Alcazar · Technical Blog

Technical notes, architecture writeups, and release stories.

RSS feed

Published Feb 26, 2026

Portable Secret: Now Open Source and Fully Local

Sharing passwords or sensitive files with people outside your team is painful.

Secure portals require accounts. Zip files confuse people. Chat apps retain history you don’t want kept.

We built Portable Secret to solve this. It generates a single HTML file containing your encrypted data and the code to decrypt it. You send the file, share the password via another channel, and the recipient opens it in their browser. No accounts, no servers, no dependencies.

Today, we are releasing the project as open source on GitHub. You can audit the code, fork it, or host it yourself.

The Tool is Now Portable Too

The generated secret files have always been self-contained. But until now, the tool to create them was a standard web application hosted on a server.

For the open source release, we changed how we build the application. We switched the SvelteKit adapter to “inline” mode.

This means the creator tool itself compiles into a single HTML file. You can go to the live tool, save the page as HTML, and keep it on a USB drive. You can generate secrets completely offline, on an air-gapped machine, without ever hitting our servers.

How It Works

The security model is simple and browser-native.

  1. Local Encryption: When you add files or text, the browser encrypts them using AES-256-GCM.
  2. Key Derivation: We use Argon2id (or PBKDF2 as a fallback) to derive the encryption key from your password. This makes brute-force attacks significantly harder.
  3. The Payload: The encrypted data is bundled with a lightweight decryption template into a single .ps.html file.

When the recipient opens the file, the browser derives the key again and decrypts the content in memory. The unencrypted data never touches a disk or a network.

Why Open Source?

Trust is the most important feature of a security tool. You shouldn’t have to take our word that we aren’t uploading your secrets.

By opening the code, we allow anyone to verify that:

  • No network requests are made during encryption or decryption.
  • The cryptography implementation follows standards.
  • Your data stays on your device.

Check out the repository or try the live tool. It is a simple solution for a complex problem.

← Back to Tech Log