How can I encrypt JavaScript code so that it's not decryptable?

Question

I have some JavaScript code I need to encrypt, but I want to be sure no one can decrypt it.

What tools can I use to do this?

-- Edit --

Answer 1

This is exactly DRM: you're giving the user a lock, and also the key to it, and expecting to be able to say what they can do with it.

It's theoretically impossible: if their computer can execute the code, it has to be unencrypted there.

It's practically impossible, too: look at everybody watching DVDs on Linux boxes to see how successful you can be.

Answer 2

Microsoft used to provide Script Encoder to encode your JavaScript (and ASP and VBScript etc.) but the encoded script only worked in Internet Explorer so it was a big no-no (link)

Nowadays only obfuscation is an option. But you can break any obfuscation with tools like the Online JavaScript Beautifier so your out of luck. You can minimize and you can obfuscate but you truly can't hide what you are doing.

The best minimizer/obfuscator is probably Google Closure Compiler - it's very advanced and might turn your code into something very hardly understandable.

Answer 3

While not actually encrypted, Yahoo's YUI Compressor will compress and obfuscate your JavaScript for normal use and provides better compression that JSMin.

Answer 4

What you want is theoretically and practically impossible. People will tell you here that it is not possible and you might think "Well, that's because nobody has tried hard enough". No. It's impossible in the same way that calculating the nth prime number in linear or constant time is impossible. It's impossible in the same way that the halting problem is impossible to solve. "What do you mean 2+2 doesn't equal five? You're not trying hard enough!"

Not only is it impossible though, but the motivations for wanting this sort of thing are normally pretty misguided. It's always a fundamental mistake to attempt to use technology to solve a problem that is fundamentally a legal problem. You want to protect your code from "pirates" or competitors, perhaps? It's not likely that you've written anything particularly worth stealing, but if you have, and you don't want people to steal it, then your only true recourse is the rule of law.

However, on a larger level, your problem is not likely going to be competitors or pirates stealing your code. Your problem is going to be business oriented: Gaining an audience through making a quality product, and the right price, and with sufficient marketing. You do that right, someone stealing your code doesn't matter. You do it right, and having the "authentic original" will appear to have real value. In fact, if you release your stuff open source, it can only really help you, because then you have an army of interested amateurs working for you for free, potentially. Piracy and reverse engineering is actually a godsend because it means people are interested enough in your product to want to improve it. The best thing is to do whatever you can to let that happen.

If your business really does depend on keeping some javascript secret, then you've basically made a mistake in your business plan at stage 1.

If your business is selling a javascript library (such things exist!), then you're no worse off than any other seller of software. The best thing to do is to market it towards honest businesses that have no problem with giving you money. The people that pirate your stuff had no intention of paying you anyway- and get the fundamental disadvantage that they don't get your technical support, or regular maintenance updates.

If this is not a business effort, then I really have no idea why you're even bothering. Proper credit?

Answer 5

What you're looking for is obfuscation, not encryption. There are tools such as JSMin and the YUI Compressor that will make your code very unreadable, to the point where no one would want to try to make sense of it. However, there is no way to make it so that someone can't copy and paste it onto their own website and run it there. I wouldn't worry about it, honestly, because you'd be wasting your time trying to protect something that can't be protected. Try putting all your "important" logic on the server-side, if possible, because that's the only foolproof way to do it. If the browser can access it, so can anyone else.

Answer 6

I think you're confusing encryption with compiled binary.

Not even commercial closed-source software such as Microsoft Office or Adobe Photoshop are encrypted for distribution. But they are compiled to native machine code, which makes them hard to reverse engineer.

JavaScript has no such thing as a compiled binary. But, as more and more browsers move to bytecode compilation to achieve faster performance, we may someday have a compiled JavaScript source format. Perhaps, analogous to Python's .py and .pyc files, maybe we'll have a .jsc or JavaScript Compiled file, that can be delivered to the browser in binary form, to run in its JavaScript virtual machine.

No such thing exists yet though. And even if it did, this is just a more intense obfuscation. Obfuscation is fine for preventing casual copying and sharing, but if you need really protect your intellectual property, move the logic server-side.