OBSCURA v0.1.2
zero-knowledge file transfer · ephemeral · open source
Encrypt in the browser. Ship the ciphertext. Burn the link.
OBSCURA is a zero-knowledge file-transfer service. Files are encrypted in your browser with AES-256-GCM before they ever leave the page. The server stores ciphertext only — encryption keys never touch the wire — and shares self-destruct after a configurable read count or TTL.
how it works · 3 steps
01 · encrypt
in your browser
A random 256-bit key is generated in-page. Files are packed and run through AES-256-GCM via WebCrypto. Optional Argon2id passphrase wrap.
02 · upload
ciphertext only
The encrypted blob goes to a Cloudflare Worker. The key stays in the URL fragment (#k=…) — browsers never send fragments to servers.
03 · burn
TTL or read-count
Configurable expiry (up to 7 days) and download cap (1, 3, 5, or 10). When either fires, R2 is purged and KV forgets. Manual burn anytime.
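Steps 01 and 02 as a runnable sketch, added here as an illustration and not taken from OBSCURA's source: it generates the key, encrypts with AES-256-GCM through WebCrypto, carries the key only in the `#k=` fragment, and shows that the request target built from the link contains no key and that a modified blob fails authentication. The blob layout (12-byte IV followed by ciphertext and tag), the base64url key encoding, the `obscura.example` URL and all function names are assumptions; file packing and the Argon2id wrap are left out.

```javascript
// Added illustration, not OBSCURA's code. Blob layout, key encoding and names are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browsers and current Node expose globalThis.crypto

const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (text) =>
  Uint8Array.from(atob(text.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Sender side: returns the blob to upload and the link to hand to the recipient.
async function seal(plaintext, shareUrl) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce for every encryption
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  const blob = new Uint8Array(iv.length + ct.length); // assumed layout: IV || ciphertext || tag
  blob.set(iv);
  blob.set(ct, iv.length);
  const raw = new Uint8Array(await wc.subtle.exportKey("raw", key));
  return { blob, link: `${shareUrl}#k=${toB64url(raw)}` };
}

// The part of the link an HTTP client sends to the server: everything except the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Recipient side: reads the key from the fragment and decrypts the downloaded blob.
async function unseal(blob, link) {
  const raw = fromB64url(new URL(link).hash.replace(/^#k=/, ""));
  if (raw.length !== 32) throw new Error("expected a 256-bit key in the fragment");
  const key = await wc.subtle.importKey("raw", raw, "AES-GCM", false, ["decrypt"]);
  // decrypt() rejects if any byte of the ciphertext or tag changed in storage or transit.
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return new Uint8Array(pt);
}
```

The fragment still travels with the link itself, so the confidentiality of a share depends on the channel used to send the link to the recipient.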
trust posture · verifiable
what we can see
- Opaque ciphertext bytes
- Total ciphertext size
- Aggregate daily counters
- Cloudflare-side IP logs (see Trust Center)
what we never see
- Plaintext bytes — encrypted before upload
- Encryption keys — in the URL fragment
- Sender or recipient identity — no accounts
- Filenames or content metadata in the clear
stack · read the source
AES-256-GCM · WebCrypto
Argon2id · m=64MiB · t=3
Cloudflare Workers + R2 + KV
React 18 · SRI-pinned
MIT · github
current public limits · no accounts
File size · 50 MB design ceiling · 64 MiB hard cap
Expiry · 1 hour to 7 days
Downloads · 1 / 3 / 5 / 10
Audit · public source, no third-party audit
Regulated data · not supported
disclaimer · read before relying on it
OBSCURA has not been independently security-audited, has no SLA or key-recovery, and is not appropriate for regulated data (HIPAA / PCI / CJIS / classified). Read the DISCLAIMER and Trust Center before using it for anything that matters.