Themis
Cross-platform high-level cryptographic library
Themis helps to build simple and complex cryptographic features easily, quickly, and securely. It's a perfect fit for multi-platform apps.
Themis hides cryptographic details and eliminates popular mistakes.
4 essential building blocks
Themis provides ready-made building blocks ("cryptosystems") for secure data storage, message exchange, socket connections, and authentication.
Authenticated storage encryption
Secure Cell is a multi-mode cryptographic container suitable for storing anything from encrypted files to database records. Use Secure Cell to encrypt data at rest. Secure Cell is built around AES-256-GCM and AES-256-CTR.
Public key authenticated encryption
Secure Message is a simple encrypted messaging solution for the widest scope of applications. Use Secure Message to send encrypted and signed data from one user to another, from client to server, to prevent MITM attacks and avoid single secret leakage. Based on ECC + ECDSA / RSA + PSS + PKCS#7.
Zero knowledge proof authentication
Secure Comparator is a zero-knowledge proof-based protocol for comparing secrets over non-trusted channels without risking leaks or reuse attacks. Use Secure Comparator to authenticate users in a way that no password (or password hash) is sent over the network.
Session-based encryption
Secure Session is a session-oriented encrypted data exchange with forward secrecy for better security guarantees and more demanding infrastructures. Secure Session can perfectly function as socket encryption, session security, or a high-level messaging primitive (with some additional infrastructure like PKI). ECDH key agreement, ECC & AES encryption.
Join those who use Themis
Industries and applications
- Mobile apps
- Fintech, banking, cryptowallets
- SaaS platforms
- Chats & messengers
- Cloud data encryption
- Documents exchange (VDR)
- Healthcare records exchange (EHR)
- Smart home & IoT
- Logistics & delivery services
- Any apps that operate on sensitive or personal data
Regulations
- GDPR
- DPB
- DPA encryption requirements
- CCPA
- FISMA
- HIPAA / HITECH Act
- PCI DSS
- PSD2
- FFIEC
- And others
Benefits
- Recommended by OWASP
- Solves 90% of use cases for protecting data in mobile apps
- Implements application level encryption best practices
- 100% compatible across all supported languages
- Saves development time
- Hard to misuse, secure by default API
- Strong cryptography (trusted, verified, audited)
- No place for crypto mistakes. We tried hard to prevent 'em.
One cryptographic library that fits 'em all.
Themis is the best fit for multi-platform products (mobile, desktop and server-side apps) because it provides 100% compatible API and works in the same way across all supported platforms.
Perfect for client-side encryption, server-side encryption or building end-to-end encryption flows.
Typical usage scenarios
Encrypt stored secrets
Store secrets (API keys, session tokens, files) encrypted in your apps and backends using authenticated symmetric encryption. Use Themis with iOS Keychain and Android KeyStore.
Share data between users
Exchange secrets securely: share sensitive data between parties, sign messages and verify signatures, build simple chat applications with encryption in transit and at rest.
Zero knowledge proofs
Compare secrets between parties without revealing them, using an interactive zero-knowledge proof-based protocol. Works best for authentication via insecure channels.
Field level encryption
Encrypt sensitive fields before storing them in the database ("application level encryption"). Use searchable encryption, data tokenisation and masking with Themis and Acra.
End-to-end encryption layer
Build end-to-end encryption schemes with centralised or decentralised architecture: encrypt data locally on one app, use it encrypted everywhere, decrypt only for authenticated users.
Real-time encrypted sessions
Maintain real-time secure sessions: send encrypted messages to control connected devices via your app, receive real-time sensitive data streams from your apps to backends.
See Themis GitHub for more docs and examples.
Get started with Themis
Check Themis repository and docs for tutorials, how-tos and example apps.
Use Themis to implement application level encryption best practices.
Unified API for all platforms: easy to use, hard to misuse.
Themis provides 100% interoperability across supported platforms, respects backwards compatibility and stability: your app won't be broken because some npm package is missing.
```javascript
import {
  symmetricKey64,
  secureCellSealWithSymmetricKeyEncrypt64,
  secureCellSealWithSymmetricKeyDecrypt64,
} from 'react-native-themis'

const message = "all your base are belong to us"
const context = ""

(async () => {
  const key64 = await symmetricKey64()
  const encrypted64 = await secureCellSealWithSymmetricKeyEncrypt64(key64, message, context)
  const decrypted = await secureCellSealWithSymmetricKeyDecrypt64(key64, encrypted64, context)
})();
```
```swift
import themis

let message = "all your base are belong to us".data(using: .utf8)!

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
let encryptionKey = TSGenerateSymmetricKey()!
let cell = TSCellSeal(key: encryptionKey)!

let encrypted = try cell.encrypt(message)
let decrypted = try cell.decrypt(encrypted)
```
```objc
@import themis;

NSString *messageString = @"all your base are belong to us";
NSData *message = [messageString dataUsingEncoding:NSUTF8StringEncoding];

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
NSData *encryptionKey = TSGenerateSymmetricKey();
TSCellSeal *cell = [[TSCellSeal alloc] initWithKey:encryptionKey];

NSError *error;
NSData *encrypted = [cell encrypt:message error:&error];
NSData *decrypted = [cell decrypt:encrypted error:&error];
```
```java
import com.cossacklabs.themis.*;
import java.nio.charset.StandardCharsets;

byte[] message = "all your base are belong to us"
        .getBytes(StandardCharsets.UTF_8);

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
SymmetricKey encryptionKey = new SymmetricKey();
SecureCell.Seal cell = SecureCell.SealWithKey(encryptionKey);

byte[] encrypted = cell.encrypt(message);
byte[] decrypted = cell.decrypt(encrypted);
```
```kotlin
import com.cossacklabs.themis.*
import java.nio.charset.StandardCharsets

val message = "all your base are belong to us"
    .toByteArray(StandardCharsets.UTF_8)

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
val encryptionKey = SymmetricKey()
val cell = SecureCell.SealWithKey(encryptionKey)

val encrypted = cell.encrypt(message)
val decrypted = cell.decrypt(encrypted)
```
```go
import "github.com/cossacklabs/themis/gothemis/cell"
import "github.com/cossacklabs/themis/gothemis/keys"

message := []byte("all your base are belong to us")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
encryptionKey, err := keys.NewSymmetricKey()
scell, err := cell.SealWithKey(encryptionKey)

encrypted, err := scell.Encrypt(message, nil)
decrypted, err := scell.Decrypt(encrypted, nil)
```
```rust
use themis::keys::SymmetricKey;
use themis::secure_cell::SecureCell;

let message = b"all your base are belong to us";

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
let encryption_key = SymmetricKey::new();
let cell = SecureCell::with_key(&encryption_key)?.seal();

let encrypted = cell.encrypt(&message)?;
let decrypted = cell.decrypt(&encrypted)?;
```
```python
from pythemis.scell import SCellSeal
from pythemis.skeygen import GenerateSymmetricKey

message = b'all your base are belong to us'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV
encryption_key = GenerateSymmetricKey()
cell = SCellSeal(key=encryption_key)

encrypted = cell.encrypt(message)
decrypted = cell.decrypt(encrypted)
```
```ruby
require 'rbthemis'

message = 'all your base are belong to us'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV
encryption_key = Themis::gen_sym_key
cell = Themis::ScellSeal.new(encryption_key)

encrypted = cell.encrypt(message)
decrypted = cell.decrypt(encrypted)
```
```javascript
const themis = require('jsthemis')

const message = Buffer.from("all your base are belong to us")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
const encryptionKey = new themis.SymmetricKey()
const cell = themis.SecureCellSeal.withKey(encryptionKey)

const encrypted = cell.encrypt(message)
const decrypted = cell.decrypt(encrypted)
```
```javascript
const themis = require('wasm-themis')
await themis.initialized

let messageString = "all your base are belong to us"
let message = new TextEncoder().encode(messageString)

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
let encryptionKey = new themis.SymmetricKey()
let cell = themis.SecureCellSeal.withKey(encryptionKey)

let encrypted = cell.encrypt(message)
let decrypted = cell.decrypt(encrypted)
```
```cpp
#include <themispp/secure_cell.hpp>
#include <themispp/secure_keygen.hpp>

uint8_t message[] = "all your base are belong to us";

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
std::vector<uint8_t> encryption_key = themispp::gen_sym_key();
auto cell = themispp::secure_cell_seal_with_key(encryption_key);

std::vector<uint8_t> encrypted = cell.encrypt(message);
std::vector<uint8_t> decrypted = cell.decrypt(encrypted);
```
```php
$message = 'all your base are belong to us';

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV
$encryption_key = phpthemis_gen_sym_key();

$encrypted = phpthemis_scell_seal_encrypt($encryption_key, $message, NULL);
$decrypted = phpthemis_scell_seal_decrypt($encryption_key, $encrypted, NULL);
```
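The React Native, Go and PHP snippets above pass an empty context. As an added example (not Themis code and not the Themis container format), the Node.js sketch below uses the built-in crypto module's AES-256-GCM to show what an authenticated container buys field level encryption when a record identifier is supplied as context: a ciphertext copied into another row, or modified at rest, fails to open. The helpers sealField and openField, the IV/tag/ciphertext layout and the sample values are assumptions made for this illustration.

```javascript
// Added illustration with Node's built-in crypto; not Themis, not its format.
const crypto = require('node:crypto')

// Hypothetical helper: encrypt one database field and bind it to `context`
// (for example "table:column:row-id") as AES-GCM associated data.
function sealField(key, plaintext, context) {
  const iv = crypto.randomBytes(12) // fresh random IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv)
  cipher.setAAD(Buffer.from(context, 'utf8'))
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()])
  // Constructed layout for this demo only: IV (12) || tag (16) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body])
}

// Hypothetical helper: returns the plaintext, or null if authentication fails.
function openField(key, sealed, context) {
  if (sealed.length < 28) return null // too short to hold IV and tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12))
  decipher.setAAD(Buffer.from(context, 'utf8'))
  decipher.setAuthTag(sealed.subarray(12, 28))
  try {
    return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()])
  } catch (e) {
    return null // wrong key, wrong context, or modified bytes
  }
}

// Constructed sample data
const key = crypto.randomBytes(32)
const email = Buffer.from('jane@example.com')
const stored = sealField(key, email, 'users:email:42')

function demo() {
  const tampered = Buffer.from(stored)
  tampered[tampered.length - 1] ^= 0x01 // flip one ciphertext bit
  return {
    sameRow: openField(key, stored, 'users:email:42')?.toString(),
    otherRow: openField(key, stored, 'users:email:43'), // moved to another record
    tampered: openField(key, tampered, 'users:email:42'),
  }
}

console.log(demo())
```

With Themis itself the same binding is obtained by passing the record identifier as the context argument shown in the snippets above, on both encrypt and decrypt.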
... learn more with Themis amazing community
Read about projects that use Themis, play with example apps and tutorials, and watch engineering talks about Themis.
Read related customer stories and engineering stories
Building security for M&A solutions: 5-years of SSDLC
Long-term cooperation with the [REDACTED] company resulted in refined security practices that matched the evolution of their B2B platform. We enabled transition from reactive "firefighting" to a proactive security posture, while simplifying security processes and building security defences.
Product security for one of the biggest African banks
When a bank launches an entirely new banking application, it necessitates a thorough mobile security assessment, diligent efforts to ensure financial transaction security and tailored fraud prevention measures.
Xaman wallet security assurance and improvements
Conducting a comprehensive security assessment of the Xaman app to ensure the robust protection of key materials, maintain cryptographic soundness, enhance application security.
Securing an ecosystem of edge ML devices
Designing and implementing security of specialised IIoT devices that run ML. Data protection, ML models protection, secure communication, fleet management, and anti-reverse engineering.
Protecting telemetry data of power grids
Protecting data signals transmitted over the air between power distribution stations and central dispatch system.
Quick migration to field level encryption of governmental data
Integrating encryption and data masking for sensitive data stored in MySQL cluster. A combination of transparent SQL encryption via AcraServer and encryption API via AcraTranslator makes Acra fit for complex solutions.
Contact us
Interested in consultancy or commercial support? Let's talk.
We can help you with building a custom cryptographic solution using Themis, designing and building end-to-end encryption or partial encryption schemes, or chatting with your engineers about the best AES mode :)