The only file-sharing tool that's anonymous to everyone, yet leaves a cryptographic trail to the leaker. Here's how it works in 4 steps:
1. Generate your identity: creates a 4096-bit RSA keypair in your browser. Your Public Key is your shareable address. Your Private Key stays on your device and decrypts files sent to you.
2. Share your Public Key: anyone who wants to send you confidential files needs your Public Key. It's safe to share publicly.
3. Send files anonymously: upload a file, add recipients (by their Public Keys), set a secret. Each person gets a uniquely fingerprinted encrypted copy.
4. Trace leaks forensically: if a copy leaks, upload it to Forensics with your attribution map and your secret. The embedded fingerprint reveals which recipient's copy it was.
Everything runs entirely in your browser. No data is sent to a server. ShadowSign has no backend: it's pure client-side cryptography.
ShadowSign
Anonymous · Signed · Accountable
Share in the shadows. Trace every leak.
ShadowSign lets you anonymously distribute confidential files while giving each recipient a cryptographically unique copy. If any copy leaks, the embedded fingerprint tells you which recipient it was issued to.
01 · IDENTITY
Your Cryptographic Identity
Generate a 4096-bit RSA keypair. Your Public Key is your shareable address. Your Private Key stays secret and decrypts files sent to you. No account or email needed.
02 · ENCRYPT
Per-Recipient Fingerprinting
Each recipient gets their own AES-256 encrypted copy carrying an HMAC-SHA256 fingerprint computed over their Public Key and the file's hash, keyed with a secret only the sender knows. The file contents are identical; the fingerprints are not.
03 · DELIVER
Encrypted JSON Packages
Each package is a self-contained JSON file: encrypted payload, encrypted key and embedded fingerprint. Send it over any channel (email, Signal, USB, cloud). ShadowSign is transport-agnostic.
04 · TRACE
Forensic Leak Attribution
Upload a leaked package, your attribution map and your HMAC secret. ShadowSign recomputes the fingerprint for every known recipient and flags the match in seconds.
Cryptographic Primitives
RSA-OAEP 4096
Key generation, public-key encryption of per-file AES keys
AES-GCM 256
Symmetric encryption of the file payload (unique key per recipient)
Native browser implementation via the Web Crypto API: no third-party libraries or dependencies. The one component you still have to trust is the JavaScript served to your tab, so review the page source or run it from a local copy if the stakes warrant it.
ShadowSign has no backend. All keys, encryption, and fingerprinting happen locally in your browser tab. Nothing is transmitted to any server.
Security Properties
Sender Anonymity
ShadowSign itself, and anyone observing it, learns nothing about who sent a file: no identity is required to package or distribute. The channel you deliver packages over (email headers, chat accounts) can still identify you, so choose it accordingly.
Recipient Accountability
Every copy carries a fingerprint bound to the recipient's Public Key and keyed with the sender's secret. Without that secret, a recipient cannot produce another recipient's fingerprint. The fingerprint lives in the package and in the downloaded file, so it only survives as long as those are passed on intact.
End-to-End Encryption
File contents are encrypted before packaging. Only the intended recipient (with their Private Key) can decrypt and read the file.
Zero Trust Required
No server, no account, no third party. The cryptography runs in your browser using standard Web APIs and the page is open to inspection; the JavaScript you load is the only thing you have to trust.
Your identity is a cryptographic keypair. Think of it like a PGP key: your Public Key is your address (share it freely), and your Private Key is your secret (never share it). Anyone can encrypt files to you using your Public Key. Only you can decrypt them with your Private Key.
Generate New Keypair
This creates a fresh 4096-bit RSA-OAEP keypair directly in your browser. Generation takes a few seconds. If you already have an identity, generating a new one will replace it in this session, so always export first if you want to keep it.
Your keys are not stored anywhere by ShadowSign. If you close this tab without exporting, your identity is gone. Use the "Export Identity" button below to save your keypair as a JSON file. That file contains your Private Key, so keep it on an encrypted drive or in a password manager.
Your Active Identity
Key ID (fingerprint prefix)
Algorithm
Public Key: share this with anyone who wants to send you files
Your Public Key is safe to share. It's used by senders to encrypt files and compute your unique fingerprint. It cannot decrypt anything; only your Private Key can do that.
Copy and share this entire block (including BEGIN/END lines) with anyone who wants to send you encrypted files via ShadowSign.
Private Key: never share this
Your Private Key is the secret half of your identity. It decrypts files sent to you. Never paste it anywhere except ShadowSign's Receive tab. Anyone with this key can decrypt your files.
Click the field above to reveal. It is blurred by default to prevent shoulder-surfing. Never share this key.
