Offline file encryption that runs entirely in your browser.
No uploads.
No backend.
No accounts.
No tracking.
Just a file → a password → an encrypted container.
Password generator and entropy estimation are built directly into the UI.
- Encrypt any file into a single
.bytscontainer - AES-256-GCM authenticated encryption
- PBKDF2 key derivation (250,000 iterations)
- Built-in password generator
- Password strength + estimated entropy feedback
- Self-hosted zxcvbn model (no external requests)
- Fully offline operation after page load
ByteSeal encrypts any file into a single encrypted container (.byts)
using password-based encryption.
It is designed for:
- Encrypting files before storing in untrusted locations
- Moving files between devices safely
- Maintaining a simple offline encryption workflow
- Experimenting with client-side cryptography
It is intentionally small and scope-limited.
- Drop or select a file
- Generate or enter a strong password
- Review the strength / entropy feedback
- Download the encrypted
.bytscontainer
Decryption reverses the process and restores the original file.
All encryption happens locally in your browser using the Web Crypto API.
After the page loads, ByteSeal makes zero network requests.
- Unauthorized inspection of stored files
- Cloud storage providers
- Curious servers
- Intercepted encrypted containers
- Offline brute-force attempts (limited by password strength)
- The execution environment (browser + OS) is trusted
- The password has sufficient entropy
- Malware on your device
- Keyloggers
- Compromised browsers
- Weak or reused passwords
- Lost passwords (no recovery possible)
If the password is lost, the data is permanently unrecoverable.
- Key Derivation: PBKDF2 (SHA-256, 250,000 iterations)
- Encryption: AES-256-GCM (authenticated encryption)
- Randomness:
crypto.getRandomValues - Execution Model: 100% client-side
- Dependencies: None (uses Web Crypto API)
The PBKDF2 iteration count intentionally introduces delay to increase resistance against offline guessing.
AES-GCM ensures both confidentiality and integrity. Incorrect passwords or modified containers fail authentication.
ByteSeal includes a built-in password generator and password strength estimation to help users choose stronger passwords.
Strength feedback and estimated entropy are calculated locally using a bundled copy of zxcvbn.
This model runs entirely in the browser and does not require any external scripts, APIs, or network requests.
[ Plain header ]
- magic: "BYTESEAL" (8 bytes)
- version: 0x01
- salt: 16 bytes
- iv: 12 bytes
[ Encrypted payload (AES-256-GCM) ]
- metadata length (uint32, big-endian)
- metadata JSON (filename, MIME type)
- raw file bytes
All metadata is encrypted.
The format is self-describing and validated before decryption.
Full specification:
ByteSeal is intentionally:
- Offline-first
- Minimal
- Explicit
- Small attack surface
- Free of feature creep
It is not a platform.
It is a single-purpose encryption tool.
- Entire file processed in memory (browser limits apply)
- Very large files may fail on low-memory devices
- No streaming encryption
- No multi-file archive support
- No key management system
- No installation required
- Easy verification of source
- Works across platforms
- Low friction for non-technical users
ByteSeal prioritizes:
- Transparency over convenience
- Explicit cryptographic boundaries
- Versioned container formats
- Clear threat modeling
Consider giving the repo a star ⭐
It helps others discover the project.
MIT