Aarav

ShadowCrypt [Web] E2E Encrypted Messaging platform for the Privacy-Conscious

ShadowCrypt [Web] is a more secure successor to one of my previous projects, "ShadowCrypt". Every message is encrypted in your browser before it ever touches the internet. It uses modern cryptography (ECDH, AES-256-GCM, Argon2id) and a zero-knowledge architecture to ensure that no one can read your messages except you and the receiver.

How It Works (The Technical Stack)

πŸ” End-to-End Encryption (E2EE)

Every message is encrypted using ECDH P-256 + AES-256-GCM with per-message keys. When you start a conversation, ShadowCrypt performs a Diffie-Hellman key exchange directly between your browser and your contact's browser. The resulting shared secret is never transmitted to our servers.

🔑 Zero-Knowledge Identity

Your identity key pair (the cryptographic keys that prove you are you) is generated inside your browser using the Web Crypto API. The private key never leaves your device in unencrypted form. It is wrapped with an AES-256 key that is derived from your password using Argon2id, a modern, memory-hard key-derivation function designed to resist GPU and ASIC brute-force attacks.

🧂 Vault Salt & Encrypted Key Backup

To protect against the real-world scenario of a user clearing their browser data, ShadowCrypt offers an optional encrypted cloud backup of your vault salt and encrypted private key. This backup is AES-256-GCM encrypted with your password-derived key before it ever leaves your device. Without your password, the backup is mathematically indecipherable, even to us.

πŸ—£οΈ BIP-39 Recovery Phrase

Forgot your password? ShadowCrypt generates a 12-word BIP-39 mnemonic recovery phrase during registration and migration. This is the only way to recover your account. ShadowCrypt stores only a SHA-256 hash of the phrase, for verification; the phrase itself is encrypted in your local vault. If you lose your recovery phrase and forget your password, no one can restore your account. Not us. Not anyone.

πŸ•΅οΈ Anonymous by Design

No phone numbers. No email verification that involves external parties. Your account is tied to a username you choose. Your email is a synthetic "{username}@shadowcrypt.com" address used only for Supabase auth. Your identity is yours alone.

πŸ—‘οΈ Self-Destructing Messages

All messages are automatically deleted from the server after 30 days. Old conversations are purged from local storage on every app launch. ShadowCrypt leaves no archaeological layer of your digital life.

Who is this for?

  • Journalists and activists who need confidential communication without metadata leakage.

  • Developers and security professionals who understand that "encrypted" on the server is not encrypted at all.

  • Privacy-conscious individuals who are tired of giving their phone number to every messaging app.

  • Teams handling sensitive IP who need a web-first, zero-install communication channel.

Why Web-Based?

We chose the browser deliberately. It means:

  • No app store gatekeepers. No approval process. No risk of takedown.

  • Cross-platform instantly. Windows, macOS, Linux, Android, iOS: one URL.

  • No telemetry SDKs. No hidden analytics libraries buried in a binary.

  • Verifiable. Open the DevTools. Inspect the network tab. You will see only ciphertext.

🚀 New features to be added:

  • Group chats
  • File sharing
  • Voice messages

Try ShadowCrypt: https://shadowcrypt.up.railway.app/