ZMath
Shield.
Lock a private note or file behind two independently derived, authenticated encryption layers. The entire workflow runs on this page—no account, upload or server recovery copy.
Zmail webmail can automatically protect message bodies between ready Zmail devices. This page is the portable option for a note or file: only content you deliberately export as a .zmath vault receives its passphrase-and-pattern layers.
Protect it here. Keep it yours.
Add a note, a file up to 8 MB, or both. The encrypted .zmath export downloads automatically when both layers are complete.
Two correct inputs. One private result.
Select a ZMath Shield vault, then enter the same passphrase and pattern. The outer pattern layer opens first; the inner passphrase layer follows.
Strong local cryptography, described honestly.
Two real encryption layers
The passphrase encrypts the content with AES-256-GCM. Its complete authenticated envelope is then encrypted again by a separately derived pattern key.
Independent derivations
Each layer uses a different random 256-bit salt, 600,000 PBKDF2-HMAC-SHA-256 rounds, a non-exportable 256-bit key and a random 96-bit IV.
Local by construction
This page contains no vault API. It uses browser file reads, Web Crypto and a local download; plaintext and inputs are not stored by Zmail.
Limits still matter
PBKDF2 is deliberately CPU-expensive, not memory-hard. A compromised browser or device could observe plaintext. Use a long unique passphrase and a pattern of 8–9 points when possible.