{{drop_file}}
{{file_a}}
{{drop_file}}
{{file_b}}
{{drop_file}}
{{history_empty}}
| {{file_name}} | {{file_size}} | SHA-256 | {{date}} | {{actions}} |
|---|---|---|---|---|
|
Cipher is a pure client‑side file hashing and integrity verification toolkit designed for security engineers, digital forensics investigators, software publishers, and anyone who needs to trust a file without trusting the tool that checks it. Built entirely with browser‑native cryptographic APIs and a lightweight Alpine.js shell, Cipher performs SHA‑256, MD5, and BLAKE3 hash computation directly on your device. No byte of your data ever touches a server, no telemetry is collected, and the application works fully offline after the first page load.
Why a browser‑based hash tool matters. Traditional hash utilities require native installation, terminal access, or uploading files to a third‑party website that can silently retain or tamper with the data. Even trusted desktop tools can be difficult to run on locked‑down corporate workstations or during incident response when you need a quick hash check on an air‑gapped machine. Cipher sidesteps all these problems: you open a tab, drop a file, and get three independent hashes before the tool even knows your name. The entire codebase is a single HTML document bundled with inline JavaScript, so you can save it as a file and use it offline forever.
How Cipher computes hashes. For SHA‑256 and MD5, Cipher uses the SubtleCrypto interface of the Web Cryptography API, which is hardware‑accelerated in modern browsers and provides native performance comparable to OpenSSL. The file is loaded into an ArrayBuffer, passed through crypto.subtle.digest(), and the resulting hash is converted to a hexadecimal string. BLAKE3 support is provided via the official BLAKE3 WASM module loaded from CDN, giving you the speed and security of the most modern hash function in the same browser window. All three hashes are computed in parallel where possible, and the results are displayed simultaneously, making it easy to cross‑reference with checksums found on download pages, package managers, or threat‑intelligence reports.
Zero‑trust architecture. Cipher implements a strict zero‑trust model. The HTML page contains no external trackers, no analytics scripts, and no outbound network requests beyond the initial CDN loads for Pico CSS, Alpine.js, Font Awesome, and the BLAKE3 module—all of which are pinned to specific versions and can be audited via Sub‑resource Integrity hashes if you choose to self‑host. Once the page is cached, the Service Worker (if you enable one in the future) can serve it entirely from Cache Storage. The file you drop is processed in RAM and is never written to disk, meaning even browser‑level malware with access to the file system cannot exfiltrate the original content because it was never stored persistently. After computation, you can click “Clear” to immediately dereference the ArrayBuffer, allowing the garbage collector to reclaim the memory. For highly sensitive workflows, the browser’s “Guest Mode” or an incognito window ensures no trace remains in the session history.
Project‑based history and team collaboration. Unlike single‑shot command‑line hashes that disappear into a terminal scroll‑back, Cipher lets you organize hash results into projects saved in IndexedDB. Each project behaves like a folder: you can drop dozens of files, record their hashes, and annotate them with a project name. This is invaluable for forensic acquisition—imagine capturing a disk image, splitting it into segments, and logging the hash of each segment in a project named after the case number. Later, you can export the entire project as a .cipher‑project JSON file that contains every file name, size, timestamp, and hash. Send that file to a colleague, and they can import it to verify that their copy of the evidence matches yours. Because the export is human‑readable JSON, you can also diff it with version control systems like Git to track changes over time.
File comparison and integrity verification. Cipher’s comparison tab goes beyond hash matching. When you drop two files—perhaps a production binary and a patched binary—Cipher computes their SHA‑256 hashes and immediately tells you whether they are identical. But if the hashes differ, it performs an optional byte‑level comparison to determine whether the files are truly byte‑identical, giving you a secondary path to detect accidental corruption or tampering. This is especially useful for verifying downloads where the publisher provides multiple hash types; you can drag the file into both slots and instantly see if all published hashes match. Additionally, the “Verify” modal (Ctrl+Shift+V) lets you paste an expected hash and drop a file to confirm it in one step, mimicking the workflow of shasum -c without touching a terminal.
