I built Stego.Image — a free, open-source
tool that hides any file inside a PNG image using AES-256 encryption and
LSB steganography. No servers, no uploads, everything runs in your browser.
What it does
Upload a PNG and a secret file. Enter a password. Download an image that
looks completely normal but secretly contains your file inside it.
To extract: upload the stego image, enter the password, get your file back.
How it works in 3 steps
1. Compress — the file is GZIP compressed using pako to reduce size.
2. Encrypt — compressed data is encrypted with AES-256 via crypto-js.
Key derivation uses PBKDF2-SHA256 at 100,000 iterations with a random
salt — making brute-force attacks computationally expensive.
3. Embed — encrypted bits are hidden in the least significant bit of
each RGB pixel channel. A ±1 change per channel is invisible to the
human eye. A 1920×1080 image can carry ~777 KB of hidden data.
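The embed step above, as an added example that is not Stego.Image's own code: it writes one payload bit into the least significant bit of each R, G and B byte of an RGBA buffer (the layout of canvas ImageData.data) and leaves alpha untouched. The function names, the 4-byte big-endian length header and the MSB-first bit order are assumptions made for this sketch.

```javascript
// Added example, not the project's code. The length header is an assumed framing.

// Bytes that fit in the RGB channels of a width x height image (1 bit/channel).
function capacityBytes(width, height) {
  return Math.floor((width * height * 3) / 8);
}

// Map the n-th payload bit to its index in RGBA data, skipping alpha bytes.
function channelIndex(n) {
  return Math.floor(n / 3) * 4 + (n % 3);
}

function embed(pixels, payload) {
  const framed = new Uint8Array(4 + payload.length);
  new DataView(framed.buffer).setUint32(0, payload.length); // big-endian length
  framed.set(payload, 4);
  const channels = (pixels.length / 4) * 3;
  if (framed.length * 8 > channels) {
    throw new RangeError("payload too large for cover image");
  }
  const out = Uint8ClampedArray.from(pixels); // leave the cover untouched
  for (let n = 0; n < framed.length * 8; n++) {
    const bit = (framed[n >> 3] >> (7 - (n & 7))) & 1; // MSB first
    const i = channelIndex(n);
    out[i] = (out[i] & 0xfe) | bit; // overwrite only the least significant bit
  }
  return out;
}

// Rebuild `count` bytes from channel LSBs, starting at payload bit `startBit`.
function readBytes(pixels, startBit, count) {
  const bytes = new Uint8Array(count);
  for (let n = 0; n < count * 8; n++) {
    const bit = pixels[channelIndex(startBit + n)] & 1;
    bytes[n >> 3] |= bit << (7 - (n & 7));
  }
  return bytes;
}

function extract(pixels) {
  const len = new DataView(readBytes(pixels, 0, 4).buffer).getUint32(0);
  const channels = (pixels.length / 4) * 3;
  // A clean image yields a random length; reject it instead of over-reading.
  if ((4 + len) * 8 > channels) throw new RangeError("no valid payload header");
  return readBytes(pixels, 32, len);
}
```

In the pipeline described above, `payload` would be the AES ciphertext from step 2, and the header costs 4 bytes of the stated capacity.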
Why fully client-side?
The moment a file touches a server you have a privacy problem. Stego.Image
runs entirely in the browser — no files transmitted, no passwords sent,
no tracking. Cloudflare Pages serves a static build. That's it.
Interesting problem I hit
The initial version used crypto-js's default EvpKDF — weak, MD5-based.
I replaced it with PBKDF2-SHA256 at 100k iterations. Old encoded files
intentionally can't be decoded with the new version. Security over
backward compatibility.
Stack
React 19 + Vite, crypto-js, pako, Bootstrap 5, Cloudflare Pages.
Live: https://stegoimage.pages.dev
GitHub: https://github.com/50RISHU/Stego.Image
MIT licensed. Contributions welcome.