqualObjects(decrypted, message);

C++:

#include <themispp/secure_cell.hpp>

std::vector<uint8_t> password = string_to_vec("your secret password string");
std::vector<uint8_t> message = string_to_vec("all your base are belong to us");
std::vector<uint8_t> context = string_to_vec("for the great justice");

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

themispp::secure_cell_seal_t scell(password);

std::vector<uint8_t> encrypted = scell.encrypt(message, context);

std::vector<uint8_t> decrypted = scell.decrypt(encrypted, context);

ASSERT_EQ(decrypted, message);

Rust:

use themis::secure_cell::SecureCell;

let password = b"your secret password string";
let message = b"all your base are belong to us";
let context = b"for the great justice";

// Protect message using strong encryption under the hood:
// AES-256-GCM with PBKDF2, random salt and IV

let scell = SecureCell::with_key(&password)?.seal();

let encrypted = scell.encrypt_with_context(&message, &context)?;

let decrypted = scell.decrypt_with_context(&encrypted, &context)?;

assert_eq!(decrypted, message);
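
What the snippets above rely on, shown as an added example rather than Themis code: authenticated encryption under a password-derived key, where the wrong context, the wrong password or a modified ciphertext is rejected on decryption. It uses Node's built-in crypto as a stand-in and does not reproduce Themis's construction or container format; the names sealEncrypt and sealDecrypt, the byte layout, the iteration count and the sample user contexts are assumptions.

```javascript
// Added illustration on Node's crypto module; NOT Themis code or its container format.
const nodeCrypto = require('crypto');
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;
const ITERATIONS = 200000; // assumed PBKDF2 work factor for this sketch
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Assumed layout: salt || iv || tag || ciphertext. The context is never stored.
function sealEncrypt(password, message, context) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(context); // bind the ciphertext to the caller's context
  const body = Buffer.concat([cipher.update(message), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Throws if the password, the context or any byte of `sealed` is wrong.
function sealDecrypt(password, sealed, context) {
  if (sealed.length < HEADER_LEN) throw new Error('sealed data too short');
  const salt = sealed.subarray(0, SALT_LEN);
  const iv = sealed.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = sealed.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAAD(context);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(sealed.subarray(HEADER_LEN)), decipher.final()]);
}

function isRejected(password, sealed, context) {
  try { sealDecrypt(password, sealed, context); return false; } catch (e) { return true; }
}

// Constructed sample data: one record sealed for a hypothetical user "alice".
function demo() {
  const password = Buffer.from('your secret password string');
  const message = Buffer.from('all your base are belong to us');
  const alice = Buffer.from('user:alice'), bob = Buffer.from('user:bob');
  const sealed = sealEncrypt(password, message, alice);
  const tampered = Buffer.from(sealed);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: sealDecrypt(password, sealed, alice).equals(message),
    wrongContextRejected: isRejected(password, sealed, bob),
    wrongPasswordRejected: isRejected(Buffer.from('guess'), sealed, alice),
    tamperRejected: isRejected(password, tampered, alice),
  };
}
console.log(demo());
```

When storing per-user records, pass a stable identifier for the record's owner as the context so that a cell copied into another user's row fails to decrypt.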

Get the most out of using Themis:

Flat fee consultancy

In-depth one-time consulting.

Handled with care

Security by security professionals.

Dev from Devs

We help you use the tools we wrote.

About DGAP

DataGuardian Assistance Program is an exhaustive assisted security solution. Our experts will help you understand and avert practical data security risks your application is facing.

DGAP overview

Want to know more? Here's a brief overview of how DataGuardian Assistance Program by Cossack Labs helps your product, what's inside the service, and how to start.

Copyright © 2014-2019 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.