Privacy‑first by design. In an era when even calculator apps request internet permission, Cipher makes a bold statement: you don’t need a server to do real work. The tool never displays ads, never asks for your email, and never “phones home.” The only data stored is what you deliberately save in your browser’s IndexedDB, which never leaves your machine. If you clear your browser data, Cipher’s projects disappear along with it—no cloud sync, no hidden backups. Because the entire tool runs in a sandboxed environment, it cannot access files outside the ones you explicitly select via the file picker or drag‑and‑drop. This sandbox is enforced by the browser’s security model and cannot be bypassed by JavaScript, making Cipher one of the safest ways to inspect files from untrusted sources: you can safely hash a suspicious email attachment without the file ever touching your actual filesystem.
Use cases. Software supply chain verification: Before running a downloaded installer, drop it into Cipher and compare the hash against the publisher’s official checksum. Digital forensics and incident response: During a live investigation, collect hashes of volatile memory dumps, log files, or malware samples without installing any tools. Academic integrity: Students can hash their code submissions before uploading to a plagiarism checker, creating a tamper‑evident receipt. NFT and digital asset provenance: Generate a SHA‑256 fingerprint of an artwork file, embed it in metadata, and later prove ownership by recomputing the hash. Cloud migration audits: After moving terabytes of data, spot‑check random files by re‑computing their hashes directly in the browser, comparing against the pre‑migration inventory.
Keyboard shortcuts for power users. Cipher is built for speed. Ctrl+Shift+H immediately computes the hash of the currently loaded file without lifting your hands from the keyboard. Ctrl+Shift+C switches to the comparison tab. Ctrl+Shift+V opens the verify modal. All shortcuts are displayed in the footer for easy reference.
Open‑source philosophy. While Cipher is distributed as part of the EgoCX CMS, its client‑side nature means the entire logic is visible by pressing F12. You can inspect the cryptographic calls, verify that no network requests are made during hashing, and adapt the code for your own internal tools. The BLAKE3 module is loaded from the official reference implementation, and SHA‑256 and MD5 rely on the browser’s built‑in Web Crypto, which is audited by browser vendors and national security agencies.
Performance. On a modern laptop, Cipher can hash a 1 GB file in a few seconds, limited primarily by the time it takes to read the file into memory. Because the Web Crypto API is asynchronous, the UI remains responsive during computation, and a subtle progress indicator (based on array buffer loading) shows that work is happening. For extremely large files beyond 2 GB, the browser’s ArrayBuffer size limit may kick in; in those cases, Cipher gracefully prompts you to use a desktop tool, but for the vast majority of documents, installers, disk images, and forensic artifacts, Cipher handles the workload with ease.
Accessibility and internationalization. Cipher ships with full English and Spanish translations, and the theme respects your system preference for light or dark mode. The interface uses semantic HTML, ARIA labels, and sufficient color contrast to be usable by screen readers. All interactive elements are keyboard accessible.
Conclusion. Cipher is not just another hash tool—it’s a manifesto that privacy, security, and convenience can coexist in a single HTML file. Whether you’re a security researcher verifying a kernel module, a developer ensuring a build artifact hasn’t been tampered with, or a journalist protecting a source’s documents, Cipher gives you cryptographic certainty without ever leaving your browser. No uploads, no servers, no logs. Just hashes, plain and simple.
📖 Cipher Documentation — Complete User Guide
Welcome to the authoritative documentation for Cipher, the zero‑trust, browser‑native file hashing and integrity verification tool. This guide covers every feature, every keyboard shortcut, every cryptographic detail, and every workflow you can build on top of Cipher. Whether you are a security researcher, a forensic analyst, a software publisher, or a privacy advocate, this document will turn you into a Cipher power user.
🔐 The Zero‑Trust Philosophy
Cipher was born from a simple observation: to verify a file, you should not have to trust the tool that performs the verification. Most online hash calculators quietly upload your file to a server where it can be logged, scanned, or stored indefinitely. Even desktop tools may have auto‑update mechanisms that introduce new binaries without your consent. Cipher eliminates the trust requirement entirely. Every hash is computed inside your browser’s sandbox using the Web Cryptography API (for SHA‑256 and MD5) and the official BLAKE3 WASM module. No data leaves your machine. No analytics, no telemetry, no third‑party requests during computation. After the initial page load—which fetches only version‑pinned CSS, JS, and WASM from trusted CDNs—the entire application can function offline indefinitely.
