End-to-end encryption using built-in browser functionality
I am an advocate of private communication and I have made this tool to encourage it. Use it to establish a 44-character password that you can use to encrypt further communication. For an introduction, read my article Diffie-Hellman for the Layman.
By exchanging special
The page resets on every refresh and nothing is saved. Keep it open until you are finished. For example, if your goal is to establish a new password with another person, then do not close this page until you get it.
Use the "Save Backup" feature to store page's state in a file. If you have saved a backup file you can close this page, but remember to restore its state from backup when you reopen it.
Follow these steps to agree on a shared password with another person:
Save the full password in a safe place (e.g. your password manager).
For encryption purposes use the full password. If you only need a login password, use the shortened one.
Both of you should see the same shared password. Verify this using the check digits shown above.
Comparing check digits also verifies that you are communicating with the right person, and it is best to text them to his phone. The check digits are not confidential.
You can only decrypt files that were encrypted with this tool.
Select files or folders up to 512 MB each.
The encryption key is automatically set to the shared password derived above. However, you can change it to any other value. The longer it is and the more cryptic it is, the better it is. Spaces will be ignored.
Note Whatever you fill here would not be saved in a backup file. Whenever you load a backup file, the value will be set to the shared password stored in the backup.
The check digits allow you to verify that you have the same encryption key as the other party with whom you are communicating.
Select interface level:
This page resets every time you visit it. It does not save anything in the browser, so if you wish to backup random values shown on this page, use the button bellow to save its state.
This page resets every time you visit it, resulting in a new password exchange. If you have previously created a backup file, load it now to restore the state of the page.
If you need to encrypt only a text message or a few files then use the encryption tools on this page. Otherwise package any number of documents in a password protected archive. Use the full shared password to encrypt the archive.
Use only archiving formats that offer strong encryption. For a Mac-to-Mac transfer use a DMG virtual disk image. For a Windows-to-Windows transfer use a BitLocker encrypted VHD virtual disk image. This way, the recipient of your archive would not need to install additional software to open it. Otherwise, use the free 7-zip archiver and ask the recipient to install it.
If you are on the receiving side of the file transfer, allow the sender to use his native software and install software on your own OS to decrypt the archive. For instance, a Windows user can create a BitLocker VHD and send to you, a Mac user. Install BitLocker software for Mac to open it.
For cloud file sharing such as Dropbox or Google Drive, use the derived password with Cryptomator. For instance, create a Cryptomator vault inside Dropbox and share it with the other person, who would also need to install Cryptomator. For details on how to do it, see my accompanying Medium article.
You can also use an external hard drive or a thumb drive and format it as an encrypted file system. Use the derived shared password for the encryption. Then, store on the drive anything you wish and mail it by regular mail. This way you can transfer terabytes of data securely. Again, if the recipient has a different OS than you, use a cross platform drive encryption software and ask him to install it too. (Cryptomator would work well for this, but VeraCrypt would not because it is not user friendly.)
As mentioned in the Overview section, you do not have to trust that I am not storing your passwords. You can copy this entire web page and run it directly from your computer.
If you are using Google Chrome, copy this entire page using
When you save the page as "Webpage, Complete," the browser creates a support folder of the same name as the HTML file. This folder contains additional files that the HTML file needs. If you are going to move the HTML file elsewhere on your disk, be sure to remember to move the supporting folder to the same location as well.
You can verify this using the Network Inspector.
Execution starts with the
init function which is called
after all resources have been loaded. You can place a breakpoint in
the begining of it, refresh the page and clear the log in the Network Inspector.
Then, continue execution and observe that no new network requests
appear from then on.
The implementation uses Elliptic Curve Diffie-Hellman (ECDH) protocol based on the P-256 curve to establish a shared secret (the long password). The shared secret is 32 bytes long, and it is encoded in Base58 Bitcoin encoding.
The exchanged code includes user's operating system name and his ECDH public key. It is made as short as it can be, without compromising its selectability for copying and pasting. For this reason the public key is encoded in Base58 Bitcoin encoding, resulting in 45 alphanumberic characters. (The operating system is communicated to help users decide how to proceed with further communication. For instance, should they use a DMG archive or BitLocker?)
The ECDH public key is encoded as a compressed (x,y) coordinate. In the first byte of the compressed coordinate, the fourth and fifth bits are used to store the name of user's operating system. (In the standard representation these bits are zero, which this implementation would interpret as an unknown operating system.) For an explanation of the mathematics involved re coordinate compression see my Medium article Toward Shorter Encryption Keys.
The check digits, also known as a Short Authentication String (SAS), are the sum of the bytes module 10000 of the SHA-256 hash of the Base58-encoded secret.
The encryption form uses the AES-256 GCM cipher with tag length of 128. For every message, a random 12 byte nonce is generated and is used as the initalization vector for AES.
You can get a barebones page by copying everything between the two markers "START COPYING HERE" and "FINISH COPYING HERE" in the HTML source. I have a script that does that automatically, and you can see the result here.
All external links on this page have
rel="noopener" attribute to prevent
Tab Nabbing attacks.
I encourage you to host this code on your own trusted web host. This page has MIT license.