Table of Contents
Encrypt/decrypt anything in the browser using streams on background threads.
Quickly and efficiently decrypt remote resources in the browser. Display the files in the DOM, or download them with conflux.
| .decrypt | .encrypt | .saveZip |
Chrome | ✅ | ✅ | ✅ |
Edge >18 | ✅ | ✅ | ✅ |
Safari ≥14.1 | ✅ | ✅ | ✅ |
Firefox ≥102 | ✅ | ✅ | ✅ |
Safari <14.1 | 🐢 | 🐢 | 🟡 |
Firefox <102 | 🐢 | 🐢 | 🟡 |
Edge 18 | ❌ | ❌ | ❌ |
✅ = Full support with workers
🐢 = Uses main thread (lacks native WritableStream support)
🟡 = 32 MiB limit
❌ = No support
Importing Penumbra
With Yarn/NPM
yarn add @transcend-io/penumbra
npm install --save @transcend-io/penumbra
import { penumbra } from '@transcend-io/penumbra';
Vanilla JS
<script src="lib/main.penumbra.js"></script>
Check out this guide for asynchronous loading.
uses RemoteResource descriptors to specify where to request resources and their various decryption parameters.
type RemoteResource = {
url: string;
mimetype?: string;
filePrefix?: string;
decryptionOptions?: PenumbraDecryptionInfo;
path?: string;
requestInit?: RequestInit;
lastModified?: Date;
size?: number;
Fetch and decrypt remote files.
penumbra.get(...resources: RemoteResource[]): Promise<PenumbraFile[]>
Encrypt files.
penumbra.encrypt(options: PenumbraEncryptionOptions, ...files: PenumbraFile[]): Promise<PenumbraEncryptedFile[]>
type PenumbraEncryptionOptions = {
key: string | Buffer;
.encrypt() examples:
Encrypt an empty stream:
size = 4096 * 128;
addEventListener('penumbra-progress', (e) => console.log(e.type, e.detail));
addEventListener('penumbra-complete', (e) => console.log(e.type, e.detail));
file = penumbra.encrypt(null, {
stream: new Response(new Uint8Array(size)).body,
data = [];
file.then(async ([encrypted]) => {
console.log('encryption complete');
data.push(new Uint8Array(await new Response(;
Encrypt and decrypt text:
const te = new self.TextEncoder();
const td = new self.TextDecoder();
const input = '[test string]';
const buffer = te.encode(input);
const { byteLength: size } = buffer;
const stream = new Response(buffer).body;
const options = null;
const file = {
const [encrypted] = await penumbra.encrypt(options, file);
const decryptionInfo = await penumbra.getDecryptionInfo(encrypted);
const [decrypted] = await penumbra.decrypt(decryptionInfo, encrypted);
const decryptedData = await new Response(;
const decryptedText = td.decode(decryptedData);
console.log('decrypted text:', decryptedText);
Get decryption info for a file, including the iv, authTag, and key. This may only be called on files that have finished being encrypted.
penumbra.getDecryptionInfo(file: PenumbraFile): Promise<PenumbraDecryptionInfo>
Decrypt files.
penumbra.decrypt(options: PenumbraDecryptionInfo, ...files: PenumbraEncryptedFile[]): Promise<PenumbraFile[]>
const te = new TextEncoder();
const td = new TextDecoder();
const data = te.encode('test');
const { byteLength: size } = data;
const [encrypted] = await penumbra.encrypt(null, {
stream: data,
const options = await penumbra.getDecryptionInfo(encrypted);
const [decrypted] = await penumbra.decrypt(options, encrypted);
const decryptedData = await new Response(;
return td.decode(decryptedData) === 'test';
Save files retrieved by Penumbra. Downloads a .zip if there are multiple files. Returns an AbortController that can be used to cancel an in-progress save stream. PenumbraFile[], fileName?: string): AbortController
Load files retrieved by Penumbra into memory as a Blob.
penumbra.getBlob(data: PenumbraFile[] | PenumbraFile | ReadableStream, type?: string): Promise<Blob>
Get file text (if content is text) or URI (if content is not viewable).
penumbra.getTextOrURI(data: PenumbraFile[]): Promise<{ type: 'text'|'uri', data: string, mimetype: string }[]>
Save a zip containing files retrieved by Penumbra.