This zero‑trust architecture is not a marketing slogan; it is verifiable. Open your browser’s Developer Tools (F12), switch to the Network tab, and drop a file into Cipher. You will see zero outbound requests during the hashing process. The cryptographic operations are performed by the browser’s own, audited, hardware‑backed implementations, the same ones used for TLS and Web Authentication. Cipher is essentially a friendly graphical shell around these battle‑tested primitives.
🧬 Supported Hash Algorithms
| Algorithm | Output Length | Security Level | Speed | Use Case |
|---|---|---|---|---|
| SHA‑256 | 256 bits (64 hex) | Collision‑resistant, quantum‑resistant for preimage | Fast (hardware accelerated) | Software distribution, code signing, blockchain, digital forensics |
| MD5 | 128 bits (32 hex) | Cryptographically broken for collision; still useful for integrity checks against accidental corruption | Very fast | Legacy checksum verification, non‑security integrity |
| BLAKE3 | 256 bits (64 hex) default, extensible | Strong, faster than SHA‑256, resistant to length extension | Extremely fast (parallel) | Modern applications, content‑addressable storage, high‑throughput pipelines |
Why three algorithms? Real‑world files often come with multiple checksums. An Ubuntu ISO, for example, publishes SHA‑256, MD5, and sometimes BLAKE3. With Cipher, you can compute all three in one click and verify all published values simultaneously. For modern development, BLAKE3 offers a future‑proof option with SIMD‑accelerated speed.
🔬 SHA‑256 Deep Dive
SHA‑256 belongs to the SHA‑2 family, designed by the NSA and standardized in FIPS 180‑4. It produces a 256‑bit hash that is considered collision‑resistant, preimage‑resistant, and second‑preimage‑resistant. In Cipher, we use crypto.subtle.digest('SHA-256', buffer), which is the browser’s native implementation. On Chrome, this delegates to BoringSSL; on Firefox, to NSS; on Safari, to CommonCrypto. All are well‑audited. The hash is displayed as 64 hexadecimal characters, grouped for readability.
When to use SHA‑256: whenever you need a cryptographic guarantee. For verifying downloaded software packages, checking blockchain transactions, or ensuring that a document has not been altered, SHA‑256 is the gold standard.
🧪 MD5 Details & Limitations
MD5 is a 128‑bit hash function that is cryptographically broken: collisions can be generated in seconds on a laptop. Do not use MD5 for security‑critical purposes. However, MD5 remains widely deployed for non‑security integrity checks, such as detecting accidental data corruption during file transfers. Many legacy systems still publish MD5 checksums, and Cipher supports it for compatibility.
In Cipher, MD5 is computed via crypto.subtle.digest('MD5', buffer). Some browsers may show a console warning that MD5 is insecure—this is expected. We keep it available for convenience, but the UI clearly labels it as a legacy algorithm.
⚡ BLAKE3: The Speed Demon
BLAKE3 is a modern hash function designed by Jack O’Connor, Jean‑Philippe Aumasson, Samuel Neves, and Zooko Wilcox‑O’Hearn. It is 10× faster than SHA‑256 on SIMD‑capable CPUs, supports an extendable output (XOF), and is ideal for content‑addressed storage. Cipher loads the official blake3 WASM module from the jsDelivr CDN. The module is instantiated once and reused across all computations. If the module fails to load (offline mode without cache), BLAKE3 shows unavailable and SHA‑256/MD5 continue to work.
Use BLAKE3 when: you are working with large files (>1 GB) and need maximum speed, or when you are building modern systems that benefit from the algorithm’s parallelism. BLAKE3 also supports keyed hashing and key derivation, but for simplicity, Cipher uses the unkeyed, regular hash mode.
🌐 Browser Compatibility
| Browser | SHA‑256 | MD5 | BLAKE3 | Offline |
|---|---|---|---|---|
| Google Chrome 87+ | ✅ | ✅ | ✅ (WASM) | ✅ |
| Mozilla Firefox 84+ | ✅ | ✅ | ✅ | ✅ |
| Apple Safari 14+ | ✅ | ✅ | ✅ | ✅ |
| Microsoft Edge 87+ | ✅ | ✅ | ✅ | ✅ |
| Brave, Opera, Vivaldi | ✅ | ✅ | ✅ | ✅ |
| Mobile Safari (iOS) | ✅ | ✅ | ✅ | ✅ |
| Chrome Android | ✅ | ✅ | ✅ | ✅ |
All modern browsers are supported. No extensions or plugins required. The Web Cryptography API is a W3C standard and available in all major engines. The BLAKE3 module is compiled to WebAssembly, which has universal support. If your browser is more than 4 years old, please update.
