PassLok privacy app

PassLok Privacy

PassLok is a toolkit that implements public key cryptography and steganography to supplement ANY communications program.

These are the principles guiding the design of PassLok:

  • Perfect portability. Runs on any computer or mobile device.
  • Completely self-contained so it runs offline. No servers.
  • Nothing should be installed. No required secrets saved.
  • Highest-level security at every step. No compromises.
  • Easy to understand and use by novices. Graphical interface, as clean and simple as possible. No crypto jargon.

Because of this, PassLok is pure HTML code consisting mostly of JavaScript instructions. Its cryptography code is based on Tweet NaCl, also on GitHub. It uses XSalsa20 for symmetric encryption and elliptic curves (Curve25519 and Ed25519) for public-key functions.

PassLok was started as URSA, also by F. Ruiz, and developed privately up to version 1.3.03, made on 8/15/13. Commits on GitHub began seriously with this version. The engine was based on the SJCL library up to version 2.1.03, which has been forked out on this repository in order to preserve it.

These are the open source libraries used in PassLok, which can be found in the js-opensrc directory:

The PassLok original code is in directories js-head and js-body:

  • this only loads two word arrays: wordlist and blacklist: dictionary_en.js
  • Key and Lock functions: KeyLock.js
  • cryptographic functions: crypto.js
  • extra functions for mail, etc.: extra.js
  • error correction functions: errorCorrection.js
  • Shamir Secret Sharing Scheme: SSSS.js
  • text and image steganography: stego.js
  • local Directory functions: localdir.js
  • functions for switching screens, etc.: switching.js
  • special functions that work only with Chrome apps and extensions: Chromestuff.js
  • window reformatting, special functions: bodyscript.js
  • initialization, button connections: initbuttons.js

Two components run inside iframes and are served from different sources. They are not included here because we use Phonegap to automatically generate some versions from this repo, and those versions should not contain that code. Those components are:

Full documentation can be found at: including:


Copyright (C) 2018 Francisco Ruiz

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see


PassLok contains and/or links to code from a number of open source projects on GitHub, including the Tweet NaCl crypto library, and others.

Cryptography Notice

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.