Alcazar · Technical Blog

Technical notes, architecture writeups, and release stories.


Published Feb 23, 2026

Portable Secret: encrypted files in one HTML

Sharing secrets with people outside your organization is surprisingly hard.

Password-protected zip files confuse non-technical users. Secure portals require accounts and maintenance. Messaging apps often violate compliance rules.

We wanted a solution that was boringly simple: one file, no accounts, no server dependency.

Portable Secret is a self-contained HTML file. It holds both the encrypted data and the code to decrypt it.

Update (2026-02-26): Portable Secret is now open source, and the creator tool is portable too. Read the announcement: Portable Secret: Now Open Source and Fully Local.

The Constraint

We set one hard rule: The recipient must be able to decrypt the file with only a browser and a password.

This drove every design decision. The key derivation must happen in the browser. The UI must work on slow devices. The format must be forward-compatible.

Inside the File

The generated HTML contains two HTML comments: a metadata block and a base64-encoded payload.

When you open the file, the embedded script:

  1. Reads the metadata.
  2. Asks for a password.
  3. Derives the encryption key.
  4. Decrypts the payload using AES-256-GCM.
  5. Renders the files for download.

No network calls occur. You can disconnect your internet and it still works.

Cryptography Choices

We support two key derivation functions (KDFs):

  • Argon2id: Resistant to GPU attacks. Preferred for modern devices.
  • PBKDF2: The compatibility fallback.

We default to Argon2id but fall back to PBKDF2 if the device or browser is limited. This balances security with usability.
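The open flow from "Inside the File", sketched on the PBKDF2 fallback path because WebCrypto ships PBKDF2 and AES-GCM natively. This is an added example, not Portable Secret's own code: the `PS-META`/`PS-DATA` comment markers, the metadata field names, the iteration count, and the choice to bind the metadata as GCM additional data are all assumptions.

```javascript
// Added example: marker names and metadata fields are assumptions, not the real format.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const enc = new TextEncoder();
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf))); // fine for small samples

// Step 3: password -> non-extractable AES-256-GCM key via PBKDF2-SHA-256.
async function deriveKey(password, meta) {
  const material = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  const kdf = { name: "PBKDF2", hash: "SHA-256", salt: fromB64(meta.salt), iterations: meta.iterations };
  return wc.subtle.deriveKey(kdf, material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Creator side (constructed): emit an HTML file carrying the two comments.
async function sealSecret(plaintext, password, iterations = 100000) { // sample cost, not a recommendation
  const meta = { v: 1, kdf: "pbkdf2-sha256", iterations,
    salt: toB64(wc.getRandomValues(new Uint8Array(16))),
    iv: toB64(wc.getRandomValues(new Uint8Array(12))) };
  const metaJson = JSON.stringify(meta);
  const key = await deriveKey(password, meta);
  // The metadata is passed as AAD so the GCM tag also covers it.
  const params = { name: "AES-GCM", iv: fromB64(meta.iv), additionalData: enc.encode(metaJson) };
  const ct = await wc.subtle.encrypt(params, key, enc.encode(plaintext));
  return `<!doctype html>\n<!--PS-META ${metaJson}-->\n<!--PS-DATA ${toB64(ct)}-->\n`;
}

// Recipient side: steps 1-4. Returns the plaintext, or null if authentication fails.
async function openSecret(html, password) {
  const metaJson = /<!--PS-META (.*?)-->/.exec(html)?.[1];
  const data = /<!--PS-DATA ([A-Za-z0-9+\/=]+)-->/.exec(html)?.[1];
  if (!metaJson || !data) throw new Error("missing metadata or payload comment");
  const meta = JSON.parse(metaJson);
  // Metadata is untrusted until the tag verifies: bound the work it can demand.
  if (meta.v !== 1 || meta.kdf !== "pbkdf2-sha256") throw new Error("unsupported format");
  if (!Number.isInteger(meta.iterations) || meta.iterations < 1 || meta.iterations > 10000000) {
    throw new Error("bad iteration count");
  }
  const key = await deriveKey(password, meta);
  const params = { name: "AES-GCM", iv: fromB64(meta.iv), additionalData: enc.encode(metaJson) };
  try {
    return new TextDecoder().decode(await wc.subtle.decrypt(params, key, fromB64(data)));
  } catch {
    return null; // wrong password and modified file fail the same way: the GCM tag check
  }
}
```

A wrong password and an edited file are indistinguishable to the recipient here, since both surface as a failed GCM tag check.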

The UX of Encryption

Browser cryptography can be slow. If key derivation takes 10 seconds, the page looks frozen.

We solve this with calibration. Before we start, we run a quick test to estimate the device’s speed. We use this to show a realistic progress bar and a time estimate. Users will wait 30 seconds if they know it is working; they will close the tab if it looks dead.

Responsive Performance

Argon2id is heavy. Running it on the main thread freezes the UI.

We offload the derivation to a Web Worker whenever possible. This keeps the interface responsive while the heavy lifting happens in the background.

The Build System

We split the architecture.

  • Create: A full Svelte application builds the file.
  • Open: A lightweight, framework-free template handles decryption.

This keeps the resulting file small and robust. The recipient doesn’t need to download a framework to read a text message.

Summary

Portable Secret is a tactical tool. It doesn’t replace a secure collaboration platform, but it solves the immediate problem of sending a file securely to someone who doesn’t have an account.

It turns a security headache into a simple file transfer.
