Skip to main content
Feature

Zero-knowledge encryption, explained simply

“Zero-knowledge” means we have zero knowledge of what you share. Here's how SealFile guarantees that — not as a promise, but as a property of how the system is built.

What zero-knowledge actually means

Most file-sharing services encrypt your data, but they also hold the keys — so they can decrypt it whenever they (or an attacker, or a subpoena) need to. Zero-knowledge flips that: the keys never leave your device, so the service literally cannot read what it stores.

With SealFile, encryption and decryption happen in the browser. We receive encrypted blobs and encrypted metadata and nothing else. There is no master key, no backdoor, and no way for us to reverse it.

How SealFile implements it

When you add files, your browser generates a random 256-bit key and encrypts everything with AES-256-GCM. For a link-only share, that key is encoded into the URL fragment — the #part of the link, which browsers never transmit to a server. Your recipient's browser reads it from the fragment and decrypts locally.

Add a password and the key is instead wrapped using a key derived from your password with Argon2id (a deliberately slow, brute-force-resistant function). Either way, the secret needed to open your files never reaches us.

Encryption happens on your device

Files are encrypted with AES-256-GCM in your browser before a single byte is uploaded.

The key never reaches us

Keys live in the link fragment (or are derived from your password) — never transmitted to the server.

We only store ciphertext

Our servers hold encrypted blobs and encrypted metadata. There's nothing readable to leak or hand over.

Private by architecture

It's not a policy promise — we physically cannot read your files, because we never hold what's needed to.

Frequently asked questions

What does zero-knowledge encryption mean?

It means the service storing your data has zero knowledge of what it contains. Encryption and decryption happen entirely on your device, and the keys never leave it. The server only ever holds ciphertext it cannot decrypt.

How is the key kept away from the server?

For link-only shares, the encryption key is placed in the URL fragment — the part after the # symbol. By the HTTP specification, browsers never send the fragment to the server, so the key reaches your recipient without ever touching us.

What encryption algorithms does SealFile use?

AES-256-GCM for file and metadata encryption, Argon2id for password-based key derivation, and AES-KW for key wrapping — all via the browser's native Web Crypto API.

Can SealFile recover my files if I lose the link?

No. Because we never have the key, we cannot decrypt your files under any circumstances — not for you, not for anyone else. If the link (and password, if set) is lost, the data is unrecoverable.

Try zero-knowledge sharing

Encrypt a file in your browser and see for yourself — no account needed.