End-to-end encrypted file sharing that even we can't read. Everything is encrypted in your browser before it ever touches the server. Self-hosted. Open source.
NyxVault never sees your files. The entire encryption and decryption happens in your browser.
Your file is encrypted in your browser with XSalsa20-Poly1305 and an Argon2id-derived key before it ever leaves your device.
Get a unique link. Set an expiry. Optionally enable burn-after-reading for self-destructing files. Share via QR code.
The recipient decrypts in their browser — with a passkey (Face ID / Touch ID / Windows Hello) or a passphrase. Preview images, video, audio, PDFs, and text — all client-side.
Every feature preserves zero-knowledge. The server is deliberately blind.
Unlock files with Face ID, Touch ID, or Windows Hello — no passphrase to remember or share. Built on WebAuthn PRF envelope encryption: every registered passkey can open every vault file, and the server never sees a single key. Prefer a passphrase? Still there as an explicit option — zero-knowledge either way.
The server stores only ciphertext. No plaintext, no passphrase, no filename, no content type. We couldn't read your files even if we wanted to.
Self-destruct on first successful decryption. Server-side single-use lock on the ciphertext, with secure overwrite before deletion.
Images, videos, audio, PDFs, and text previewed directly after decryption. No downloads to your disk required.
Opt-in hash-based malware check. Only the SHA-256 hash is sent — never the file. Clear privacy warning for sensitive files.
Open any download link on your phone by scanning a QR code. Generated client-side with zero external calls.
MIT licensed. Audit the code yourself. Self-host in minutes. No accounts, no tracking, no analytics.
Every claim is auditable. The code is open, the protocol is documented, the math is standard.
No account needed. No tracking. Just encryption.