Skip to main content
BlindCast is a toolkit for building zero-knowledge encrypted video into your application. Video is encrypted before it leaves the creator’s device, stored as opaque bytes on your CDN, and decrypted only inside the viewer’s browser — your server never sees plaintext content.

What you get

Player

Drop-in encrypted HLS playback for any web app. Single import, attach to a video element, point at your key server. 10 lines of code.

CLI

One command-line tool for everything server-side. Generate keys, encrypt HLS segments, upload to S3, and run a local dev server. npx @blindcast/cli.

Uploader

Browser-side upload SDK for web apps where end users upload video. Encrypts in the browser, uploads to S3 via presigned URLs. One function call.

Key Server

Reference key server as a Docker image. Pull, configure, run. Handles key derivation, authentication, leases, and presigned URLs.

How it fits together

  • Creator side: The CLI (server-side) or Uploader (browser-side) encrypts HLS segments and uploads them to S3.
  • Key Server: Derives per-content encryption keys from a single master key. Authenticates viewers before issuing keys.
  • Viewer side: The Player fetches the manifest from your CDN, gets the content key from the key server, and decrypts each segment in the browser.
The server stores and serves only encrypted bytes. It cannot decrypt the video — even if your storage is compromised, the content remains protected.

Who uses what

Your roleStart here
Evaluating BlindCastQuick Start — see encrypted playback in ~10 minutes
Frontend engineer adding a playerPlayer docscreatePlayer() in 10 lines
Backend engineer encrypting videoCLI docsblindcast encrypt and blindcast upload
Frontend engineer adding uploadUploader docs — single upload() function
DevOps deploying to productionKey Server docsdocker run blindcast/keyserver
Ready to see it in action? Quick Start →