How It Works
Security & Technical Details
Overview
CrypClip is a zero-knowledge encryption tool that runs entirely in your browser. When you encrypt a message, the cryptographic operations happen locally on your device. Your plaintext message and password never leave your computer.
The Encryption Process
You Enter Your Message
Type or paste your message into the text area. This message stays in your browser's memory.
You Choose a Password
Enter a strong password (minimum 8 characters). This password is used to derive the encryption key.
OpenPGP.js Encrypts Locally
The OpenPGP.js library creates an encrypted message using industry-standard PGP encryption with AES-256.
You Share the Encrypted Result
Copy the encrypted message or use the shareable URL. Only someone with the password can decrypt it.
Technical Details
Encryption Algorithm
AES-256 (Advanced Encryption Standard with 256-bit key). This is the same standard used by governments and financial institutions worldwide.
Key Derivation
Your password is processed using iterated and salted S2K (String-to-Key) as specified in the OpenPGP standard (RFC 4880). This makes brute-force attacks computationally expensive.
Message Format
Encrypted messages use standard PGP ASCII Armor format, which is compatible with other PGP tools like GPG, Kleopatra, and various email clients.
Library
OpenPGP.js v6 - An open-source, audited JavaScript implementation of the OpenPGP standard. The source code is publicly available for review.
Why CrypClip Is Safe
100% Client-Side Processing
All encryption and decryption happens in your browser using JavaScript. Your unencrypted data never touches our servers because there are no servers processing your data.
No Data Storage
CrypClip doesn't use databases, cookies, or local storage to save your messages. When you close the page, everything is gone from memory.
No Analytics or Tracking
We don't use Google Analytics, Facebook Pixel, or any other tracking scripts. Your privacy is absolute.
Share URLs Use Hash Fragments
When you generate a shareable URL, the encrypted data is placed after the # symbol. Hash fragments are never sent to web servers - they stay in your browser.
Open Source Library
OpenPGP.js is open source and has been audited by security researchers. You can inspect the code yourself on GitHub.
Content Security Policy
CrypClip uses strict CSP headers to prevent cross-site scripting (XSS) attacks and unauthorized code execution.
Verify It Yourself
Don't just take our word for it. Here's how you can verify that CrypClip works as described:
1. Check Network Traffic
Open your browser's Developer Tools (F12), go to the Network tab, and encrypt a message. You'll see that no network requests are made during encryption or decryption.
2. Work Offline
After loading the page, disconnect from the internet. CrypClip continues to work perfectly because everything runs locally.
3. Inspect the Source Code
View the page source (Ctrl+U) or check the JavaScript in Developer Tools. The code is not obfuscated and you can see exactly what it does.
4. Test with Other PGP Tools
Encrypt a message with CrypClip, then decrypt it using GPG command line or another PGP tool. The output will be identical, proving we use standard encryption.
Security Best Practices
Use Strong Passwords
Choose passwords that are at least 12 characters long with a mix of uppercase, lowercase, numbers, and symbols.
Share Passwords Securely
Never send the password through the same channel as the encrypted message. Use a different medium (e.g., phone call, separate messaging app).
Beware of Phishing
Always verify you're on www.crypclip.com. Bookmark the site to avoid typosquatting attacks.
Use Private Devices
Avoid using public computers or shared devices for sensitive communications. Your browser history and memory could be accessed.
Frequently Asked Questions
Can you decrypt my message if I forget the password?
No. We don't have access to your password or your original message. If you forget the password, the encrypted data cannot be recovered. This is by design - it's what makes the encryption secure.
Is this as secure as using GPG on my computer?
CrypClip uses the same OpenPGP standard and AES-256 encryption as GPG. The main difference is that browser-based tools have a slightly larger attack surface (e.g., malicious browser extensions). For most users, CrypClip provides excellent security. For nation-state level threats, dedicated desktop software may be preferable.
Why should I trust CrypClip?
You don't have to trust us - that's the point. The encryption library is open source and audited. You can verify our claims by checking network traffic, working offline, and testing with other PGP tools. We've designed the system so that even if we wanted to, we couldn't access your data.
What happens to my message after I close the browser?
It's gone. CrypClip doesn't save anything to disk or to any server. The message only exists in your browser's memory while the page is open.
Can government agencies decrypt my messages?
AES-256 encryption is considered unbreakable with current technology. Government agencies cannot mathematically break the encryption. However, they could potentially compromise your device, password, or the recipient's device. Encryption protects data in transit, not against compromised endpoints.