SecureStream is a browser-based, local-first file encryption tool designed to handle large files (up to 2GB and beyond) with minimal memory footprint.
- Privacy First: No files are uploaded to any server. Everything happens locally in your browser.
- Large File Support: Processes files in chunks (4MiB) to keep memory usage low.
- Modern Web Standards: Uses WebCrypto API and File System Access API for high performance and security.
- Secure by Design:
  - Key Derivation: PBKDF2 (SHA-256, 310,000 iterations).
  - Sub-key Expansion: HKDF.
  - Encryption: AES-GCM (256-bit).
  - Unique per-chunk IVs.
- Key Derivation: Your password is converted into a 256-bit master key using PBKDF2 with a unique salt.
- Sub-key Derivation: An encryption key is derived from the master key using HKDF.
- Encryption: The file is read in 4MiB chunks. Each chunk is encrypted using AES-GCM with a unique nonce derived from a base IV and the chunk index.
- Streaming: Encrypted data is streamed directly to your disk using the File System Access API (in Chrome/Edge) or a Service Worker-based streaming download (in Firefox).
- Magic: FENC (4 bytes)
- Version: 2 (uint8)
- KDF: PBKDF2 (uint8)
- Iterations: 310,000 (uint32)
- Salt: 16 bytes
- Chunk Size: 4MiB (uint32)
- Total Size: uint64 (original size)
- IV Base: 12 bytes
- Filename: UTF-8 encoded
- Payload: Repeated chunks (plainLen, cipherLen, ciphertext+tag)
- Footer: Optional MAC (currently none, relying on AES-GCM per-chunk integrity)
- Chrome / Edge: Full support for files > 4GB via File System Access API.
- Firefox: Support for large files via Service Worker streaming.
- Safari / iOS: Limited support for large file streaming; may be restricted by memory limits or lack of specific APIs.
Just open index.html in a modern browser. For Service Worker functionality, serving via a simple static server (e.g., npx serve .) is recommended.
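
The PBKDF2 → HKDF → AES-GCM chain and the per-chunk nonce described above, as an added example that is not SecureStream's own code. The nonce layout (chunk index XORed into the last 4 bytes of the IV base), the HKDF salt and info label, the low iteration count and the tiny chunks are assumptions chosen so the sketch runs quickly; it shows what per-chunk AES-GCM integrity does and does not detect when there is no footer MAC.

```javascript
// Added example, not the project's code. Assumed: nonce layout, HKDF salt/info label.
const getSubtle = async () =>
  (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;

async function deriveChunkKey(password, salt, iterations) {
  const subtle = await getSubtle(), enc = new TextEncoder();
  const pw = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  // PBKDF2-SHA-256 turns the password into a 256-bit master key.
  const master = await subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, pw, 256);
  const hk = await subtle.importKey('raw', master, 'HKDF', false, ['deriveKey']);
  // HKDF expands the master key into the AES-256-GCM encryption sub-key.
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: enc.encode('example-enc-key') },
    hk, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Assumed construction: big-endian chunk index XORed into bytes 8..11 of the IV base.
function chunkNonce(ivBase, index) {
  const nonce = new Uint8Array(ivBase); // copies the 12-byte base
  const view = new DataView(nonce.buffer);
  view.setUint32(8, (view.getUint32(8) ^ index) >>> 0);
  return nonce;
}

async function encryptChunks(key, ivBase, chunks) {
  const subtle = await getSubtle();
  return Promise.all(chunks.map((c, i) =>
    subtle.encrypt({ name: 'AES-GCM', iv: chunkNonce(ivBase, i) }, key, c)));
}

// Returns the plaintext, or null when the GCM tag does not verify.
async function decryptChunk(key, ivBase, index, ct) {
  const subtle = await getSubtle();
  try {
    return new Uint8Array(await subtle.decrypt({ name: 'AES-GCM', iv: chunkNonce(ivBase, index) }, key, ct));
  } catch { return null; }
}

async function demo() {
  // Constructed fixed salt / IV base so the run is repeatable; real values must be random.
  const salt = new Uint8Array(16).fill(1), ivBase = new Uint8Array(12).fill(2);
  const key = await deriveChunkKey('correct horse', salt, 1000);
  const chunks = ['chunk-0', 'chunk-1', 'chunk-2'].map(s => new TextEncoder().encode(s));
  const ct = await encryptChunks(key, ivBase, chunks);
  const ok = new TextDecoder().decode(await decryptChunk(key, ivBase, 1, ct[1]));
  const swapped = await decryptChunk(key, ivBase, 0, ct[1]); // chunk 1 presented at position 0
  const kept = await Promise.all(ct.slice(0, 2).map((c, i) => decryptChunk(key, ivBase, i, c)));
  return { ok, swapped, truncatedStillValid: kept.every(Boolean) }; // last chunk dropped
}
```

A reordered chunk fails its tag check because the nonce is bound to the index, but a stream with trailing chunks removed still verifies chunk by chunk, so a decryptor also has to compare the recovered length with the header's Total Size.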