Decrypt Message
Your text will be decrypted in your browser. It never touches our servers.
How Text Decryption Works
Decryption mirrors the encryption process in reverse. Your encrypted text stays in your browser's memory and never touches our servers. Here's what happens when you click "Decrypt Message":
Parse Encrypted Data
Your encrypted text is Base64-decoded into binary data. The browser extracts the salt (16 bytes), IV (12 bytes), ciphertext, and authentication tag from the encrypted package.
Derive Decryption Key
Using the extracted salt and your password, the browser runs PBKDF2-SHA-256 with 100,000 iterations to derive the same 256-bit key that was used for encryption. Wrong password = wrong key = decryption fails.
Verify and Decrypt
AES-256-GCM verifies the authentication tag before decryption. If the ciphertext was tampered with or the password is wrong, the authentication check fails and decryption stops immediately. No partial decryption.
Display Original Message
If authentication passes, the ciphertext is decrypted and your original plaintext message is displayed. Identical to what was encrypted. If anything fails, you see "Wrong password or corrupted data" - by design.
Wrong Password: If you enter the wrong password, decryption will fail immediately. There is no password recovery. No hints. No backdoors. Write it down securely or use a password manager.
Tamper Detection: If anyone modified the encrypted text (even one character), the GCM authentication tag will fail and decryption stops. You get the original message or nothing.
Zero-Knowledge Architecture: Your encrypted text never leaves your browser. We don't see your ciphertext, your password, or your decrypted message. The server only delivers static files.
Why This Is Secure
Zero-Knowledge means exactly that:
- We don't see your encrypted text (never uploaded)
- We don't see your password (entered in your browser only)
- We don't see your decrypted message (displayed in your browser)
- We don't log when you decrypt (no analytics, no tracking)
- We can't decrypt your message even if we wanted to (we never receive it)
This isn't a privacy promise. It's a technical reality. The architecture makes it impossible for us to access your messages. Client-side encryption isn't just more private - it's the only way to guarantee privacy.