SDKs
The Encrypt pillar of the deniability infrastructure. Native deniable encryption in TypeScript, Rust, Go, and Python. Apache 2.0, cross-compatible wire format, zero copyleft. npm install deny-sh, cargo add deny-sh, pip install deny-sh, or go get github.com/deny-sh-crypto/deny-go. No HTTP dependency.
Node.js / TypeScript
The reference implementation. The SDK runtime imports only node:crypto (built-in) and ships as a single 8.4 KB module with zero third-party runtime dependencies on the encrypt / decrypt / deny code path.
# Install
$ npm install deny-sh
# Usage
import { encrypt, decrypt, generateDeniableControl } from 'deny-sh';
const ct = encrypt(plaintext, { password1, password2, controlData });
const msg = decrypt(ct.ciphertext, { password1, password2, controlData });
const fake = generateDeniableControl(ct.ciphertext, password1, password2, fakePlaintext);
Note on the npm package layout. The deny-sh npm package ships the SDK plus optional CLI, Telegram bot, and server tooling in one repository so that npx deny-sh works from a fresh install. Those optional sub-packages have their own dependencies (see the dependencies field in package.json); they are loaded only when you run the CLI or bot binary, not when you import the SDK from your application code. Tree-shaking bundlers (esbuild, Vite, webpack) will leave them out of your final bundle.
Python
pycryptodome for AES, stdlib hashlib for scrypt. Algorithm-compatible with the TypeScript SDK. 59 tests.
# Install
$ pip install deny-sh
# Source: github.com/deny-sh-crypto/deny-python
# Usage
from deny_sh import encrypt, decrypt, generate_deniable_control
ct, control = encrypt(b"seed phrase", "pw1", "pw2")
msg = decrypt(ct, "pw1", "pw2", control)
fake_ctrl = generate_deniable_control(ct, "pw1", "pw2", b"decoy seed")
Go
golang.org/x/crypto for scrypt, stdlib crypto/aes for AES-CTR. Algorithm-compatible with the TypeScript and Python SDKs. 25 tests.
# Install
$ go get github.com/deny-sh-crypto/deny-go
# Source: github.com/deny-sh-crypto/deny-go
# Usage
import denysh "github.com/deny-sh-crypto/deny-go"
ct, ctrl, _ := denysh.Encrypt([]byte("seed phrase"), "pw1", "pw2", nil)
msg, _ := denysh.Decrypt(ct, "pw1", "pw2", ctrl)
fakeCtrl, _ := denysh.GenerateDeniableControl(ct, "pw1", "pw2", []byte("decoy seed"))
Rust
aes, ctr, scrypt, and sha2 crates. No unsafe code. Algorithm-compatible with the TypeScript SDK. 29 tests.
# Install
[dependencies]
deny-sh = "0.1"
# Source: github.com/deny-sh-crypto/deny-rs
# Usage
use deny_sh::{encrypt, decrypt, generate_deniable_control};
let (ct, ctrl) = encrypt(b"seed phrase", "pw1", "pw2", None).unwrap();
let msg = decrypt(&ct, "pw1", "pw2", &ctrl).unwrap();
let fake_ctrl = generate_deniable_control(&ct, "pw1", "pw2", b"decoy seed").unwrap();
Algorithm parity
All SDKs implement the same algorithm. A file encrypted with the Python SDK can be decrypted with Go or Rust. The ciphertext format is identical: salt(32) + iv(16) + AES-256-CTR(scrypt-derived key, LE32(plaintext_length) || plaintext XOR control_data).
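The control-data layer of that format, as an added Python illustration (not code from the deny-sh SDKs; all function names are hypothetical). It assumes the XOR covers the whole framed payload, i.e. (LE32(plaintext_length) || plaintext) XOR control_data, that shorter decoys are zero-padded, and that the salt / iv / AES-256-CTR layer has already been removed:

```python
import os
import struct

# Assumption: the XOR covers the whole framed payload; shorter decoys are zero-padded.

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def frame(plaintext: bytes, size: int) -> bytes:
    """LE32(len) || plaintext, zero-padded to `size` bytes."""
    framed = struct.pack("<I", len(plaintext)) + plaintext
    if len(framed) > size:
        raise ValueError("plaintext does not fit in the payload")
    return framed.ljust(size, b"\x00")

def mask(plaintext: bytes, control: bytes) -> bytes:
    """Payload that AES-256-CTR would then encrypt."""
    return xor(frame(plaintext, len(control)), control)

def unmask(inner: bytes, control: bytes) -> bytes:
    """Recover the plaintext that `control` selects from the AES-decrypted payload."""
    if len(control) != len(inner) or len(inner) < 4:
        raise ValueError("control data length does not match payload")
    framed = xor(inner, control)
    (length,) = struct.unpack("<I", framed[:4])
    if length > len(framed) - 4:
        raise ValueError("length prefix out of range (wrong control data?)")
    return framed[4:4 + length]

def deniable_control(inner: bytes, decoy: bytes) -> bytes:
    """Control data under which the same payload decodes to `decoy`."""
    return xor(inner, frame(decoy, len(inner)))

def demo():
    real = b"seed phrase"                  # constructed sample input
    control = os.urandom(4 + len(real))    # random pad, same size as the frame
    inner = mask(real, control)            # never changes after this point
    fake_control = deniable_control(inner, b"decoy seed")
    return unmask(inner, control), unmask(inner, fake_control)

if __name__ == "__main__":
    print(demo())
```

Under these assumptions the payload length is fixed by the real plaintext, so a decoy can be shorter but never longer.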
Every SDK is Apache 2.0. Free for commercial and proprietary use. See /licensing for the application-layer split.