Portable Secret

Portable Secret is a free, open-source tool that creates self-contained HTML files that bundle encrypted content and the JavaScript needed to decrypt it locally in the browser. No server, account, or special app is required to open or decrypt.

What it does

• You add secret text and optional file attachments (notes, images, documents, archives, etc.).
• You set a password (and optionally a password hint).
• The tool generates one HTML file that contains:
• the encrypted payload (metadata + base64-encoded data),
• the decryption logic (JavaScript using Web Crypto APIs).
• The recipient opens the file in any modern browser, enters the password, and the content is decrypted in memory in the browser. No data is sent to any server.

Core promise

• One file: everything (payload + decrypt code) in a single HTML file.
• No accounts: no sign-up or login.
• No server for decryption: decryption is entirely client-side.
• Works offline: no network calls; you can open and decrypt with internet disconnected.
• Browser-native: only a browser is needed; no installs or plugins.

Security / crypto

• AES-GCM for payload encryption.
• Argon2id as the default key-derivation function (KDF) where supported; PBKDF2 as a browser-compatible fallback.
• Key is derived from the password in the browser; the file carries whichever KDF was used when it was created.
• No “forgot password”. If the password is lost, the data is unrecoverable (no master key or recovery flow).

Typical use cases

• Insecure-channel handoff: send the encrypted file (e.g. by email) and the password by another channel (e.g. Signal, in person).
• Digital emergency kit: store passwords, recovery phrases, emergency contacts, or instructions on a USB drive or in a safe place.
• Dead Man’s Switch payload: attach a Portable Secret to a Dead Man’s Switch so delivery is automated but the secret stays inside the encrypted file.
• Client credential handoff: send credentials without leaving them in Slack, Teams, or searchable chat.
• Cloud storage: encrypt private scans or records before uploading to cloud storage.

Open source and portability

• Source: github.com/alcazarsec/portable-secret
• Creator app: Portable Secret (alcazarsec.github.io/portable-secret/)
• The creator page can be saved as HTML and used fully offline (e.g. on an air-gapped machine); the unencrypted data need not touch disk or the network during the normal flow.

Comparison to password-protected ZIP

• Better compatibility: only a browser is needed.
• Stronger crypto defaults (e.g. AES-GCM, Argon2id/PBKDF2).
• Many ZIP flows are weaker or more cumbersome.
• Portable Secret can show decrypted content in the browser instead of only offering a download.