type ZipOptions = {
name?: string;
size?: number;
files?: PenumbraFile[];
controller?: AbortController;
allowDuplicates: boolean;
compressionLevel?: number;
saveBuffer?: boolean;
onProgress?(event: CustomEvent<ZipProgressDetails>): void;
onComplete?(event: CustomEvent<{}>): void;
penumbra.saveZip(options?: ZipOptions): PenumbraZipWriter;
interface PenumbraZipWriter extends EventTarget {
write(...files: PenumbraFile[]): Promise<number>;
close(): Promise<number>;
abort(): void;
getBuffer(): Promise<ArrayBuffer>;
getFiles(): string[];
getSize(): Promise<number>;
type ZipProgressDetails = {
percent: number | null;
written: number;
size: number | null;
const files = [
url: '',
name: 'tortoise.jpg',
mimetype: 'image/jpeg',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'ELry8dZ3djg8BRB+7TyXZA==',
const writer = penumbra.saveZip();
await writer.write(...(await penumbra.get(...files)));
await writer.close();
Configure the location of Penumbra's worker threads.
penumbra.setWorkerLocation(location: WorkerLocationOptions | string): Promise<void>
Display encrypted text
const decryptedText = await penumbra
url: '',
mimetype: 'text/plain',
filePrefix: 'NYT',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'gadZhS1QozjEmfmHLblzbg==',
.then((file) => penumbra.getTextOrURI(file)[0])
.then(({ data }) => {
document.getElementById('my-paragraph').innerText = data;
Display encrypted image
const imageSrc = await penumbra
url: '',
filePrefix: 'tortoise',
mimetype: 'image/jpeg',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'ELry8dZ3djg8BRB+7TyXZA==',
.then((file) => penumbra.getTextOrURI(file)[0])
.then(({ data }) => {
document.getElementById('my-img').src = data;
Download an encrypted file
url: '',
filePrefix: 'africa',
mimetype: 'image/jpeg',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'ELry8dZ3djg8BRB+7TyXZA==',
.then((file) =>;
Download many encrypted files
url: '',
filePrefix: 'africa',
mimetype: 'image/jpeg',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'ELry8dZ3djg8BRB+7TyXZA==',
url: '',
mimetype: 'text/plain',
filePrefix: 'NYT',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'gadZhS1QozjEmfmHLblzbg==',
url: '',
filePrefix: 'tortoise',
mimetype: 'image/jpeg',
.then((files) =>{ data: files, fileName: 'example' }));
Prepare connections for file downloads in advance
const resources = [
url: '',
filePrefix: 'NYT',
mimetype: 'text/plain',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'gadZhS1QozjEmfmHLblzbg==',
url: '',
filePrefix: 'tortoise',
mimetype: 'image/jpeg',
decryptionOptions: {
key: 'vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=',
iv: '6lNU+2vxJw6SFgse',
authTag: 'ELry8dZ3djg8BRB+7TyXZA==',
Encrypt/Decrypt Job Completion Event Emitter
You can listen to encrypt/decrypt job completion events through the penumbra-complete
({ detail: { id, decryptionInfo } }) => {
`finished encryption job #${id}%. decryption options:`,
Progress Event Emitter
You can listen to download and encrypt/decrypt job progress events through the penumbra-progress
({ detail: { percent, id, type } }) => {
console.log(`${type}% ${percent}% done for ${id}`);
Note: this feature requires the Content-Length
response header to be exposed. This works by adding Access-Control-Expose-Headers: Content-Length
to the response header (read more here and here)
On Amazon S3, this means adding the following line to your bucket policy, inside the <CORSRule>
Configure worker location
base: '/penumbra-workers/',
penumbra: 'worker.penumbra.js',
StreamSaver: 'StreamSaver.js',
penumbra.setWorkerLocation({ penumbra: 'worker.penumbra.js' });
Waiting for the penumbra-ready
<script src="lib/main.penumbra.js" async defer></script>
const onReady = async ({ detail: { penumbra } } = { detail: self }) => {
await penumbra.get(...files).then(;
if (!self.penumbra) {
self.addEventListener('penumbra-ready', onReady);
} else {
Querying Penumbra browser support
You can check if Penumbra is supported by the current browser by comparing penumbra.supported(): PenumbraSupportLevel
with penumbra.supported.levels
if (penumbra.supported() > penumbra.supported.levels.possible) {
enum PenumbraSupportLevel {
none = -0,
possible = 0,
size_limited = 1,
full = 2,
Penumbra is compiled and bundled on npm. The recommended use is to copy in the penumbra build files into your webpack build.
We do this with copy-webpack-plugin
const fs = require('fs');
const CopyPlugin = require('copy-webpack-plugin');
const path = require('path');
const PENUMBRA_DIRECTORY = path.join(
module.exports = {
plugins: [
new CopyPlugin({
patterns: fs.readdirSync(PENUMBRA_DIRECTORY)
.filter((fil) => fil.indexOf('.') > 0)
.map((fil) => ({
from: `${PENUMBRA_DIRECTORY}/${fil}`,
to: `${outputPath}/${fil}`,
yarn build
yarn test:local
yarn test:interactive
![FOSSA Status](