OBSCURA v0.1.1
zero-knowledge file transfer · ephemeral · open source

Encrypt in the browser. Ship the ciphertext. Burn the link.

OBSCURA is a zero-knowledge file-transfer service. Files are encrypted in your browser with AES-256-GCM before they ever leave the page. The server stores ciphertext only — encryption keys never touch the wire — and shares self-destruct after a configurable read count or TTL.

how it works · 3 steps
01 · encrypt
in your browser
A random 256-bit key is generated in-page. Files are packed and run through AES-256-GCM via WebCrypto. Optional Argon2id passphrase wrap.
02 · upload
ciphertext only
The encrypted blob goes to a Cloudflare Worker. The key stays in the URL fragment (#k=…) — browsers never send fragments to servers.
03 · burn
TTL or read-count
Configurable expiry (up to 7 days) and download cap (1–100). When either fires, R2 is purged and KV forgets. Manual burn anytime.
trust posture · verifiable

what we can see

  • Opaque ciphertext bytes
  • Total ciphertext size
  • Aggregate daily counters
  • Cloudflare-side IP logs (see privacy)

what we never see

  • Plaintext bytes — encrypted before upload
  • Encryption keys — in the URL fragment
  • Sender or recipient identity — no accounts
  • Filenames or content metadata in the clear
stack · read the source

  • AES-256-GCM · WebCrypto
  • Argon2id · m=64MiB · t=3
  • Cloudflare Workers + R2 + KV
  • React 18 · SRI-pinned
  • MIT · github
disclaimer · read before relying on it
OBSCURA has not been independently security-audited, has no SLA or key-recovery, and is not appropriate for regulated data (HIPAA / PCI / CJIS / classified). Read the DISCLAIMER and privacy policy before using it for anything that matters.