Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

PolySafe

Embed any file into an encrypted, self-decrypting HTML file.

Features

  • Encryption and decryption happen locally in the browser
  • Encrypts arbitrary files (and their filename)
  • Decryptor supports almost all browsers released 2015 or later

Usage

Encryption

  1. Open a local or hosted copy of polysafe.html in your browser.
  2. Select a file, enter a long and complex password and click Encrypt.
  3. Store the encrypted, self-decrypting HTML file that will be downloaded.
  4. (Optional) Rename the HTML file if you want to keep the filename secret.

Decryption

  1. Open the generated HTML file in your browser.
  2. Enter the password and click Decrypt.
  3. The original file with its original filename will be downloaded.

Browser support

Decryptor

  • Firefox 34+ (Dec 2014)
  • Chrome 38+, tested: 46+ (Oct 2015)
  • Opera 29+ (Apr 2015)
  • Safari 10.1+ untested and Desktop-only

Encryptor

  • Any recent version of Firefox, Chrome, Opera or (Desktop) Safari

Security considerations

PolySafe relies on the following algorithms offered natively by the WebCrypto API and running directly in the browser:

  • Authenticated encryption: AES-GCM (128 bits with a cryptographically random IV)
  • Key derivation: PBKDF2 (200,000 rounds with a cryptographically random salt)

Combined with a high-entropy password, this algorithmic setup should be reasonably secure for most users and their data. However, not just because of the possibility of bugs and structural weaknesses in the implementation, there can be no guarantee whatsoever for the confidentiality of the processed data.

Note that PBKDF2 does not offer the same level of resistance against GPU- and ASIC-based attacks as more recent algorithms such as scrypt or Argon2. These algorithms are not supported by the WebCrypto API and would thus have made the implementation both more complex and much less efficient. Since "Never trust a random guy on GitHub" should come well before "Protect against dedicated adversaries with GPU clusters" in anyone's threat model, not supporting better key derivation algorithms is a trade-off I am willing to make.

License

MIT

About

Embed any file into an encrypted, self-decrypting HTML file

Topics

Resources

Releases

No releases published

Packages

No packages published

Languages