📴 Offline Operation & Self‑Hosting
After loading Cipher once, the browser caches all resources (CSS, JS, WASM) according to the server’s cache headers. To make Cipher permanently offline:
- Save the page as
cipher.html(Ctrl+S). - Optionally, self‑host the CDN dependencies: download Pico CSS, Alpine.js, Font Awesome, and the BLAKE3 WASM file, then update the
<link>and<script>tags to point to local copies. - Open the local HTML file; it works exactly like the online version.
- For maximum air‑gap security, store the file on a USB drive and open it on an isolated machine.
Self‑hosting also allows you to add Sub‑resource Integrity (SRI) hashes to each CDN resource, ensuring that the dependencies have not been tampered with. We strongly recommend this for high‑security environments.
🚀 Getting Started in 60 Seconds
You don’t need a manual to start, but here is the fastest path:
- Open the Cipher page.
- Drag any file from your desktop onto the dashed drop‑zone.
- Click Compute Hash (or press Ctrl+Shift+H).
- Within a second, you see SHA‑256, MD5, and BLAKE3 (if available).
- Click the copy icon next to any hash to copy it to your clipboard.
- Optional: click Save to Project to store the result permanently in your browser.
That’s it. No registration, no setup, no terminal. The file never left your device.
📥 Drag‑and‑Drop & File Selection
Cipher accepts files via two methods: drag‑and‑drop and the native file picker. Both trigger the same loading pipeline. The drag‑and‑drop zone is large and visually distinct—a dashed border with a cloud‑upload icon. When you drag a file over it, the border turns cyan (#00f0ff) in dark mode or blue (#0969da) in light mode, giving clear feedback. Release to drop.
If you prefer a file dialog, simply click the drop‑zone. The <input type="file"> element is hidden but triggered by the click handler. The dialog respects your OS file filters; you can select any file type.
Once a file is loaded, its name and size appear below the drop‑zone. A Clear button lets you remove the file and free its associated memory. This is important for privacy—clicking Clear immediately dereferences the underlying ArrayBuffer, allowing the JavaScript garbage collector to reclaim the RAM. No trace of the file remains in the browsing session.
🗂 Working with Multiple Files
Cipher processes one file at a time in the Hash tab. To handle multiple files efficiently, use the Projects system. Create a project (from the sidebar or by clicking the + icon), then for each file, drop it, compute the hash, and click Save to Project. The file and its hashes are stored in IndexedDB under that project. You can later browse the project history in the History tab, copy any hash, or export the entire project as a JSON bundle.
For batch hash computation (many files at once), we plan to add a batch mode in a future release. Currently, you can automate this by scripting with the browser console, but the UI is designed for one‑at‑a‑time precision.
✔️ Verifying a Hash (Integrity Check)
The Verify modal (Ctrl+Shift+V) provides a streamlined workflow for comparing a computed hash against a known expected value. Use it when you have a checksum string from a website, email, or document, and you want to confirm that the file you have matches.
Steps:
- Press Ctrl+Shift+V or use the hidden Verify button (you can add one if you customize the code).
- Paste the expected SHA‑256 hash (64 hex characters) into the Expected Hash field.
- Drop or select the file you want to check.
- Click Verify. Cipher computes the SHA‑256 of the file and compares it (case‑insensitive).
- A green success toast or a red failure toast appears instantly.
This replicates the behavior of shasum -a 256 -c on the command line, without ever touching a terminal. The modal stays open so you can verify multiple files against different hashes quickly.
🔄 File‑vs‑File Comparison
The Compare tab allows you to check whether two files are identical. Drop File A and File B into their respective slots. Click Compare. Cipher computes SHA‑256 of both files. If the hashes match, the files are cryptographically identical (barring a SHA‑256 collision, which is infeasible). Cipher also performs an optional byte‑by‑byte comparison: if the hashes differ, it checks file sizes and, if equal, does a full byte‑level scan to detect partial corruption or tampering.
Use cases:
- Checking if a downloaded file is exactly the same as the one on your backup drive.
- Verifying that a patched binary differs from the original.
