FAQ
A free, open-source tool that encrypts text and files into password-protected .zefer files using AES-256-GCM. Everything happens in your browser — no server ever stores, processes, or transmits your data. Share the encrypted file through any channel; only someone with the passphrase can open it.
Yes. Zefer is completely free and open source under the MIT license — no accounts, subscriptions, ads, or usage limits. You can also self-host it or use the official zefer-cli.
It uses AES-256-GCM authenticated encryption with PBKDF2-SHA256 key derivation (up to 1,000,000 iterations). It is zero-knowledge and 100% client-side: passphrases and keys never leave your device, there are no cookies or trackers, and security metadata (expiration, IP limits, secret question) is sealed inside the encrypted payload — not the public header. See Security Architecture.
No. No account, no email, no sign-up. Open the site, add your content, set a passphrase of at least 6 characters, and download the .zefer file.
A portable, password-protected encrypted file containing your content plus the salt and IV needed for decryption. To open it, upload it back to Zefer (or use the CLI / Library) and enter the correct passphrase. Without the passphrase it is unreadable. See Binary File Format.
Only the public header: format (ZEFB3/ZEFR3), content mode, PBKDF2 iterations, compression method, and any optional public hint/note. Expiration, IP allowlist, secret question, max attempts, and the content itself are sealed inside AES-256-GCM. Inspect any file with the .zefer File Analyzer.
It cannot be recovered. There is no backdoor, no reset, and no server-side copy — that is the point of zero-knowledge encryption. Use the Password Generator and Analyzer to create and store strong passphrases safely.
Yes — identical binary format and cryptographic parameters. A file encrypted in one opens in the others. See CLI, Library, MCP Server.
Files are processed in 16 MB chunks, and the limit is device-aware (based on RAM/CPU/GPU). High-end machines can handle multiple gigabytes; the /device page shows your machine's limit.
The content is always protected by AES-256-GCM. Expiration, IP allowlist, and max-attempts are policy checks enforced by the client at decryption time (stored encrypted inside the payload). They raise the bar but are not the same as the cryptographic confidentiality of the content. See Security Features.
Yes. zefer-cli exposes an MCP Server with five tools (encrypt, decrypt, keygen, analyze, inspect) that runs locally over stdio with zero telemetry.
Follow responsible disclosure via the Security Policy / the /security page — please don't open a public issue for vulnerabilities.
José Carrillo. The project is open source (MIT) at https://github.com/carrilloapps/zefer.
📖 Glossary — terms on this page: AES-256-GCM · PBKDF2 · zero-knowledge · public header · MCP · ZEFB3 / ZEFR3 · entropy. Full list in the Glossary.