LOCAL ENCRYPTION LAB

ZMath
Shield.

Lock a private note or file behind two independently derived, authenticated encryption layers. The entire workflow runs on this page—no account, upload or server recovery copy.

LOCAL ONLYAES-256-GCM × 2600,000 PBKDF2 ROUNDS PER LAYER
This vault is separate from automatic ZMath Mail.

Zmail webmail can automatically protect message bodies between ready Zmail devices. This page is the portable option for a note or file: only content you deliberately export as a .zmath vault receives its passphrase-and-pattern layers.

CREATE A VAULT

Protect it here. Keep it yours.

Add a note, a file up to 8 MB, or both. The encrypted .zmath export downloads automatically when both layers are complete.

CONTENTPASS LAYERPATTERN LAYER.ZMATH
Passphrase

Use at least 12 characters. Spaces and punctuation count; every character must be entered exactly when opening the vault.

Visual pattern

Select 6–9 different squares in a memorable order. Click the last selected square to undo it.

Choose 6–9 different squares
There is no reset button for encryption.

If either input is lost, Zmail cannot recover the content. Store the exported vault and remember both inputs separately.

Nothing leaves this browser.

KNOW THE BOUNDARY

Strong local cryptography, described honestly.

01

Two real encryption layers

The passphrase encrypts the content with AES-256-GCM. Its complete authenticated envelope is then encrypted again by a separately derived pattern key.

02

Independent derivations

Each layer uses a different random 256-bit salt, 600,000 PBKDF2-HMAC-SHA-256 rounds, a non-exportable 256-bit key and a random 96-bit IV.

03

Local by construction

This page contains no vault API. It uses browser file reads, Web Crypto and a local download; plaintext and inputs are not stored by Zmail.

04

Limits still matter

PBKDF2 is deliberately CPU-expensive, not memory-hard. A compromised browser or device could observe plaintext. Use a long unique passphrase and a pattern of 8–9 points when possible.