Security & Privacy

Your privacy is not a feature — it's the foundation. Learn how Wormhole protects your files with military-grade encryption.

How We Protect Your Files

AES-256-GCM Encryption

Your files are encrypted using AES-256-GCM, the same encryption standard used by governments, banks, and military organizations worldwide. Brute-forcing a 256-bit key for this symmetric encryption algorithm is considered infeasible with current technology.

Client-Side Key Generation

Encryption keys are generated entirely in your browser using the Web Crypto API. The key never leaves your device in its raw form — it's only shared as part of the URL fragment.

URL Fragment Security

The encryption key is stored in the URL fragment (after the #). By design, browsers never send URL fragments to servers. This means we literally cannot see your encryption keys.

Zero-Knowledge Architecture

We never see your files or encryption keys. Our servers only handle encrypted blobs and metadata needed for peer discovery. Even if our servers were compromised, your files would remain encrypted.

Encrypted Relay Storage

When you choose "Send & Close", files are stored encrypted on our servers. We only see encrypted bytes — without the key (in your URL), the data is unreadable gibberish to us.

Perfect Forward Secrecy

Each file transfer uses a unique encryption key. Even if one key were compromised, it couldn't be used to decrypt any other files you've shared.

What We Can and Cannot See

What we can see (metadata only)

  • File size (for display purposes)
  • File name (for display only)
  • Expiration settings you choose
  • Number of downloads
  • Encrypted bytes (unreadable without key)

What we cannot see (zero-knowledge)

  • Actual file contents
  • Encryption keys (stored in URL fragment)
  • Decrypted file data

Technical Specifications

  • Encryption Algorithm: AES-256-GCM. Advanced Encryption Standard with Galois/Counter Mode.
  • Key Generation: Web Crypto API. Cryptographically secure random key generation.
  • Key Size: 256 bits. 2^256 possible combinations.
  • IV (Initialization Vector): 96 bits. Unique per encryption operation.
  • Authentication Tag: 128 bits. Ensures data integrity.
  • Transport: WebRTC (DTLS). Encrypted peer-to-peer channel.

Encryption Flow

1. generateKey() → CryptoKey
   256-bit AES key generated in browser

2. encrypt(file, key) → encryptedBlob
   AES-256-GCM encryption with random IV

3. share(encryptedBlob) via WebRTC
   P2P transfer with DTLS encryption

4. URL: wormhole.asifkibria.com/abc123#key=base64EncodedKey
   Key in fragment (never sent to server)

5. decrypt(encryptedBlob, key) → originalFile
   Decryption happens in recipient's browser
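
The flow above, written out against the Web Crypto API as an added example (this is not Wormhole's own source code). generateKey, encrypt and decrypt follow the names in the flow; the IV-prefixed blob layout, the base64url key encoding and the helpers buildShareUrl, requestTarget and keyFromShareUrl are assumptions made for illustration.

```javascript
// Added example, not Wormhole's source. Assumptions: IV-prefixed blob layout,
// base64url key encoding, helper names buildShareUrl/requestTarget/keyFromShareUrl.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const toB64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Step 1: a fresh, extractable 256-bit AES-GCM key for this transfer only.
async function generateKey() {
  return subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
}

// Step 2: random 96-bit IV, stored in front of ciphertext + 128-bit tag.
async function encrypt(fileBytes, key) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, key, fileBytes);
  const blob = new Uint8Array(iv.length + ct.byteLength);
  blob.set(iv, 0);
  blob.set(new Uint8Array(ct), iv.length);
  return blob;
}

// Step 4: the raw key is placed only in the fragment of the share link.
async function buildShareUrl(base, key) {
  const raw = new Uint8Array(await subtle.exportKey('raw', key));
  return `${base}#key=${toB64url(raw)}`;
}

// The part of the link a browser puts in its HTTP request: path and query, no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient side: recover the key from the fragment and reject anything but 32 bytes.
async function keyFromShareUrl(shareUrl) {
  const encoded = new URLSearchParams(new URL(shareUrl).hash.slice(1)).get('key');
  const raw = fromB64url(encoded ?? '');
  if (raw.length !== 32) throw new Error('fragment does not hold a 256-bit key');
  return subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['decrypt']);
}

// Step 5: GCM checks the tag first; a modified blob rejects instead of returning data.
async function decrypt(blob, key) {
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12), tagLength: 128 }, key, blob.slice(12));
  return new Uint8Array(pt);
}
```

Encrypting the same file twice under one key yields different blobs because each call draws a new IV, and flipping any bit of a stored blob makes decrypt reject.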

Trust But Verify

Don't take our word for it. The encryption happens entirely in your browser using standard Web Crypto APIs. You can verify this by inspecting the source code or monitoring network traffic — you'll only see encrypted data leaving your device.
