Encrypted Apache Parquet. Read it in the browser. Never uploaded.
Signet Forge is the post-quantum-ready, encrypted-Parquet companion library to Signet Core — a C++20 engine with a WebAssembly build that decodes and decrypts Parquet entirely client-side. It powers per-column encryption across Signet Lake, signing-trace embedding for Signet AI Governance, and tamper-evident columnar audit trails for the platform.
The demo below is the production WebAssembly build, served from the Signet Forge repository's GitHub Pages site. Your files never leave your machine — the decrypt and decode happen entirely client-side.
Your file stays in your browser — but your AES-256 key is yours alone to manage. If you lose it, the file is unrecoverable. That is the crypto-shred guarantee, not a bug. Save the key into a password manager before closing the terminal you generated it in, and make sure the AAD prefix you type into the demo matches the one used at encrypt time exactly. The full safety brief is below the demo.
Demo hosted at https://signetstack.github.io/SIGNET_FORGE/demo/. If the iframe is blocked in your environment, open it in a new tab.
Concrete proofs you can run today — each one ends in your browser, with no server roundtrip.
Drag a .csv onto the demo. A panel opens, generates a fresh AES-256 key for you (via crypto.getRandomValues), takes an AAD prefix, and the Encrypt & download .parquet button writes an encrypted Parquet straight back to your machine. A one-click Decrypt it here to verify button then re-feeds it through the decryption path with the same key + AAD pre-filled — closing the round trip without leaving the page.
Already have an encrypted Parquet? Tick Encrypted file (AES-256 PME), paste a footer key (64 hex chars) and optional column key, then drop the file. From there: Download .parquet saves the original bytes (encrypted files stay encrypted — safe to forward), and Download CSV / Download JSON export the decrypted rows. All client-side, no network round-trip.
Open the encrypted-file flow →One drop loads the bundled sample.parquet from the demo, or any Parquet from your machine — schema, row groups and a paged preview render in under a second; nothing leaves your browser.
Signet Forge gives you real cryptographic guarantees. That cuts both ways: when the system says a file is unrecoverable, it really is. These are the seven things every user should know before encrypting their first file.
Use openssl rand -hex 32 (or your platform's equivalent) for every file. Hand-typed or guessable keys collapse AES-256 to whatever your imagination is — usually a few bits of real entropy.
When you run KEY=$(openssl rand -hex 32), that 64-character hex string only exists in your shell's environment. Close the tab without copying it into a password manager (1Password, Bitwarden, pass) and the file becomes permanently unreadable. That is by design — it is the crypto-shred guarantee, not a bug.
If you encrypted with --aad-prefix "mydata-2026-05-31", you must type that exact string into the demo's AAD field. A capital letter, a missing dash, an extra space — any difference makes the GCM tag fail to verify, and there is no recovery path.
The demo keeps your file in the browser — no upload, no server, no telemetry — but the device itself still sees the plaintext after decryption. Don't use shared kiosks, active screen-sharing sessions, or machines with cross-device clipboard sync turned on while you paste keys.
Treat an AES-256 key the way you'd treat a password: send it through a password-manager share, a Signal / age / GPG-encrypted channel, or a vault — never inline in a message that gets logged, indexed or back-up-synced in plaintext.
The hosted demo loads its JS and WebAssembly from this site for convenience. For regulated PII / financial / health data, build the CLI or library locally with -DSIGNET_ENABLE_COMMERCIAL=ON so the entire compile, key-handling and storage surface stays inside your trust boundary.
The Download .parquet button is a passthrough — it writes the exact bytes you uploaded. An encrypted file stays encrypted on disk and is safe to email, attach or upload to shared storage. But sharing the file does not share the key — the recipient still needs the footer key, optional column key, and the same AAD prefix to decrypt. Send those separately, through a different channel.
Found a real cryptographic or implementation issue? Use the coordinated-disclosure path in SECURITY.md on the Forge repository — please don't open a public issue.
The browser demo above handles single-file, interactive use. For scripted pipelines, batch jobs, or anything you want under version control, the signet_cli binary gives you the same encrypted round trip on the command line.
cd /path/to/SIGNET_FORGE
cmake --preset release -DSIGNET_ENABLE_COMMERCIAL=ON
cmake --build --preset release --target signet_cli
# binary at build/signet_cliKEY=$(openssl rand -hex 32)
echo $KEY # SAVE THIS to a password manager NOW./build/signet_cli convert mydata.csv mydata.parquet \
--encrypt \
--footer-key $KEY \
--column-key $KEY \
--aad-prefix "mydata-YYYY-MM-DD"$KEY into both the footer and column key fields, type the exact same AAD prefix, then drop the .parquet file. Decryption happens entirely in your browser.-DSIGNET_ENABLE_COMMERCIAL=ON turns it on for your local build only — it does not change the licence of the repository or your obligations under it. See LICENSE_COMMERCIAL on the Forge repository for commercial-use terms. (The hosted WebAssembly demo is already built with the commercial flag — you don't need it for the in-browser flow above.)Modular column-level encryption (PME) layered on Apache Parquet — encrypt some columns, leave others in the clear, decrypt with the keys you control.
AES-256-GCM today, with a clean migration path to NIST-standardized post-quantum primitives (ML-KEM, ML-DSA) — so records you write today survive the quantum era.
A WebAssembly build runs the decrypt+decode path entirely client-side: the file never leaves the user's machine — no upload, no server, no telemetry.
C++20 core, no Apache Arrow or third-party Parquet runtime — every byte that touches your data is in this one repo, auditable end-to-end.
Footer KeyValue metadata carries signing traces, lineage tokens and policy IDs end-to-end — the file is the record of record.
Source-available under the Forge Source-Available License for inspection; commercial terms for production use — see the repo.