Free Image Encryption — AES-256-GCM in Your Browser

Some images need to stay private — medical records, legal evidence, private photos you're emailing across borders. PikDraw's Image Encryption tool wraps any file in browser-native AES-256-GCM with PBKDF2 key derivation. Lock with a password, send the .pkenc file anywhere, unlock at the other end. The cryptography runs entirely in the Web Crypto API — no upload, no library to trust, no server to break.

What is Image Encryption (AES-256 password protection for files)?

Image Encryption is a Web Crypto-based AES-256-GCM file locker that produces a .pkenc container readable only with the original password. The format embeds the original filename, salt and IV for self-contained recovery.

Key features

  • AES-256-GCM authenticated encryption
  • PBKDF2-SHA256 key derivation (250k iterations)
  • Per-file random salt + IV
  • Embedded original filename in the container
  • Built-in integrity check (rejects tampered files)
  • 100% client-side via Web Crypto API
  • Works on any file, not just images

How it works

On encrypt: a random 16-byte salt and 12-byte IV are generated. PBKDF2-SHA256 derives a 256-bit AES key from your password and the salt over 250k iterations. AES-GCM encrypts the file bytes. The output is a metadata header followed by salt || IV || ciphertext, packaged as a .pkenc file. Decrypt reverses each step; a wrong password or a tampered file fails the GCM auth tag check.

Why use this tool

OpenSSL is powerful but command-line. Online encryption tools usually upload your file. PikDraw runs in the browser, uses native Web Crypto (no dodgy custom JS crypto), and produces a documented container format so you're not locked into a single tool.

Common use cases

  • Sending sensitive photos via email or chat
  • Archiving private medical/legal images
  • Pre-encrypting before uploading to cloud storage
  • Stashing diary or journal photos on a shared computer
  • Protecting personal photos on a lost or stolen device
  • Adding a privacy layer on top of file-sharing services

How to use this tool

  1. Choose Encrypt or Decrypt — Switch tabs based on whether you're locking a new file or unlocking an existing .pkenc file.
  2. Select your file — For Encrypt: any image. For Decrypt: a .pkenc file produced by this tool.
  3. Enter a strong password — Minimum 8 characters. The password derives a 256-bit AES key via PBKDF2 with 250,000 iterations.
  4. Encrypt / Decrypt — AES-256-GCM in the Web Crypto API encrypts/decrypts entirely in your browser. The output downloads automatically.

Who should use this

Journalists, lawyers, healthcare workers, privacy-conscious individuals, anyone sharing sensitive imagery, or anyone who wants password-protected local backups.

How to get started

Pick a file, enter a strong password, click Encrypt. Send the .pkenc. Decrypt the same way on the other side.

Best practices

  • Use a long, unique password (12+ chars)
  • Store passwords in a manager — there is no recovery
  • Verify decryption immediately after encrypting
  • Pair with end-to-end file transfer (Signal, Wormhole)
  • Don't reuse passwords across files

Pro tips

  • Use a unique password per file — and store it in a password manager.
  • There is no recovery if you lose the password. None. Anywhere.
  • The .pkenc format embeds the original filename, so restored files arrive with their original name.
  • Pair with a private file-transfer service (e.g. Wormhole, OnionShare) for end-to-end privacy.

Expert insights

💡 Strong Password Wins

PBKDF2 protects weak passwords but can't save terrible ones. Use 12+ chars from a password manager.

💡 Verify Decryption

Always decrypt the file once before deleting the original — confirms your password is correct.

💡 Native Crypto

We use the browser's Web Crypto API — the same primitives banks rely on. No hand-rolled JS crypto.

Limitations to be aware of

  • Browser memory limits very large files (~500 MB+)
  • No password recovery — lost password = lost file
  • Custom .pkenc format requires this tool (or any AES-GCM decoder following the spec)
  • Password strength is your responsibility

Frequently asked questions

What encryption is used?
AES-256-GCM with PBKDF2-SHA256 key derivation (250,000 iterations, random 16-byte salt, random 12-byte IV). GCM provides built-in integrity — tampering or wrong passwords are detected and refused. All primitives come from the browser's Web Crypto API.
Can the file be recovered without the password?
No. Brute-forcing the 256-bit AES key is computationally infeasible, and PBKDF2's iteration count makes every password guess slow, which makes guessing painful even with weak passwords. Lose the password = lose the file. Permanently.
Is the file uploaded?
No. Encryption and decryption happen entirely in your browser. We never see your file or password.
What's the .pkenc format?
A simple binary container: 6-byte magic ('PIKDR1'), 1-byte filename length, original filename, 16-byte salt, 12-byte IV, then the AES-GCM ciphertext. Documented so a future you can recover files even without this tool.
Why password instead of a key file?
Passwords are portable in your head; key files require management. For images, password protection is usually the right convenience/security balance. For sensitive workflows, use OpenSSL or GPG with a key file.
Can I encrypt videos or other files?
The tool accepts any file via the file input, not just images. For huge files (>500 MB) browser memory may struggle — use a desktop tool instead.
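
As an added example (not PikDraw's own code), here is a decoder for the .pkenc layout given in the FAQ answer on the format, using the derivation parameters from "How it works", plus a small encoder used only to build a constructed sample. It assumes a UTF-8 filename, the 16-byte GCM tag appended to the ciphertext as Web Crypto emits it, and no additional authenticated data; the function names are illustrative.

```javascript
// Added example: decoder for the .pkenc layout described on this page.
// Assumptions (not stated on the page): UTF-8 filename, 16-byte GCM tag appended
// to the ciphertext (Web Crypto's output shape), no additional authenticated data.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const MAGIC = new TextEncoder().encode("PIKDR1");
const TAG_LEN = 16;

async function deriveKey(password, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 250000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

function parsePkenc(bytes) {
  if (bytes.length < 7 || !MAGIC.every((b, i) => bytes[i] === b))
    throw new Error("not a .pkenc container");
  const nameLen = bytes[6];
  const saltAt = 7 + nameLen, ivAt = saltAt + 16, ctAt = ivAt + 12;
  if (bytes.length < ctAt + TAG_LEN) throw new Error("truncated container");
  const rawName = new TextDecoder().decode(bytes.subarray(7, saltAt));
  // The name is read from the header before any tag check, so treat it as
  // untrusted: keep only the last path component as the output name.
  const filename = rawName.split(/[\\/]/).pop() || "restored.bin";
  return { filename, salt: bytes.subarray(saltAt, ivAt),
           iv: bytes.subarray(ivAt, ctAt), ciphertext: bytes.subarray(ctAt) };
}

async function decryptPkenc(bytes, password) {
  const { filename, salt, iv, ciphertext } = parsePkenc(bytes);
  const key = await deriveKey(password, salt);
  // Rejects (OperationError) on a wrong password or a modified ciphertext.
  const plain = await subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
  return { filename, data: new Uint8Array(plain) };
}

// Builds a constructed sample container so the decoder can be exercised offline.
async function encryptPkenc(filename, data, password) {
  const name = new TextEncoder().encode(filename);
  if (name.length > 255) throw new Error("filename too long for 1-byte length");
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, key, data));
  return Uint8Array.from([...MAGIC, name.length, ...name, ...salt, ...iv, ...ct]);
}
```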
