Data flow
Key hierarchy
All encryption keys derive from a single master key with HKDF-SHA-256. You store and protect one secret; everything else is derived deterministically from it.

- Master key: generated once with `blindcast keygen`. Stored in a secret manager; the CLI and the key server use it to derive the keys below. Never sent to browsers.
- Content key: derived per `contentId`. The key server issues it to authenticated viewers.
- Segment key (optional): derived per epoch for key rotation. The manifest carries a new `EXT-X-KEY` tag every N segments, so a key issued for one epoch does not decrypt segments from a later one.

Because the derivation is deterministic, anyone holding the master key can reproduce every content and segment key. Epoch rotation bounds what a leaked content or segment key unlocks; it does nothing for a leaked master key, which is why that one secret stays off browsers and in the secret manager.
What each tool does
| Tool | Responsibility | Runs on |
|---|---|---|
| CLI | Generate keys, encrypt segments, upload to S3, run dev server | Your machine or CI |
| Uploader | Encrypt segments in-browser, upload via presigned URLs | Creator’s browser |
| Key Server | Authenticate viewers, derive and serve content keys | Docker container or Cloudflare Worker |
| Player | Fetch manifest, get key, decrypt segments, render video | Viewer’s browser |
Next steps
- Quick Start — see encrypted playback in ~10 minutes
- Zero-Knowledge Explained — understand the trust model