Themis is open-source high-level cryptographic services library for mobile and server platforms, providing secure messaging and secure data storage.
Themis provides three important cryptographic services:
Secure Message: a simple encrypted messaging solution for widest scope of applications. ECC + ECDSA / RSA + PSS + PKCS#7. Secure Session: session-oriented, forward secrecy messaging solution with better security guarantees, but more demanding infrastructure. ECDH key agreement, ECC & AES encryption. Secure Cell: a multi-mode cryptographic container, suitable for storing anything from encrypted files to database records and format-preserved strings. Secure Cell is built around AES in GCM (Token and Seal modes) and CTR (Context imprint mode).
Themis by Cossack Labs alternatives and similar libraries
Based on the "Security" category
Secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest. Visit our partner's website for more details.
Do you think we are missing an alternative of Themis by Cossack Labs or a related project?
Themis provides strong, usable cryptography for busy people
General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), Android, desktop Java, С++, Node.js, Python, Ruby, PHP, Go, Rust, WASM. Perfect fit for multi-platform apps. Hides cryptographic details. Made by cryptographers for developers 🧡
Themis is an open-source high-level cryptographic services library for mobile and server platforms that provides secure data exchange, authentication, and storage protection. Themis provides ready-made building components, which simplify usage of core cryptographic security operations.
Themis provides 4 important cryptographic services:
- Secure Cell: a multi-mode cryptographic container suitable for storing anything from encrypted files to database records and format-preserved strings. Secure Cell is built around AES-256 in GCM (Token and Seal modes) and CTR (Context imprint mode).
- Secure Message: a simple encrypted messaging solution for the widest scope of applications. Exchange the keys between the parties and you're good to go. Two pairs of underlying cryptosystems: ECC + ECDSA / RSA + PSS + PKCS#7.
- Secure Session: session-oriented encrypted data exchange with forward secrecy for better security guarantees and more demanding infrastructures. Secure Session can perfectly function as socket encryption, session security, or a high-level messaging primitive (with some additional infrastructure like PKI). ECDH key agreement, ECC & AES encryption.
- Secure Comparator: Zero knowledge-based cryptographic protocol for authentication and comparing secrets.
Easy to use, hard to misuse
Implementing cryptography in applications is often hard. Choosing cipher suites, defining key lengths, and designing key exchange schemes require plenty of particular competencies and lead to mistakes when done by applied developers.
Themis was designed to provide complicated cryptosystems in an easy-to-use infrastructure, with modern rapid development in mind:
- EASY: Themis does not require users to obsess over parameters, cipher combination, IV, salt, yet it provides high levels of security.
- DO YOUR THING: Themis allows developers to focus on the main thing: developing their applications.
- BEST PRACTICE: Themis is based on the best modern practices in implementing complicated security systems.
Themis relies on the best available open-source implementations of cryptographic primitives (ciphers).
Install from package managers
The easiest way to install Themis is to use package repositories for your OS and language. Package repositories contain stable versions of Themis, prebuilt and packaged for the most widely-used systems.
Installation for server-side platforms (like Debian, Ubuntu, CentOS, macOS) consists of two parts: installing Themis Core library into the system and installing Themis language wrapper to use from your application. Refer to the Installation guide.
Installation for mobile platforms (iOS, Android) and WebAssembly is easier: just use package manager popular on this platform. Refer to the Installation guide.
Install from sources
If you need the latest development version of Themis or your system is not supported yet, you can build and install Themis from GitHub source code.
Themis is available for the following languages/platforms:
|🔶 Swift (iOS, macOS)||Swift Howto||docs/examples/swift|
|📱 Objective-C (iOS, macOS)||Objective-C Howto||docs/examples/objc|
|☕️ Java (Desktop)||Java & Android Howto||Java projects|
|☎️ Java (Android)||Java & Android Howto||Android projects|
|♦️ Ruby||Ruby Howto||docs/examples/ruby|
|🐍 Python||Python Howto||docs/examples/python|
|🐘 PHP||PHP Howto||docs/examples/php|
|➕ C++||CPP Howto||docs/examples/c++|
|🍭 Node.js||Node.js Howto||docs/examples/js|
|🖥 WebAssembly||WASM Howto||docs/examples/js|
|🐹 Go||Go Howto||docs/examples/go|
|🦀 Rust||Rust Howto||docs/examples/rust|
|🕸 С++ PNaCl for Google Chrome||WebThemis project|
Want to jump straight to the documentation? Please head over here.
Themis-based plugins are built to enable Themis' features across various platforms and products:
Themis supports the following architectures: x86/x64, armv*, various Android architectures.