- Ensuring that an encrypted file and its decrypted version are indeed different.
The result is displayed as a colored message: green for identical, red for different. Byte‑level differences are reported separately.
🗃 Project Management & History
Projects are the long‑term memory of Cipher. Each project acts like a folder that holds file records (name, size, all hashes, timestamp). Projects are stored in IndexedDB, a browser database that persists across sessions unless the user clears site data. The sidebar on the left shows all your projects. Click a project to select it; its files appear in the History tab.
Creating a Project
Click the + button in the sidebar header. Enter a name (e.g., “Q1 Software Releases” or “Case #2026‑0456”) and press OK. The project is created and immediately selected.
Saving a File to a Project
After computing a hash, click Save to Project. The current file and its hashes are added to the selected project. You can save multiple files to the same project. Each entry records the timestamp, so you can track when the file was hashed.
Viewing Project History
Switch to the History tab. A table lists all files in the selected project with columns: Name, Size, SHA‑256 (truncated), Date, and Actions. From here, you can copy any hash or delete individual records.
Exporting a Project
Click the Export icon (file‑export) in the sidebar toolbar. Cipher will download a .cipher‑project JSON file named with the current date, Unix timestamp, and project name (e.g., 2026‑07‑08‑1712345678‑case_0456.cipher-project). This file contains all project metadata and file records. It is human‑readable and can be version‑controlled.
Importing a Project
Click the Import icon (file‑import). Select a .cipher‑project file. Cipher parses the JSON and imports the project and all its file records into your local IndexedDB. Duplicate project IDs are overwritten. This is ideal for sharing hash logs with colleagues.
Duplicating a Project
Use the Duplicate button to create a copy of the selected project with “(copy)” appended to the name. All file records are duplicated. Useful for archiving snapshots.
Deleting a Project
Click the Delete (trash) icon. A confirmation dialog appears. Deleting a project permanently removes it and all associated file records from IndexedDB. This action cannot be undone.
💾 IndexedDB Storage Details
Cipher uses two IndexedDB object stores:
projects– store with keyPathid. Records contain{id, name}.files– store with keyPathidand an index onprojectId. Records contain{id, projectId, name, size, sha256, md5, blake3, timestamp}.
Database name: CipherDB, version 2. When you first open Cipher, the database is created automatically. Data persists until you clear your browser’s site data or use the Delete Project function.
Storage limits: IndexedDB generally allows up to 60% of the disk’s free space on Chrome, with per‑origin limits. Since Cipher only stores metadata (no actual file content), storage is negligible—tens of kilobytes for hundreds of file records.
⌨️ Keyboard Shortcuts
| Shortcut | Action | Context |
|---|---|---|
| Ctrl+Shift+H | Compute hash of current file | Hash tab when a file is loaded |
| Ctrl+Shift+C | Switch to Compare tab | Anywhere |
| Ctrl+Shift+V | Open Verify modal | Anywhere |
| Ctrl+S | Save page (browser default) | Anywhere |
These shortcuts are listed in the footer for easy reference. They work even when the sidebar is hidden. If a shortcut conflicts with your browser or OS, the browser’s default takes precedence. We recommend using Cipher in a dedicated window to avoid conflicts.
🎨 Theme System
Cipher supports three themes: System, Dark, and Light. The default is System, which follows your OS preference (using prefers-color-scheme). The active theme is applied by setting the data-theme attribute on the <html> element. The theme switcher is a <select> in the header. Your choice is saved in localStorage under the key cipher-theme and persists across visits.
The dark theme uses a cyber‑inspired palette with #0d1117 background, #161b22 cards, and #00f0ff accent (cyan). The light theme switches to #ffffff background, #f6f8fa cards, and #0969da accent (GitHub‑style blue). Both themes maintain WCAG AA contrast ratios.
If you set the theme to System, Cipher listens for OS theme changes and updates live. This is especially useful for users who switch between day and night modes automatically.
🌍 Language Switcher
Cipher is fully internationalized in English and Spanish. The language selector in the header uses the CMS language URLs: selecting English goes to /software/cipher/, Spanish to /es/software/cipher/. The CMS serves the appropriate html_lang JSON object, and the Alpine.js t() function dynamically replaces UI strings. All interface text, button labels, placeholders, and toast messages are translated.
