Lab

Saf file encryption

Encrypt and decrypt whole files locally. Files never leave your device.

JavaScript Required

Saf requires JavaScript to run in your browser. Please enable JavaScript to use this tool.

Local-only

Saf runs entirely in your browser using WebCrypto. No uploads, no network calls, and the encrypted file stays on your device.

What this is

A local file encryption tool that produces a self-describing .saf bundle using chunked AES-256-GCM. Files never leave your device.

Who it's for

Teams sharing sensitive exports or log bundles.
Security engineers moving incident artifacts safely.
Anyone who wants offline file encryption.

Encrypt any file into a .saf bundle (AES-256-GCM, local-only).

Drop a file or click to select Encrypted output will download as .saf

Passphrase (required)

Chunked AES-256-GCM encryption, 1 MB chunks. Each chunk uses a unique nonce.

Choose a file to begin.

SAF file format

SAF files start with the magic bytes SAF1 and a JSON header describing the original filename, size, chunk size, salt, and KDF parameters. Each encrypted chunk is stored with its ciphertext length so the file can be streamed safely.

Security model (30 seconds)

Files are encrypted locally with AES-256-GCM in 1 MB chunks. The passphrase is stretched with PBKDF2 and never leaves your device. Decryption requires the original passphrase and the .saf file header. No server-side secrets and no user tracking are used.