Getting Started
This guide walks you through encrypting and decrypting your first secret with the Zefer web app. No installation or account is required — open the site and go.
- A modern browser with Web Crypto API support (Chrome, Edge, Firefox, Safari, Brave, etc.). Practically every browser from the last several years qualifies.
- That's it. Nothing is installed; nothing is uploaded.
- Open https://zefer.carrillo.app (or go directly to /?t=encrypt).
- Make sure the Encrypt tab is selected and choose Text mode.
- Type or paste your secret (an API key, a note, credentials, etc.).
- Set a passphrase of at least 6 characters. A strength meter shows weak → fair → good → strong.
- (Optional) Choose an expiration, compression, the PBKDF2 strength, or any advanced option (see Security Features).
- Click Encrypt & download. A secret.zefer file is generated locally and downloaded to your device.
- Select File mode on the Encrypt tab.
- Click the drop zone or drag and drop a file onto it.
- Set a passphrase and any options, then Encrypt & download.
- You receive <your-file>.zefer. The original file name and MIME type are stored inside the encrypted payload, so they are restored on decryption.
Large files are processed in 16 MB chunks (each with a unique IV), so very large files encrypt without exhausting memory. See Binary File Format and Architecture and Tech Stack for device-aware file-size limits.
A .zefer file is just an encrypted blob. Send it through any channel — email, chat, a shared drive, SMS. Without the correct passphrase it is unreadable. The recipient never needs an account.
- Open /?t=decrypt (or switch to the Decrypt tab).
- Upload or drag the .zefer file.
- Enter the passphrase (and a second passphrase, secret-question answer, etc., if the file requires them).
- Zefer re-derives the key, verifies the authentication tag, checks expiration and any access rules, then shows or downloads the decrypted content.
If the passphrase is wrong, decryption fails without revealing any information. If the file has expired or an access rule (IP allowlist, max attempts, secret question) is not satisfied, access is denied.
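The per-chunk IVs mentioned for large files and the key re-derivation and tag check on decryption, as an added example that is not Zefer's code and does not reproduce the .zefer format. It uses Node's built-in crypto module (synchronous) rather than the browser Web Crypto API; the iteration count, salt and IV sizes, the 16-byte demo chunk size and the chunk-index AAD are assumptions made for the illustration.

```javascript
// Added illustration: NOT Zefer's code and NOT the .zefer file layout.
// Loads Node's crypto module whether run as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const ITERATIONS = 100000; // assumed PBKDF2 work factor for this demo
const CHUNK_SIZE = 16;     // demo value in bytes; the page describes 16 MB chunks

function deriveKey(passphrase, salt) {
  // PBKDF2 stretches the passphrase into a 32-byte AES-256 key.
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');
}

function encryptChunked(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey(passphrase, salt);
  const chunks = [];
  for (let off = 0, i = 0; i === 0 || off < plaintext.length; off += CHUNK_SIZE, i++) {
    const iv = nodeCrypto.randomBytes(12); // fresh IV for every chunk
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(String(i))); // assumption: bind the chunk index
    const slice = plaintext.subarray(off, off + CHUNK_SIZE);
    const data = Buffer.concat([cipher.update(slice), cipher.final()]);
    chunks.push({ iv, data, tag: cipher.getAuthTag() });
  }
  return { salt, chunks };
}

function decryptChunked(blob, passphrase) {
  const key = deriveKey(passphrase, blob.salt); // re-derive from the stored salt
  return Buffer.concat(blob.chunks.map((c, i) => {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, c.iv);
    d.setAAD(Buffer.from(String(i)));
    d.setAuthTag(c.tag);
    // final() throws if the tag does not verify: wrong key or modified data.
    return Buffer.concat([d.update(c.data), d.final()]);
  }));
}

// Returns the plaintext as a string, or null when authentication fails.
function tryDecrypt(blob, passphrase) {
  try { return decryptChunked(blob, passphrase).toString('utf8'); }
  catch (err) { return null; }
}

// Constructed sample input: long enough to span three 16-byte chunks.
const sample = Buffer.from('API_KEY=constructed-demo-value-0123456789');
const blob = encryptChunked(sample, 'demo-passphrase');
console.log(blob.chunks.length, tryDecrypt(blob, 'demo-passphrase'), tryDecrypt(blob, 'wrong'));
```

A wrong passphrase and a reordered or altered chunk surface the same way, as a failed tag check, so `tryDecrypt` returns `null` without indicating which occurred.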
Every form reads query parameters on load, so you can pre-fill or fully automate a flow:
/?t=decrypt&p=myPassphrase
/?t=encrypt&m=file&ttl=30&c=gzip&s=high
Sensitive parameters (p, p2, r, a) are auto-cleared from the URL after they are read. See URL Parameters for the full list.
The same engine and .zefer format are available from the CLI, an MCP Server for AI agents, and a Library you can import into Node.js code.
- How It Works — the full step-by-step flow.
- Security Features — expiration, dual key, reveal key, secret question, IP allowlist.
- Security Architecture — the cryptography behind it all.
📖 Glossary — terms on this page: zero-knowledge · client-side · AES-256-GCM · chunk · reveal key · dual passphrase. Full list in the Glossary.
📖 New to a term? See the Glossary. · Zefer · Repository · CLI · MIT © José Carrillo