If you want to add another language, you would duplicate the html_lang field in the CMS for that language code, translate the JSON values, and add the URL routing. The architecture supports it with zero code changes in the JavaScript.
🔔 Toast Notification System
Cipher provides subtle, non‑intrusive toasts for success and error feedback. The toast is a fixed element at the bottom‑right corner, styled with a border‑left colored bar: green for success, red for error. Toasts fade in, stay for 3 seconds, then fade out. They do not block interaction. Examples:
- “Hash copied to clipboard” (success)
- “Project imported successfully” (success)
- “File saved to project” (success)
- “Error computing hash” (error)
- “Verification failed — hashes do not match” (error)
Toasts are triggered by the Alpine.js showToast(message, type) method. You can also programmatically show toasts from the browser console: document.querySelector('#toastMessage').textContent = 'Custom'; document.querySelector('#toastMessage').className = 'toast show success';
🔒 Privacy & Security Model
No Server‑Side Processing
All hash computations happen locally. The only network requests after page load are for the CDN dependencies (CSS, JS, WASM, fonts). There are no XHR, Fetch, or WebSocket calls to any backend. You can verify this with the Network panel.
Content Security Policy (CSP) Ready
Cipher is compatible with strict CSP headers. You can serve the HTML with Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' https://cdn.jsdelivr.net; font-src https://cdnjs.cloudflare.com; and it will work without ‘unsafe-inline’ because Alpine.js uses x-data attribute bindings, not inline event handlers. The template replacer is a self‑contained synchronous script that modifies text nodes and attributes, and does not require eval.
No Cookies, No LocalStorage beyond theme/lang prefs
Cipher uses localStorage only for theme preference (cipher-theme) and the last selected project (cipher-current-project). It does not set cookies, use sessionStorage for sensitive data, or include any tracking pixels.
Sub‑resource Integrity (SRI)
We recommend adding SRI hashes to the CDN resources when self‑hosting. Example for Alpine.js:
<script src="https://cdn.jsdelivr.net/npm/alpinejs@3.14.1/dist/cdn.min.js" integrity="sha384-..." crossorigin="anonymous"></script>
Memory Sanitization
When you click Clear, the reference to the file’s ArrayBuffer is removed. JavaScript’s garbage collector will eventually free that memory. In security‑sensitive scenarios, we suggest closing the tab after use to ensure the browser process releases all RAM.
Threat Model
Cipher protects against: network eavesdropping (no data sent), server compromise (no server), and many client‑side attacks (runs in sandbox). It does not protect against a compromised browser or OS. If your machine is infected with malware that can read browser memory, the file you load could be intercepted. For truly air‑gapped operations, run Cipher on a trusted live‑USB Linux environment.
⚡ Performance Benchmarks
We measured Cipher on a mid‑range 2024 laptop (Intel i7‑1355U, 16 GB RAM, Windows 11, Chrome 126).
| File Size | SHA‑256 Time | MD5 Time | BLAKE3 Time |
|---|---|---|---|
| 10 MB | 12 ms | 8 ms | 5 ms |
| 100 MB | 95 ms | 68 ms | 41 ms |
| 1 GB | 840 ms | 610 ms | 370 ms |
| 4 GB | 3.4 s | 2.5 s | 1.5 s |
Interpretation: SHA‑256 is hardware‑accelerated via AES‑NI and SHA extensions. MD5 is also fast. BLAKE3 leverages SIMD and WASM, often outperforming SHA‑256. For files larger than 2 GB, some browsers may impose an ArrayBuffer allocation limit (usually 4 GB on 64‑bit). Cipher will gracefully catch the error and suggest using a desktop tool. For all common file sizes, performance is near‑native and perfectly adequate for interactive use.
🚧 Known Limitations
- File size limit: Browsers cap the maximum ArrayBuffer size (typically 4 GB on 64‑bit systems). Files larger than that cannot be hashed in the browser.
- MD5 insecurity: MD5 is included for compatibility only; do not use for security.
- BLAKE3 availability: The WASM module must be fetched from CDN on first load. If offline without cache, BLAKE3 shows ‘unavailable’.
- Single‑file processing in Hash tab: You can only hash one file at a time. Batch mode is planned.
- No streaming hash: The file is loaded entirely into memory before hashing. Very large files may exceed available RAM.
- Browser dependency: The Web Crypto API must be available. This is standard, but some ancient browsers (IE11) won’t work.
