Turn a Folder into an Encrypted Vault
Encrypting files one by one gets old fast, and filenames alone can reveal plenty. This tool packs entire folders — structure, subfolders, and all — into a single encrypted .svault file, with every filename encrypted along with the contents. It runs completely in your browser, so the folder never leaves your machine.
The actual tool runs in our ad-free secure workspace — nothing on this page processes your file.
Open Create an Encrypted Vault →What this tool does
- Packs folders and files into one encrypted vault, preserving the full directory structure for later extraction.
- Encrypts filenames and folder names, not just contents — an observer sees one opaque vault file and nothing else.
- Uses AES-256-GCM with a PBKDF2-HMAC-SHA-256 derived key (600,000 iterations) and a unique random salt.
- Processes large inputs in chunks with authenticated encryption, so a damaged vault is detected rather than silently mis-extracted.
- Offers optional compression and an optional public label so future-you knows which vault is which without unlocking it.
- Supports an optional one-time 160-bit recovery key as a fallback if the password is ever forgotten.
Your privacy on this tool
Stays on your device
- Folder contents, names, and structure are read and encrypted entirely on your device.
- The password and optional recovery key exist only in your browser session.
- The finished vault file is written directly to your disk; no part of it is uploaded.
Reaches our server: nothing
This tool makes no upload. Your content is processed entirely in your browser.
How to use it
- Open the vault builder at /app/create-encrypted-vault.
- Drag in a folder (or a mix of folders and files) — the structure you see is the structure that gets preserved.
- Set a strong password, and optionally add a public label like 'Family archive 2026'.
- Decide whether to generate a one-time recovery key; if you do, store it away from the password.
- Optionally enable compression for text-heavy content, then build the vault.
- Save the .svault file, then test-open it once before deleting any originals.
Common uses
- Archiving a completed client project — contracts, assets, and correspondence — into one locked file.
- Encrypting a family-documents folder (wills, deeds, insurance) before copying it to a shared external drive.
- Preparing an encrypted bundle of research data to hand off on a USB stick.
- Locking a folder of old journals or personal writing before storing it in a cloud sync folder.
- Making a periodic encrypted snapshot of your password-manager exports and 2FA recovery sheets.
Supported formats
- Any files and folders as input
- Output: SecretPNG vault (.svault)
Works in all modern browsers with the Web Crypto API; Chrome and Edge additionally support the File System Access API for smoother handling of very large vaults.
Limitations & security notes
Limitations
- Losing both the password and the recovery key makes the entire vault permanently unrecoverable — every file inside it.
- The vault is a snapshot, not a live encrypted drive; to change contents you extract, edit, and rebuild.
- Browser memory and disk limits apply — the tool chunks its work, and the File System Access API helps with very large outputs, but a browser is not the ideal venue for terabyte-scale archives.
- The optional public label is deliberately unencrypted — do not put anything sensitive in it.
- SecretPNG is in beta and has not been independently audited.
Security notes
- Encrypted filenames matter more than people expect: 'divorce_settlement_draft3.docx' leaks information even when its contents are protected.
- One vault, one password: everything inside is protected by the same secret, so choose a passphrase you would trust for the most sensitive file in the folder.
- Chunked authenticated encryption means a bit-rotted or tampered vault fails verification at open time instead of quietly extracting garbage.
- Store the recovery key physically separate from the password — a safe, a bank deposit box, or a sealed envelope with a trusted person.
- Verify the vault opens before deleting originals; verification takes a minute, data loss is forever.
Frequently asked questions
- Is this like an encrypted ZIP folder?
- Similar idea, stronger guarantees. Like a ZIP, it bundles many files into one. Unlike standard ZIP encryption, it encrypts filenames and folder structure, uses AES-256-GCM with authenticated chunks, and derives keys with 600,000 PBKDF2 iterations. If you specifically need a ZIP other software can open, use our password-protected ZIP tool instead.
- Can I add files to a vault later?
- Not in place. A vault is a sealed snapshot — you open it, extract what you need, and build a new vault to include new files. That constraint is what lets the format stay simple, portable, and verifiable end to end.
- How big can a vault be?
- There is no hard-coded cap; inputs are processed in chunks so memory stays manageable. Practically, tens of gigabytes work on a desktop with the File System Access API available (Chrome or Edge), while browsers without it may hit limits sooner. For truly enormous archives a desktop tool remains the better fit.
- What does the 'public label' reveal?
- Only the text you type into it. It exists so you can tell vaults apart without unlocking them — 'Photos 2024' or 'Tax archive'. It is stored unencrypted by design, so treat it like text written on the outside of a locked box.
- What happens if the vault file gets corrupted?
- Each chunk is authenticated, so corruption is detected the moment you try to open or extract. Files in undamaged chunks may still extract cleanly, but anything touched by the damage fails verification rather than extracting silently wrong data. Keep a second copy of important vaults on separate storage.
Related tools
Last reviewed: 2026-07-14Open Create an Encrypted Vault
SecretPNG is in beta and has not been independently audited. Security status.