Skip to main content
This tutorial walks you through the entire BlindCast pipeline — from generating keys to playing encrypted video in your browser. No prior setup required.

Step 1: Install the CLI

npm install -g @blindcast/cli

Step 2: Create a sample project

blindcast init my-first-video
cd my-first-video
This creates a directory with sample HLS segments, a player page, and a .env.example file. See blindcast init for details.
my-first-video/
├── segments/
│   ├── manifest.m3u8
│   ├── seg-0.ts
│   ├── seg-1.ts
│   └── seg-2.ts
├── player.html
└── .env.example

Step 3: Generate keys

blindcast keygen > .env
source .env
This creates a .env file with BLINDCAST_MASTER_KEY and BLINDCAST_SALT, then loads them into your shell. See blindcast keygen for details.
In production, store these in a secret manager. For this tutorial, a local .env file is fine.

Step 4: Encrypt the segments

blindcast encrypt ./segments --content-id demo-001
Encrypting 3 segments in ./segments...
  [100%] 3/3 segments encrypted
Manifest rewritten with EXT-X-KEY tags.
Output: ./segments/encrypted/
The encrypted segments and rewritten manifest are in ./segments/encrypted/. The original segments are untouched.

Step 5: Start the key server

In one terminal:
blindcast serve
BlindCast key server running on http://localhost:4100
The key server derives content keys from your master key and serves them to the player. See blindcast serve.

Step 6: Play the video

In a second terminal, serve the files and open the player:
npx serve .
Open http://localhost:3000/player.html in your browser. You should see the sample video playing — decrypted in real-time inside the browser.

What just happened?

  1. blindcast encrypt encrypted each .ts segment with AES-128-CBC and injected EXT-X-KEY tags into the manifest
  2. blindcast serve started a key server that derives content keys from your master key using HKDF
  3. The player (in player.html) fetched the manifest, requested the content key from the key server, and decrypted each segment in the browser
  4. Your server (the static file server and key server) never saw the plaintext video — only encrypted bytes

Next steps

What you want to doGo to
Add the player to your web appPlayer docs
Upload encrypted video to S3blindcast upload
Add browser-side upload to your appUploader docs
Deploy a production key serverKey Server docs
Go to productionProduction Checklist