Security Practices

Security isn't just a feature - it's the foundation of everything we build.

Zero-Knowledge Architecture

Your files and passwords never leave your device. All encryption and decryption happens locally in your browser. We literally cannot access your data, even if compelled by law enforcement or court order - because we never have it.

Encryption Standards

AES-256-GCM

We use AES-256-GCM (Galois/Counter Mode), the same encryption standard used by governments and militaries worldwide. It provides both confidentiality and authenticity verification.

  • • 256-bit key length
  • • Authenticated encryption
  • • Tamper detection built-in

PBKDF2 Key Derivation

We derive encryption keys from your password using PBKDF2 with 100,000 iterations. This makes brute-force attacks computationally infeasible.

  • • 100,000 iterations
  • • Random salt per encryption
  • • SHA-256 hash function

Web Crypto API

All cryptographic operations use the browser's native Web Crypto API, which is implemented in the browser's compiled code, not JavaScript.

  • • Hardware-accelerated
  • • Browser-native implementation
  • • Secure key handling

Cryptographic Randomness

All random values (IVs, salts, passwords) are generated using crypto.getRandomValues(), which provides cryptographically secure random numbers.

  • • CSPRNG-based
  • • Operating system entropy
  • • Unpredictable output

Security Features

No Server Storage

Files are never uploaded to our servers. All processing happens in your browser's memory and is cleared when you close the page.

No Tracking of Encrypted Content

We don't log, analyze, or inspect any files you process. We don't even know what type of files you're encrypting.

Secure Password Handling

Your password is only used locally to derive encryption keys. It's never stored, transmitted, or logged anywhere.

HTTPS Only

Our website is served exclusively over HTTPS with TLS 1.3, ensuring your connection to us is encrypted.

Content Security Policy

We implement strict Content Security Policy headers to prevent XSS attacks and ensure no unauthorized scripts can run.

What We Can't Do

Important Limitations

  • Recover lost passwords: If you lose your encryption password, we cannot help you recover your files. There is no backdoor.
  • Access your encrypted files: We never have your files or encryption keys. Even under legal compulsion, we have nothing to provide.
  • Guarantee unbreakable encryption: While AES-256 is considered secure against all known attacks, no encryption is permanently unbreakable.
  • Protect against compromised devices: If your device has malware or keyloggers, they could capture your password before encryption.

Security Best Practices

Recommendations for Users

  • • Use strong, unique passwords (our password generator can help)
  • • Store passwords in a secure password manager
  • • Keep your browser and operating system updated
  • • Use a reputable antivirus/anti-malware solution
  • • Be cautious of phishing attempts
  • • Use 2FA on your accounts where possible
  • • Regularly backup important files before encryption

Have Security Concerns?

If you discover a security vulnerability, please report it responsibly. We take all security reports seriously.

Report a Vulnerability