Import Existing Identity
Already have a ShadowSign identity? Paste the JSON you exported previously to restore it in this session.
Identity JSON
How Keypairs Work โ Quick Explainer
RSA-OAEP is an asymmetric encryption scheme. Two mathematically linked keys are generated together:
• Public Key: encrypts data. Safe to publish. Used by senders.
• Private Key: decrypts data. Must stay secret. Used by you to open packages.
When a sender creates a package for you, they generate a random AES-256 key, encrypt your file with it, then encrypt that AES key using your Public Key. Only your Private Key can recover the AES key, and therefore the file.
Encrypt and package a file for one or more recipients.
You don't need a personal identity to send files, but you should have your HMAC signing secret ready. Recipients need their own identity to decrypt packages.
Sending creates one encrypted package per recipient. Each package holds the same file contents, encrypted under that recipient's own key, with a fingerprint unique to them. Only the correct recipient can decrypt their package, and you can always trace which copy leaked.
Step 1: Select File
Drop any file here, or click to browse
PDF, images, documents, archives, binaries: any file type · Max size depends on your browser RAM
Your file is never uploaded anywhere. It's read into browser memory, encrypted with AES-256, and packaged locally. The original file is not modified.
Step 2: Add Recipients
Each recipient needs to provide you with their ShadowSign Public Key. Paste each key below. Add a label (e.g. their name) to keep track.
Each recipient will receive a different encrypted package. The file contents are the same, but the fingerprint embedded in each package is unique to that person's Public Key. This is how leak attribution works.
Public Key (PEM format)
Label / Name
To get a recipient's Public Key, ask them to visit ShadowSign, generate their identity, and share their Public Key with you. It starts with -----BEGIN PUBLIC KEY-----
Step 3: Signing Secret & Note
HMAC Signing Secret (required)
This secret keys the HMAC that generates each recipient's fingerprint. Treat it like a master password: use a long, random value rather than a memorable phrase, because anyone who learns it (together with the attribution map) can attribute leaks and can compute a valid fingerprint for any recipient key. You'll need it again during forensic analysis to verify a leaked copy. Never share it.
Keep this safe. You'll need it to run forensic analysis if a file leaks. Store it somewhere secure (password manager recommended).
Sender Note (optional, encrypted)
This message is encrypted alongside the file and included in every package. Only recipients who decrypt the package can read it. It could be instructions, context, or a verification phrase.
This note is AES-encrypted โ it cannot be read without decrypting the package first. Good for adding context or a warning to recipients.
Packages generated. Send each package to the correct recipient. Do NOT mix up which package goes to whom: the fingerprint is tied to the recipient's key.
Encrypted Packages: Send These
Download or copy each package and send it to the corresponding recipient via any channel (email, Signal, USB, shared folder, etc.).
Attribution Map: Keep This Secret
Export and store this privately. If a file leaks, you'll upload this map to the Forensics tab along with the leaked package and your HMAC secret to identify the leaker. Do not share this with anyone.
Decrypt a package sent to you.
You received an encrypted ShadowSign package. To decrypt it, you need your Private Key (from your identity). The package was encrypted specifically for your Public Key; no one else can open it.
Step 1: Load Your Private Key
Your Private Key is the one you generated (or imported) in the Identity tab. It starts with -----BEGIN PRIVATE KEY-----
Your Private Key (PEM format)
If you generated an identity earlier in this session, click the button above to auto-fill. Otherwise paste your exported Private Key here.
Step 2 โ Load the Encrypted Package
Drop the .json package file directly, or paste its contents below.
Drop your .json package here, or click to browse
The shadowsign-RecipientName.json file the sender gave you
or paste JSON manually
Encrypted Package JSON
The package contains your encrypted file, an AES key wrapped with your Public Key, your unique forensic fingerprint, and an optional sender note. The file, the key and the note cannot be read without your Private Key. The fingerprint and recipientKeyHash fields are stored in plaintext on purpose, so the sender can run forensics on a leaked package without decrypting it.
Decrypted Contents
Package decrypted successfully. Your file is ready to download.
Your Unique Fingerprint (embedded in this copy)
This is the HMAC-SHA256 fingerprint embedded in your copy of the file. It was derived from your Public Key, the file hash and the sender's secret. This fingerprint uniquely identifies your copy: if you leak the package, it will trace the leak back to you.
This fingerprint uniquely identifies your copy. If this package is ever found publicly, the sender can trace it back to you using the Forensics tool.
Sender Note
File Info
Trace a leak using any evidence you have.
