This tutorial walks you through the entire BlindCast pipeline — from generating keys to playing encrypted video in your browser. No prior setup required.
Want the fastest path? If you have Docker, use the BlindCast Server — a single docker compose up gives you key derivation, content registry, presigned uploads, and an admin dashboard. The tutorial below uses the CLI for a step-by-step walkthrough.
Step 1: Install the CLI
Step 2: Create a sample project
This creates a directory with sample HLS segments, a player page, and a .env.example file. See blindcast init for details.
Step 3: Generate keys
This creates a .env file with BLINDCAST_MASTER_KEY and BLINDCAST_SALT, then loads them into your shell. See blindcast keygen for details.
In production, store these in a secret manager. For this tutorial, a local .env file is fine.
Step 4: Encrypt the segments
The encrypted segments and rewritten manifest are in ./segments/encrypted/. The original segments are untouched.
Step 5: Start the key server
In one terminal:
The key server derives content keys from your master key and serves them to the player. See blindcast serve.
Step 6: Play the video
In a second terminal, serve the files and open the player:
Open http://localhost:3000/player.html in your browser. You should see the sample video playing — decrypted in real-time inside the browser.
What just happened?
blindcast encrypt encrypted each .ts segment with AES-128-CBC and injected EXT-X-KEY tags into the manifest
blindcast serve started a key server that derives content keys from your master key using HKDF
- The player (in
player.html) fetched the manifest, requested the content key from the key server, and decrypted each segment in the browser
- Your server (the static file server and key server) never saw the plaintext video — only encrypted bytes
Next steps