Skip to main content
This tutorial walks you through the entire BlindCast pipeline — from generating keys to playing encrypted video in your browser. No prior setup required.
Want the fastest path? If you have Docker, use the BlindCast Server — a single docker compose up gives you key derivation, content registry, presigned uploads, and an admin dashboard. The tutorial below uses the CLI for a step-by-step walkthrough.

Step 1: Install the CLI

Step 2: Create a sample project

This creates a directory with sample HLS segments, a player page, and a .env.example file. See blindcast init for details.

Step 3: Generate keys

This creates a .env file with BLINDCAST_MASTER_KEY and BLINDCAST_SALT, then loads them into your shell. See blindcast keygen for details.
In production, store these in a secret manager. For this tutorial, a local .env file is fine.

Step 4: Encrypt the segments

The encrypted segments and rewritten manifest are in ./segments/encrypted/. The original segments are untouched.

Step 5: Start the key server

In one terminal:
The key server derives content keys from your master key and serves them to the player. See blindcast serve.

Step 6: Play the video

In a second terminal, serve the files and open the player:
Open http://localhost:3000/player.html in your browser. You should see the sample video playing — decrypted in real-time inside the browser.

What just happened?

  1. blindcast encrypt encrypted each .ts segment with AES-128-CBC and injected EXT-X-KEY tags into the manifest
  2. blindcast serve started a key server that derives content keys from your master key using HKDF
  3. The player (in player.html) fetched the manifest, requested the content key from the key server, and decrypted each segment in the browser
  4. Your server (the static file server and key server) never saw the plaintext video — only encrypted bytes

Next steps