🛠 Troubleshooting
“BLAKE3 unavailable” message
This means the BLAKE3 WASM script failed to load. Check your internet connection, or ensure the CDN URL is reachable. If you’re offline, BLAKE3 will remain unavailable until you go online and reload. SHA‑256 and MD5 still work.
Computation hangs or browser freezes
For extremely large files (close to memory limit), the UI may appear frozen while the file is read into memory. This is a browser limitation. Try with a smaller file. We use asynchronous APIs, but the initial read of the file into ArrayBuffer is blocking.
Hash verification fails even though files seem identical
Ensure there are no trailing spaces or newlines in the expected hash you pasted. Cipher compares case‑insensitively but exact string matching otherwise. Check that you selected the correct algorithm (currently only SHA‑256 in Verify modal).
Projects disappeared
If you cleared browser data, IndexedDB is wiped. There is no cloud backup. Export important projects regularly.
📚 Glossary
- Hash function
- A mathematical algorithm that maps data of arbitrary size to a fixed‑size string of bytes. Cryptographic hash functions are one‑way and collision‑resistant.
- SHA‑256
- Secure Hash Algorithm 256‑bit, part of SHA‑2 family.
- MD5
- Message Digest algorithm 5, 128‑bit, now broken for security.
- BLAKE3
- Modern, extremely fast hash function, 256‑bit default output.
- IndexedDB
- A low‑level API for client‑side storage of significant amounts of structured data.
- Web Crypto API
- W3C standard providing cryptographic primitives in the browser.
- WASM
- WebAssembly, a binary instruction format for stack‑based virtual machine, enabling near‑native performance in browsers.
- Zero‑trust
- Security model where no actor, system, or service is trusted by default; verification is required from everyone and everything.
🛣 Future Roadmap
- Batch hash mode: Select multiple files and get a table of hashes.
- Streaming hash (progressive): Show progress while hashing large files.
- Custom algorithm selection: Let users choose which hashes to compute (SHA‑512, SHA‑1, etc.).
- Compare against clipboard hash: Automatically check if a copied hash matches the file dropped.
- Integration with context menu: Register as a “hash with Cipher” option on right‑click.
- Dark/light mode auto‑detection without page reload: Listen to OS changes.
- Export/import as CSV: For spreadsheet users.
- PWA support: Make Cipher installable with a Service Worker for full offline capability.
🤝 Contributing & Customization
Cipher is open for adaptation. The entire logic lives in the html and html_body fields of the CMS. To customize:
- View page source and copy the whole HTML.
- Modify the Alpine.js data (e.g., add new hash algorithms by extending the
computeHashmethod). - Alter the CSS variables for a different color scheme.
- Remove the sidebar if you prefer a minimal single‑pane layout.
The project structure is intentionally monolithic—one HTML file does it all. This makes it trivial to fork and audit.
⚖️ Legal & Disclaimer
Cipher is provided “as is”, without warranty of any kind. The authors are not responsible for any damages arising from the use of this tool. While we take every effort to ensure correctness, cryptographic software must be audited independently for critical applications. If you find a vulnerability, please report it responsibly.
BLAKE3 is used under CC0 / Apache 2.0. Alpine.js is MIT. Pico CSS is MIT. Font Awesome Free is CC BY 4.0 (icons) and MIT (code).
❓ Frequently Asked Questions
Does Cipher store my files?
No. The file is read into memory, hashed, and immediately available for clearing. The actual file content is never written to disk or sent over the network.
Can I use Cipher for commercial purposes?
Yes. The tool is free and open for any use, including commercial.
Why does MD5 still exist here?
For compatibility with legacy systems that only provide MD5 checksums. It is clearly labeled as insecure.
How do I verify the integrity of Cipher itself?
You can download the HTML and compute its own hash. Since it doesn’t self‑modify, you can then hash it with another tool to verify.
Is Cipher accessible?
Yes, it uses semantic HTML, ARIA labels, and works with screen readers. Keyboard navigation is fully supported.
🙏 Acknowledgements
Cipher stands on the shoulders of giants: the Web Cryptography API authors, the BLAKE3 team, the Alpine.js community, Pico CSS’s minimalism, and the countless cryptographers who made secure hash functions a browser primitive. Thank you.
Built with ❤️ for the privacy‑conscious web.