Three ways to trace a leak. Use Mode A if you have your attribution map. Use Mode B if you have the leaked JSON package but lost the map: every v1.1+ package embeds a hash of the recipient's public key, so you can verify any suspect directly. Use Mode C if you only have the raw leaked file (PDF, TXT, etc.): forensic metadata is invisibly baked into the decrypted file itself using binary append, zero-width Unicode and PDF XMP.
Step 1: Load the Leaked Package JSON
Drop the shadowsign-*.json package file, or paste its contents. The key fields are plaintext, so no decryption is needed.
Drop the leaked .json package here, or click to browse
shadowsign-RecipientName.json
or paste JSON manually
Leaked Package JSON
Step 2A: Load the Attribution Map
Drop the shadowsign-attribution-map.json file you exported when sending, or paste its contents.
Drop the attribution map here, or click to browse
shadowsign-attribution-map.json
or paste JSON manually
Attribution Map JSON
Step 3A: Enter Signing Secret
HMAC Signing Secret
Used to recompute every recipient's fingerprint from your map, so a match is verified against the secret rather than trusting the fingerprint strings stored in the map.
How Mode B works: every ShadowSign v1.1+ package embeds recipientKeyHash, a SHA-256 hash of the recipient's public key. You can verify any suspect by pasting their public key below. If SHA-256(their key) matches the hash in the leaked package, the package was issued to that key. No attribution map needed. Be aware that this hash is unkeyed and public keys are, by design, public: a leaker who knows another recipient's key can rewrite the field before releasing the file. Treat a Mode B match as a lead and confirm it with the HMAC fingerprint (Mode A) whenever you still have the map and secret.
Step 2B โ Verify a Suspect's Public Key
Paste the public key of anyone you suspect. ShadowSign will hash it and compare it to the recipientKeyHash embedded in the leaked package.
Don't have a suspect's key? The recipientKeyPreview in the package shows the first 64 characters of the recipient's key โ enough to visually identify it if you have their full key on file. Check the preview shown in Step 1 above.
Mode C scans the raw leaked file itself, not the JSON package. When you decrypt a ShadowSign package and download the file, that file has forensic metadata invisibly baked into it using binary append (all files) and zero-width Unicode (text files). Upload that exact downloaded file here (the report.pdf, notes.txt etc.) to extract who it belongs to.
Step 2C โ Upload the Raw Leaked File
Upload the actual file that leaked โ e.g. report.pdf, notes.txt, contract.docx. ShadowSign will scan it for all three embedded forensic methods.
Drop the leaked file here, or click to browse
Any file type โ TXT, PDF, DOCX, PNG, ZIP, binary...
Two scanning methods are tried automatically:
1. Binary append: scans the end of the file for the SHDWSGN marker (works on ALL file types including PDF, DOCX, images, ZIP)
2. Zero-width Unicode: scans for invisible characters in the text body (TXT, MD, HTML, CSV etc. only)
Layers of forensic evidence, stacked for resilience
Layer 1: JSON package fingerprint + recipientKeyHash (Mode A/B)
Layer 2: Binary append SHDWSGN marker + payload after EOF (ALL files, Mode C)
Layer 3: Zero-width invisible Unicode in text body (TXT/MD/HTML, Mode C)
Layer 4: PDF XMP custom metadata block in PDF stream (PDF only, Mode C)
Everything you need to know to send, receive, and forensically analyse ShadowSign packages.
Example Scenario: You're a manager who needs to share a confidential report with 4 people. You want to ensure that if it leaks to the press, you can prove exactly which of those 4 copies was the source. ShadowSign gives you that with cryptographic certainty, as long as the leaked copy still carries its fingerprint.
1. Setting Up Your Identity (Do This Once)
Your identity is a 4096-bit RSA keypair. This is a one-time setup. Once generated, export it and store it safely; you'll use the same identity for all future ShadowSign activity.
Go to the Identity tab.
Click Generate 4096-bit RSA Keypair. Wait 2 to 5 seconds for generation to complete.
Your Public Key and Private Key will appear. The Private Key is blurred; click it to reveal.
Click Export Identity (JSON) immediately. Save the file in a secure location (encrypted drive, password manager).
Copy your Public Key using the Copy button. Share this key with anyone who may need to send you encrypted files.
Do not close the tab without exporting. ShadowSign does not store your keys. If you close the tab, your keypair is gone forever and you'll lose access to any files encrypted to it.
2. Sending a Confidential File
Sending creates one unique encrypted package per recipient. Each package contains the same file but has a different fingerprint. You can send files without having your own identity; only recipients need one.
Go to the Send File tab.
Drop your file into the upload zone (or click to browse). Any file type is supported.
Collect each recipient's Public Key (ask them to generate one at ShadowSign and share it with you). Paste each key into a recipient row and give them a label (e.g. their name).
