Matomo

Themis – cross-platform cryptographic library

πŸ‡ΊπŸ‡¦ We stand with Ukraine, and we stand for Ukraine. We offer free assessment and mitigation services to improve Ukrainian companies security resilience.

Cossack Labs
search
Cross-platform high-level cryptographic library

Themis

Cross-platform high-level cryptographic library

Themis helps to build simple and complex cryptographic features easily, quickly, and securely. It’s a perfect fit for multi-platform apps.

Themis hides cryptographic details and eliminates popular mistakes.

GitHubGitHub
Product sheet

4 essential building blocks

Themis provides ready-made building blocks (β€œcryptosystems”) for secure data storage, message exchange, socket connections, and authentication.

Authenticated storage encryption

Authenticated storage encryption

Secure Cell is a multi-mode cryptographic container suitable for storing anything from encrypted files to database records. Use Secure Cell to encrypt data at rest. Secure Cell is built around AES-256-GCM, AES-256-CTR.

Public key authenticated encryption

Public key authenticated encryption

Secure Message is a simple encrypted messaging solution for the widest scope of applications. Use Secure Message to send encrypted and signed data from one user to another, from client to server, to prevent MITM attacks and avoid single secret leakage. Based on ECC + ECDSA / RSA + PSS + PKCS#7.

Zero knowledge proof authentication

Zero knowledge proof authentication

Zero-knowledge proof-based protocol to compare secrets over non-trusted channels without risking leaks or reuse attacks. Use Secure Comparator for authenticating the users in a way that no password (or password hash) is sent over the network.

Session-based encryption

Session-based encryption

Secure Session is a session-oriented encrypted data exchange with forward secrecy for better security guarantees and more demanding infrastructures. Secure Session can perfectly function as socket encryption, session security, or a high-level messaging primitive (with some additional infrastructure like PKI). ECDH key agreement, ECC & AES encryption.

Join those who use Themis #

Industries and applications

  • Mobile apps
  • Fintech, banking, cryptowallets
  • SaaS platforms
  • Chats & messengers
  • Cloud data encryption
  • Documents exchange (VDR)
  • Healthcare records exchange (EHR)
  • Smart home & IoT
  • Logistics & delivery services
  • Any apps that operate on sensitive or personal data

Regulations

  • GDPR
  • DPB
  • DPA encryption requirements
  • CCPA
  • FISMA
  • HIPAA / HITECH Act
  • PCI DSS
  • PSD2
  • FFIEC
  • And others

Benefits

Available for:

React Native iOS Android
Ruby Python Php C++ Node.js Go Java Rust
WASM WebThemis
Redis Postgres

One cryptographic library that fits β€˜em all.

Themis is the best fit for multi-platform products (mobile, desktop and server-side apps) because it provides 100% compatible API and works in the same way across all supported platforms.
Perfect for client-side encryption, server-side encryption or building end-to-end encryption flows.

Discover on GitHubDiscover on GitHub

Typical usage scenarios #

Encrypt stored secrets

Encrypt stored secrets

Store secrets (API keys, session tokens, files) encrypted in your apps and backends using authenticated symmetric encryption. Use Themis with iOS Keychain and Android KeyStore.

Share data between users

Share data between users

Exchange secrets securely: share sensitive data between parties, sign messages and verify signature, build simple chat applications with encryption in transit and at rest.

Zero knowledge proofs

Zero knowledge proofs

Compare secrets between parties without revealing them by using interactive zero-knowledge proof-based protocol. Works best for authentication via insecure channels.

Field level encryption

Field level encryption

Encrypt sensitive fields before storing in the database (β€œapplication level encryption”). Use searchable encryption, data tokenisation and masking with Themis and Acra.

End-to-end encryption layer

End-to-end encryption layer

Build end-to-end encryption schemes with centralised or decentralised architecture: encrypt data locally on one app, use it encrypted everywhere, decrypt only for authenticated users.

Real-time encrypted sessions

Real-time encrypted sessions

Maintain real-time secure sessions: send encrypted messages to control connected devices via your app, receive real-time sensitive data streams from your apps to backends.

See Themis GitHub for more docs and examples.

Get started with Themis

Check Themis repository and docs for tutorials, how-tos and example apps.
Use Themis to implement application level encryption best practices.

GitHubGitHub
Documentation

Unified API for all platforms: easy to use, hard to misuse. #

Themis provides 100% interoperability across supported platforms, respects backwards compatibility and stability: your app won’t be broken because some npm package is missing.

  • import {
  symmetricKey64,
  secureCellSealWithSymmetricKeyEncrypt64,
  secureCellSealWithSymmetricKeyDecrypt64,
} from 'react-native-themis'

const message = "all your base are belong to us"
const context = ""

(async () => {
    const key64 = await symmetricKey64()
    const encrypted64 = await secureCellSealWithSymmetricKeyEncrypt64(key64, message, context)
    const decrypted = await secureCellSealWithSymmetricKeyDecrypt64(key64, encrypted64, context)
})();

  • 
import themis
            
let message = "all your base are belong to us".data(using: .utf8)!

