Arcyph


Secure encryption of text by password, using the same password for decryption. AES256-GCM authenticated encryption keeps your data secure and Argon2 allows for shorter passwords to stay uncracked. Nothing is sent to any server; everything stays in your browser.

I wrote this application to learn modern web technologies (Web Workers, WebAssembly, PWAs) as well as modern cryptography, and also because there didn't appear to be easily usable existing solutions.

OpenSSL and Veracrypt use weak password hashing, and aren't very practical for encrypting short texts. PGP is insecure outdated technology and very cumbersome to use. This service does not use public keys, only a shared password.

Offline mode

Arcyph may be installed as a desktop app, so that it works completely offline. For security reasons, browsers offer this option only once you have visited this site on two different days.

Version 0 ciphertext format

Salt/nonce (16 random bytes)
AES256-GCM authenticated encryption (plaintext length + 16 bytes tag)

The initial 16 bytes are random numbers used as the Argon2 salt, to avoid producing the same encryption key even if a password is reused. Argon2 is performed using this raw binary salt and the UTF-8 encoded password to output a 32-byte hash used as the AES256 key. The first 12 bytes of the salt are also used as the nonce for the AES-GCM algorithm. Since a new random salt is created every time something is encrypted, the output will be completely different even if the message and the password stay the same.

{time: 8, mem: 102400, hashLen: 16, parallelism: 1, type: 2}

Argon2 hash settings are hard-coded as above. This allows for roughly one cracking attempt per second, per CPU. Hashing in a browser or on a smartphone takes a few seconds.

The base64 format is simply a standard encoding of that raw binary data. Like the binary file, it looks like any random data, unless the proper password is known, although a base64 string pasted on a message board might be more suspicious than a raw binary file hidden among other nondescript files.
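
The version 0 layout described above, as an added Node.js example that is not Arcyph's own code: it builds and parses salt | ciphertext | tag, using the first 12 salt bytes as the GCM nonce. Assumptions: the function names are hypothetical, the tag is taken to follow the ciphertext, the key is 32 bytes as the prose states, and since Node's standard library has no Argon2 the default key derivation is scrypt, a stand-in whose output is not compatible with Arcyph.

```javascript
// Added example (not Arcyph's code): version 0 layout = salt | ciphertext | tag.
const nodeCrypto = require("node:crypto");

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;
const GCM = "aes-256-gcm";

// Stand-in KDF (assumption): the page derives the key with Argon2, which Node's
// standard library lacks. scrypt keeps this runnable offline, so blobs made here
// are NOT interchangeable with Arcyph's.
function demoKdf(passwordBytes, salt) {
  return nodeCrypto.scryptSync(passwordBytes, salt, KEY_LEN);
}

function encryptV0(password, plaintext, deriveKey = demoKdf) {
  const salt = nodeCrypto.randomBytes(SALT_LEN); // fresh for every message
  const key = deriveKey(Buffer.from(password, "utf8"), salt);
  const nonce = salt.subarray(0, NONCE_LEN); // first 12 salt bytes double as nonce
  const enc = nodeCrypto.createCipheriv(GCM, key, nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([enc.update(plaintext, "utf8"), enc.final()]);
  // Tag placed after the ciphertext (assumed order within the second field).
  return Buffer.concat([salt, body, enc.getAuthTag()]);
}

function decryptV0(password, blob, deriveKey = demoKdf) {
  // An empty message still carries 16 bytes of salt and a 16-byte tag.
  if (blob.length < SALT_LEN + TAG_LEN) throw new Error("too short for version 0");
  const salt = blob.subarray(0, SALT_LEN);
  const body = blob.subarray(SALT_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const key = deriveKey(Buffer.from(password, "utf8"), salt);
  const nonce = salt.subarray(0, NONCE_LEN);
  const dec = nodeCrypto.createDecipheriv(GCM, key, nonce, { authTagLength: TAG_LEN });
  dec.setAuthTag(tag);
  // final() throws when the password is wrong or any byte was altered.
  return Buffer.concat([dec.update(body), dec.final()]).toString("utf8");
}

// The base64 form is the same bytes in text encoding.
const toBase64 = (blob) => blob.toString("base64");
const fromBase64 = (text) => Buffer.from(text, "base64");
```

Passing an Argon2 implementation as `deriveKey` (raw salt, UTF-8 password, 32-byte output) is the step that would replace the stand-in.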

Limitations

No padding is added, so the encrypted binary is always precisely 32 bytes longer than the plaintext. If this is a concern, add spaces or other padding to your message to obscure its true length.

The current format is as simple as possible, producing short yet deniable ciphertext. Possibly other formats may be devised in the future with more features, and by design they are necessarily incompatible, as any change in Argon2 parameters, for instance, would require multiple decryption attempts to find the correct settings. I do intend to keep support for decrypting version 0 in any case.

Although the current algorithm is perfectly fine with binary data, the web application has no support for encrypting files. Sensitive unencrypted data should not be stored in files on disk, as the data will normally be left there after the file is deleted.

Password quality indicator

The zxcvbn library is used in the password widget. Cracking times assume 10 attempts per second and that the attacker can use smart dictionary attacks rather than just brute-forcing all possible character combinations. Cloud-based attacks or supercomputers might allow for much faster cracking if the attacker spares no expense.

