End-to-end encrypted · zero-knowledge

Send anything.
Trust no one.

Encrypted clipboard, file transfer, and pastebin in one app. Encryption happens in your browser before anything leaves your device — the server stores only cipher-text it can never read.

Open web app Get on Google Play
AES-GCM 256 PBKDF2 600 000 iter No telemetry No account needed
box.sortia.de E2E
PDF
contract-2026.pdf
428 KB · encrypted on device
PNG
screenshot-mac.png
2.1 MB · encrypted on device
MD
recovery-codes.md
3 KB · encrypted on device
TXT
env-staging.txt
812 B · encrypted on device
Share link · view-once · expires 24h
box.sortia.de/s/H7nQ-9zKx#k3y…
CipherAES-GCM 256
KDFPBKDF2 SHA-256
Iters600 000
Server seesCipher-text + IV
Server readsNever
256bit
AES key size
0B
Plaintext on server
600k
PBKDF2 iterations
2
Platforms · web + android
01 — Features

Built on one rule: we shouldn't be able to read your data.

Every file, every clipboard snippet, every share link — encrypted in your browser before upload, decrypted only in someone else's browser when they open the link.

001
Encryption
Web Crypto API runs AES-GCM 256 in your browser. Keys derive from your share password via PBKDF2(SHA-256) with 600 000 iterations. No plaintext crosses the wire.
002
Zero-knowledge
The server stores cipher-text, an IV, and metadata it doesn't understand. Even with full database access, no one — not us, not an attacker — can read your content.
003
Files, text, code
Drop any file, paste any text, push code with syntax highlighting. Big uploads stream through encryption with a live progress bar — no buffer-it-all-in-memory pitfalls.
004
Clipboard sync
Paste on phone, copy on PC. Paste on PC, open on phone. No accounts on either side — only the link and the password know which clipboard is yours.
005
Brute-force shield
Server-side rate limiting on every share. Five wrong passwords trigger exponential backoff. Sustained guessing locks the share down — no need for 32-character passwords.
006
Screenshot watch
On Android, Box notices when a sensitive share is captured to your gallery and warns you within seconds. Useful for one-time passwords and recovery codes.
007
No recipient account
Send a link, share the password. The other side opens the URL in any browser — no signup wall, no app install, no email verification gate.
008
Self-destruct
Pick a TTL — minutes, hours, days, or view-once. When the timer runs out, or someone opens it once, cipher-text is wiped server-side.
02 — How it works

No proprietary protocol — just the Web Crypto API.

Three steps. Anyone with the link and the password decrypts; everyone else, including us, sees noise.

STEP 01

You drop a file

Your browser reads the file, derives a key from your password via PBKDF2(SHA-256, 600 000), and encrypts the bytes with AES-GCM 256.

STEP 02

We store cipher-text

Only the encrypted blob and a random IV reach the server. No password, no key. The DB row knows the file's size and TTL — nothing else.

STEP 03

Recipient decrypts

You send the link and password separately. Their browser pulls cipher-text, re-derives the same key, decrypts locally. The server stays blind.

03 — Platforms

Use whichever screen you have open.

The web app needs nothing but a browser. The Android app adds gallery integration, screenshot detection, and native share intents.

Web

Open in any browser

PWA-installable on desktop and mobile. Single-file architecture — open dev tools and read every line of the code that touches your data.

  • BrowsersChrome · Firefox · Safari · Edge
  • InstallPWA on desktop & mobile
  • InputDrag-drop · paste · file picker
  • ExportZIP bundle on multi-file
  • CSPLocked: self + jsdelivr only
Open web app
Android

Native & gallery-aware

Live on Google Play. Share intents from any app, gallery clipData fallback, screenshot detection, direct save to Downloads folder.

  • Min APIAndroid 7.0 · API 24
  • Arch64-bit ARM · WebView
  • ShareIntent.SEND from any app
  • WatchScreenshot detection
  • SaveDirect to Downloads
Get on Google Play

Send your first encrypted share now.

No signup. No credit card. No newsletter. Just an encryption flow that runs in your browser and a server holding bytes it can't decode.

Open web app Get Android app