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

let encryptionKey = TSGenerateSymmetricKey()!
let cell = TSCellSeal(key: encryptionKey)!

let encrypted = try cell.encrypt(message)
let decrypted = try cell.decrypt(encrypted)

  • 
@import themis;
                
NSString *messageString = @"all your base are belong to us";
NSData *message = [messageString dataUsingEncoding:NSUTF8StringEncoding];

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

NSData *encryptionKey = TSGenerateSymmetricKey();
TSCellSeal *cell = [[TSCellSeal alloc] initWithKey:encryptionKey];

NSError *error;
NSData *encrypted = [cell encrypt:message error:&error];
NSData *decrypted = [cell decrypt:encrypted error:&error];

  • 
import com.cossacklabs.themis.*;

byte[] message = "all your base are belong to us"
    .getBytes(StandardCharsets.UTF_8);

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

SymmetricKey encryptionKey = new SymmetricKey();
SecureCell.Seal cell = SecureCell.SealWithKey(encryptionKey);

byte[] encrypted = cell.encrypt(message);
byte[] decrypted = cell.decrypt(encrypted);

  • 
import com.cossacklabs.themis.*;

val message = "all your base are belong to us"
.toByteArray(StandardCharsets.UTF_8)

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

val encryptionKey = SymmetricKey()
val cell = SecureCell.SealWithKey(encryptionKey)

val encrypted = cell.encrypt(message)
val decrypted = cell.decrypt(encrypted)

  • 
import "github.com/cossacklabs/themis/gothemis/cell"
import "github.com/cossacklabs/themis/gothemis/keys"

message := []byte("all your base are belong to us")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

encryptionKey, err := keys.NewSymmetricKey()
scell, err := cell.SealWithKey(encryptionKey)

encrypted, err := scell.Encrypt(message, nil)
decrypted, err := scell.Decrypt(encrypted, nil)

  • 
use themis::keys::SymmetricKey;
use themis::secure_cell::SecureCell;

let message = b"all your base are belong to us";

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

let encryption_key = SymmetricKey::new();
let cell = SecureCell::with_key(&encryption_key)?.seal();

let encrypted = cell.encrypt(&message)?;
let decrypted = cell.decrypt(&encrypted)?;

  • 
from pythemis.scell import SCellSeal
from pythemis.skeygen import GenerateSymmetricKey

message = b'all your base are belong to us'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV

encryption_key = GenerateSymmetricKey()
cell = SCellSeal(key=encryption_key)

encrypted = cell.encrypt(message)
decrypted = cell.decrypt(encrypted)

  • 
require 'rbthemis'

message = 'all your base are belong to us'

# Protect message using strong encryption under the hood:
# AES-256-GCM with KDF, random salt and IV

encryption_key = Themis::gen_sym_key
cell = Themis::ScellSeal.new(encryption_key)

encrypted = cell.encrypt(message)
decrypted = cell.decrypt(encrypted)

  • 
const themis = require('jsthemis')

const message = Buffer.from("all your base are belong to us")

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

const encryptionKey = new themis.SymmetricKey()
const cell = themis.SecureCellSeal.withKey(encryptionKey)

const encrypted = cell.encrypt(message)
const decrypted = cell.decrypt(encrypted)

  • 
const themis = require('wasm-themis')

await themis.initialized

let messageString = "all your base are belong to us"
let message = new TextEncoder().encode(messageString)

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

let encryptionKey = new themis.SymmetricKey()
let cell = themis.SecureCellSeal.withKey(encryptionKey)

let encrypted = cell.encrypt(message)
let decrypted = cell.decrypt(encrypted)

  • 
#include <themispp/secure_cell.hpp>
#include <themispp/secure_keygen.hpp>

uint8_t message[] = "all your base are belong to us";

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

std::vector<uint8_t> encryption_key = themispp::gen_sym_key();
auto cell = themispp::secure_cell_seal_with_key(encryption_key);

std::vector<uint8_t> encrypted = cell.encrypt(message);
std::vector<uint8_t> decrypted = cell.decrypt(encrypted);

  • 
$message = 'all your base are belong to us';

// Protect message using strong encryption under the hood:
// AES-256-GCM with KDF, random salt and IV

$encryption_key = phpthemis_gen_sym_key();

$encrypted = phpthemis_scell_seal_encrypt($encryption_key, $message, NULL);
$decrypted = phpthemis_scell_seal_decrypt($encryption_key, $encrypted, NULL);

... learn more with Themis amazing community

Read about projects that use Themis, play with example apps and tutorials, and watch engineering talks about Themis.

[ LEARN MORE ABOUT PROJECTS THAT USE THEMIS ]

Contact us

Interested in consultancy or commercial support? Let's talk.

We can help you with building custom cryptographic solution using Themis, designing and building end-to-end encryption or partially encryption schemes, or chatting with your engineers about the best AES mode :)

Contact us

Get whitepaper

Apply for the position

Our team will review your resume and provide feedback
within 5 business days

Thank you!
We’ve received your request and will respond soon.
Your resume has been sent!
Our team will review your resume and provide feedback
within 5 business days