The Process

How Seal Works

Here is exactly what happens to your file from the moment you encrypt it to the moment your recipient opens it.

The Big Picture

Encrypt

You select a file and a recipient. Everything that follows happens locally in your browser.

Send

You send the .seal file however you like — email, message, anything. It is safe in transit regardless of the channel.

Decrypt

Your recipient drops the file into Seal. It is verified, unlocked, and returned to its original form.

What happens when you encrypt?

1. A one-time AES key is generated

Your browser generates a fresh AES-256-GCM key and IV for this file and this file only. It exists in memory and nowhere else.

2. Your file is encrypted locally

The file is encrypted using that AES key entirely within your browser via the Web Crypto API. The original file never moves.

3. The AES key is wrapped

The AES key is encrypted using your recipient's RSA public key, which is fetched from Seal's database. Only your recipient, who holds the matching private key, can unwrap it.

4. The header is assembled and signed

A JSON header is built containing the recipient identity, sender identity, wrapped AES key, and IV. The sender then signs this header using their own RSA private key with RSA-PSS/SHA-256. Any future tampering with the header is immediately detectable.

5. The .seal file is packaged

The signed header and the encrypted file contents are combined into a single .seal binary and downloaded directly to your machine. Nothing is uploaded.

What happens when you decrypt?

1. The file is dropped into Seal

The recipient drags the .seal file into the Seal decrypt panel. The header is parsed and the intended recipient is identified.

2. The signature is verified

Seal fetches the sender's public key from the database and verifies the RSA-PSS signature against the header. If a single byte of the header has been altered, verification fails and decryption is rejected immediately with an error.

3. The recipient is validated

Seal confirms the logged-in user matches the recipient identity in the header. If it does not match, access is denied.

4. The AES key is unwrapped

The recipient's RSA private key — held only in their browser's sessionStorage — unwraps the encrypted AES key. This is the only moment the private key is used.

5. The file is decrypted and delivered

The original file is decrypted in the browser and returned for download or preview. The server played no role in any of this.
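
The encrypt and decrypt steps above, sketched with the Web Crypto API as an added example (not Seal's own code). RSA-OAEP for key wrapping, separate signing and wrapping key pairs, the header field names, and the in-memory object standing in for the .seal binary are assumptions; keys are passed in directly instead of being fetched from a database.

```javascript
// Added example: Seal-style hybrid encryption. RSA-OAEP wrapping, header field
// names and the { header, signature, body } container are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const RSA = { modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
const PSS = { name: "RSA-PSS", saltLength: 32 };
const enc = (b) => btoa(String.fromCharCode(...new Uint8Array(b)));
const dec = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function seal(plaintext, senderId, senderSignKey, recipientId, recipientPub) {
  const aes = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV for this file only
  const body = await wc.subtle.encrypt({ name: "AES-GCM", iv }, aes, plaintext);
  const wrapped = await wc.subtle.wrapKey("raw", aes, recipientPub, { name: "RSA-OAEP" });
  const header = new TextEncoder().encode(JSON.stringify(
    { recipient: recipientId, sender: senderId, wrappedKey: enc(wrapped), iv: enc(iv) }));
  const signature = await wc.subtle.sign(PSS, senderSignKey, header);
  return { header, signature, body };
}

async function unseal(file, senderVerifyKey, me, myPrivateKey) {
  // Verify the signature over the exact header bytes before using any field.
  if (!(await wc.subtle.verify(PSS, senderVerifyKey, file.signature, file.header)))
    throw new Error("header signature invalid");
  const h = JSON.parse(new TextDecoder().decode(file.header));
  if (h.recipient !== me) throw new Error("not the intended recipient");
  const aes = await wc.subtle.unwrapKey("raw", dec(h.wrappedKey), myPrivateKey,
    { name: "RSA-OAEP" }, "AES-GCM", false, ["decrypt"]);
  // AES-GCM authenticates the body: a modified ciphertext makes decrypt() reject.
  return new Uint8Array(await wc.subtle.decrypt({ name: "AES-GCM", iv: dec(h.iv) }, aes, file.body));
}

async function demo() {
  const sender = await wc.subtle.generateKey({ name: "RSA-PSS", ...RSA }, false, ["sign", "verify"]);
  const rcpt = await wc.subtle.generateKey({ name: "RSA-OAEP", ...RSA }, false, ["wrapKey", "unwrapKey"]);
  const file = await seal(new TextEncoder().encode("constructed sample file"),
    "alice", sender.privateKey, "bob", rcpt.publicKey);
  const text = new TextDecoder().decode(await unseal(file, sender.publicKey, "bob", rcpt.privateKey));
  file.header[0] ^= 1; // flip one bit of the signed header
  const tampered = await unseal(file, sender.publicKey, "bob", rcpt.privateKey).catch((e) => e.message);
  return { text, tampered };
}

demo().then((r) => console.log(r));
```
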

Where your private key lives and where it doesn't

Generation

On signup, your RSA key pair is generated entirely in your browser. The private key is encrypted with a key derived from your password via PBKDF2 before it ever moves anywhere.

Session

On login, your encrypted private key is fetched and decrypted in your browser using your password. It lives in sessionStorage for the session and is wiped the moment your browser closes.

Storage

Only the encrypted private key blob is stored in our database — useless without your password. Your public key is stored in plaintext so senders can encrypt files to you.

Built on open standards. Designed for everyone.

The cryptography in Seal is the same used by governments, security researchers, and the most trusted platforms on the internet. We just made it something anyone can use in thirty seconds.

A new standard of security, made simple.

© 2025. All rights reserved.
