Capsule
An open standard for secure, client-side article encryption
Easy & Fast
Simple integration with any web stack. Pre-encrypt content at build time, decrypt instantly in the browser.
Secure by Design
Uses Web Crypto API with envelope encryption. Private keys never leave the browser, stored with extractable: false.
Open Standard
Language-agnostic specification. Implement in any language: Node.js, PHP, Python, or Go.
No Dependencies
Works independently of CMS, authentication, or permission systems. Pure encryption, nothing else.
How It Works
Capsule implements Delegated Content Access (DCA), a delegation protocol that separates content encryption (publisher) from access control (issuer). Publishers seal keys with ECDH P-256; issuers unseal them only when access is granted.
Publisher Encrypts
Content encrypted with AES-256-GCM. Keys sealed per issuer using ECDH P-256, with signed integrity proofs.
Embed in HTML
DCA data and sealed content embedded in inert template elements. Works with caching and CDNs.
Issuer Unlocks
Client sends sealed keys to the issuer. Keys returned via client-bound transport: RSA-OAEP wrapped with the browser's public key.
Decrypt Locally
Browser unwraps keys with its non-extractable private key stored in IndexedDB, then decrypts content locally.
Client-Bound Key Management
Capsule extends DCA with client-bound transport: each browser generates an RSA-OAEP key pair with the private key marked extractable: false. Unsealed keys are RSA-wrapped before leaving the issuer, so no readable key material ever crosses the network. Non-extractable keys prevent raw export of the private key, though injected scripts could still invoke crypto operations in-session. Pair this with a strict Content-Security-Policy and trusted-content practices to limit the attack surface further.
Read more in the DCA specification.