Enter your HMAC Signing Secret. Any string is accepted, but generate a long random one and keep it in a password manager; you'll need it to run forensics later.
Optionally write a Sender Note โ this is encrypted alongside the file (e.g. "Do not distribute. This copy is traced to you.").
Click Encrypt & Generate Unique Packages. This may take a few seconds per recipient.
Download or copy each package. Send the correct package to each recipient โ do not mix them up. Each package's label matches the recipient.
Export the Attribution Map and store it privately alongside your HMAC secret. This is your forensics kit.
You can send the packages via any channel โ email, Signal, Slack, USB drive, shared folder. ShadowSign is transport-agnostic. The package is safe to transit over untrusted networks (it's fully encrypted).
3. Receiving & Decrypting a Package
You can only decrypt a package that was encrypted to your Public Key. You need your Private Key to do this. Make sure you're using the same identity that the sender addressed the package to.
Go to the Receive & Decrypt tab.
Load your Private Key: either click Use My Current Session Key (if you generated/imported one earlier) or paste it manually.
Paste the full encrypted package JSON you received. It should start with {"version":
Click Decrypt Package.
If successful, you'll see your unique fingerprint (the one embedded in your copy), any sender note, and file info.
Click Download Decrypted File to save the original file.
The fingerprint shown is embedded in your copy. If you share this package, the sender can trace the leak back to you. Treat the package file as confidential.
4. Running Forensic Analysis on a Leak
When a package leaks publicly, you can use the Forensics tool to match its embedded fingerprint against your known recipients. You need the leaked package JSON, your attribution map and your HMAC secret.
Go to the Leak Forensics tab.
Paste the full leaked package JSON. Even if you can't decrypt it, the fingerprint field is in plaintext.
Paste your Attribution Map JSON. This is the file you exported after sending.
Enter your HMAC Signing Secret, the same one you used when sending.
Click Run Forensic Analysis.
ShadowSign compares the leaked file's fingerprint against every recipient's stored fingerprint in your map. A match reveals the leaker.
What if there's no match? This could mean: (a) the leaker was not in your recipient list, (b) you used a different HMAC secret, or (c) the package was modified. You can also manually compare the leaked fingerprint to any recipient's fingerprint using the formula: HMAC-SHA256(secret, pubkey + filehash)
The HMAC fingerprint cannot be forged without your signing secret: a recipient cannot alter their copy so that it carries another recipient's valid fingerprint, because they don't know the secret. They can only remove or corrupt it, which leaves a package that matches nobody.
5. Frequently Asked Questions
Can a recipient prove they didn't leak it?
Not cryptographically, because they have the decrypted file contents. However, they cannot forge another recipient's fingerprint without the HMAC secret. The fingerprint proves which copy was leaked, not who made the final decision to leak it.
What if a recipient re-encrypts and shares the file (not the package)?
If they strip the ShadowSign packaging and share the raw file, the JSON fingerprint is lost. The Mode C markers written into the downloaded file (the appended SHDWSGN block, zero-width characters in text, PDF XMP) survive only while the file is passed on byte for byte: truncating the file, re-saving it through another application, pasting the text, printing or screenshotting removes them. For high-sensitivity documents, also embed a visible or robust invisible watermark in the document itself before sending through ShadowSign.
Is this admissible as legal evidence?
ShadowSign provides cryptographic evidence, not legal proof. The fingerprint demonstrates which copy was distributed to which key, but establishing that a specific person controls that key requires additional verification. Consult a legal professional for evidentiary use.
How large can files be?
ShadowSign runs in browser memory. Practical limits depend on your device's available RAM, but files up to a few hundred MB should work on most systems. Very large files (1GB+) may cause the tab to crash.
Can I use the same identity for multiple sends?
Yes: your identity (keypair) can be reused across any number of sends and receives. Export it once and import it whenever you need it. Use different HMAC secrets per distribution to keep attribution maps separate.
What if I lose my attribution map?
You'll need to re-create it by re-sending the same file to the same recipients with the same HMAC secret. Because HMAC is deterministic, this regenerates the same fingerprints (the ciphertexts will differ, since each run draws fresh AES keys), so the rebuilt map matches the packages you originally sent.
// FORENSICS on leaked package (Mode A): the fingerprint field is plaintext, so no decryption is needed
function findLeaker(leakedPackage, attributionMap) {
  const leakedFp = leakedPackage.fingerprint;
  // LEAKER FOUND when a recipient's recorded fingerprint equals the leaked one; null if nobody matches
  return attributionMap.find(recipient => recipient.fingerprint === leakedFp) || null;
}