It is checked to compile on the latest stable versions of:
- Debian (8, 9), CentOS 7, Ubuntu (16.04, 18.04),
- macOS (10.12 – 10.15),
- Android (4 - 10) / CyanogenMod 11+,
- iOS (9 - 13),
- Windows (MSYS2, experimental feature).
We plan to expand this list with a broader set of platforms. If you'd like to help improve or bring Themis to your favourite platform / language — [get in touch](email@example.com).
As long as it remains feasible, we'll be accumulating the list of all our tutorials on how to use Themis in different cases here:
Building end-to-end encrypted notes in Bear app: real-world story on helping Bear.app to implement note encryption for their vast existing user base.
Building end-to-end encrypted Firebase-based application for note sharing: build a bullet-proof application for when using backend-as-a-service which can't be fully trusted.
Key management basics for iOS illustrates numerous ways to store keys (API tokens, user passwords) using obfuscation and encryption techniques.
Building encrypted chat service with Themis and mobile websocket example, which outlines the stages necessary for building an encrypted chat service around Ruby websocket server with clients in iOS and Android. GitHub repository with the accompanying code.
During the development stage, we frequently do Proof-of-Concept projects to test different assumptions. They serve as interesting demos (examples) of what Themis is capable of:
|0fc||Anonymous web chat* Python* webthemis (C++ + HTML/JS)||repo||blog post|
|Sesto||Secure storage* Python* webthemis (C++ + HTML/JS)||repo||blog post|
|Swift Alps demo||Secure communication (iOS app with Python server based on Secure Session)* Swift* Python||repo||slides|
|Zero-Knowledge Architecturesworkshop||iOS app for storing and sharing encrypted notes stored in Firebase database* Swift||repo|
|Java andAndroid examples||A set of handy examples that show how to encrypt data for storing (Themis Secure Cell) or for sending it to peers (Themis Secure Message and Themis Secure Session)* Java||repo|
|Android secure storage library||SecureStorage is used for keeping private information in a safe mode without requiring a password or a fingerprint * Java* Kotlin||repo|
If you'd like to experiment with Themis in a more interactive environment, check out Themis Server interactive debugging environment for Themis. Themis Server can verify and decrypt the code encrypted by Secure Cell or Secure Message and provides a fully-functional backend for Secure Session. Examples for many languages are available in docs/examples/Themis-server.
Documentation Server for Themis contains the ever-evolving official documentation, which covers everything from deployment guidelines to use cases, with brief explanations of cryptosystems and architecture behind the main Themis library.
This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations, and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.
The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this distribution make it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
Submitting apps to the App Store
If you’re using Themis as your means of encryption within your iOS/macOS app that you’re submitting to the App Store, your encryption falls under the “open source” exception (although if your app is not open source/distributed free of charge, we strongly recommend that you seek legal advice).
Themis is a free cryptographic library that builds on the existing, community-tested cryptographic instruments (OpenSSL, LibreSSL, BoringSSL, depending on the target platform). It is open source and Apache 2-licensed, with its full source code publicly available online on GitHub.
This means that you should indicate that you’re using encryption and only submit annual self-classification reports (use this handy table to self-check). Read more about Apple regulations on cryptography and check Apple docs.
Each change in Themis core library is being reviewed and approved by our internal team of cryptographers and security engineers. For every release, we perform internal audits by cryptographers who don't work on Themis.
We use a lot of automated security testing, i.e. static code analysers, fuzzing tools, memory analysers, unit tests (per each platform), integration tests (to find compatibility issues between different Themis-supported languages, OS and x86/x64 architectures). Read more about our security testing practices in a blog post.
If you believe that you've found a security-related issue, please drop us an email to firstname.lastname@example.org. Bug bounty program may apply.
Themis is recommended by OWASP as data encryption library for mobile platforms.
<!-- TODO: re-link into internal "Projects the use Themis" page instead of blog post -->
Want to be featured on our blog and on the list of contributors, too? Write us about the project you’ve created using Themis!
Contributing to us
Supporting Themis for all these numerous platforms is hard work, but we try to do our best to make using Themis convenient for everyone. Most issues that our users encounter are connected with the installation process and dependency management. If you face any challenges, please let us know.
At Cossack Labs, we offer professional support services for Themis and applications using Themis.
This support includes, but is not limited to the library integration, with a focus on web and mobile applications; designing and building end-to-end encryption schemes for mobile applications; security audits, for in-house library integrations or high-level protocol; custom application development that requires cryptography; consulting and training services.
To talk to the business wing of Cossack Labs Limited, drop us an email to email@example.com.
*Note that all licence references and agreements mentioned in the Themis by Cossack Labs README section above are relevant to that project's source code only.