Offline encrypted container manager

Your files,
sealed & carried
through hostile waters.

Cryptainer locks your files into portable, password-protected containers on your own device. AES-256-GCM, Argon2id, zero telemetry — the keys surface for seconds and are wiped the instant you lock. Like a whale carrying its cargo through the deep, your data crosses every attack sealed.

Download free View source
  • 100% offline
  • MIT · open source
  • No telemetry
  • 5 platforms
scroll — watch it dive
Watch it work

Type a filename.
See it vanish into ciphertext.

Runs entirely in your browser — a faithful illustration of what Cryptainer does to every file you hand it.

cryptainer · seal aes-256-gcm
ciphertext · argon2id → aes-256-gcm

size nonce auth-tag status SEALED ✓

Cryptainer never stores the key — only this ciphertext, the nonce, and the tag ever touch your disk.

What's inside

Encryption you can actually reason about.

No magic, no marketing crypto. Real, audited primitives wired together with memory safety from the ground up in Rust.

Military-grade encryption

AES-256-GCM authenticated encryption with Argon2id memory-hard key derivation. Choose Fast, Standard, High or Paranoid.

Encrypted containers

Bundle many files into a single sealed container. Names, metadata and structure are encrypted — not just the bytes.

Lazy decryption

Open a container instantly. Each file decrypts on demand the moment you preview it — nothing sits in the clear.

Memory that forgets

Keys are wrapped in Zeroizing<> and wiped the instant a container locks. Decrypted data is zeroized on eviction.

Portable .ctnr format

Export a container to a single .ctnr file. Carry it on a USB stick, import it anywhere. No account, no sync, no server.

100% offline

No cloud. No servers. No telemetry. Zero bytes leave your machine — verify it yourself, the source is open.

Safe passage

Built to be hard. Honest about its limits.

Cryptainer protects your data at rest with a transparent, memory-safe stack — and tells you plainly what it does and doesn't defend against.

AES-256-GCMAuthenticated encryption — every file, every nonce fresh
cipher
Argon2idMemory-hard KDF — Fast → Paranoid security levels
kdf
ZeroizeKeys & plaintext wiped from RAM on lock / eviction
memory
SHA-256 + GCM tagTamper & corruption detection on every blob
integrity
Rust + TauriNo buffer overflows, no GC pauses, tiny attack surface
core
threat model/ verified
  • Protected: file contents, names & metadata
  • Protected: offline & brute-force attacks on stolen blobs
  • Protected: database theft & blob tampering
  • Protected: container structure & organisation
  • Not protected: a keylogger or malware on your host
  • Not protected: memory of an already-unlocked container
  • Not protected: compelled disclosure of your password
Get Cryptainer

One Rust core. Every device.

A .ctnr sealed on Linux opens, byte-for-byte, on your phone. Builds land here as each platform ships — grab the source any time.

Windows.msi installer · x64 / arm64 Soon macOS.dmg · Intel + Apple Silicon Soon Linux.AppImage · runs on any distro Android.apk · universal · v0.1.0 iOS.ipa · sideload / TestFlight Soon

Need the .deb or other builds, or want to compile from source?

How it works

From file to sealed vault in four moves.

  1. 01

    Create

    Drop in your files and pick a security level. Standard is plenty; Paranoid maxes out Argon2id.

  2. 02

    Encrypt

    Set a password. Each file is sealed individually with a fresh nonce. No key ever touches the disk.

  3. 03

    Lock

    Close the container — keys vanish from memory. Auto-lock clears it after inactivity, too.

  4. 04

    Carry

    Export to .ctnr and take your vault anywhere. Unlock it on any platform with your password.

Free & open source

No trust required. Read every line.

Security software you can't inspect is just a promise. Cryptainer is MIT-licensed and fully open — clone it, audit the crypto, build it yourself. Forever free.

Star on GitHub Build from source

Designed & built by forked.online — shipped on platform.forked.online.

Questions

Everything you'd ask before trusting it.

Is Cryptainer really fully offline?

Yes. There is no cloud, no account, and no network code in the data path. Containers, keys, and metadata never leave your device. Because it is open source, you can audit this for yourself.

What encryption does it use?

AES-256-GCM authenticated encryption for file contents and metadata, with Argon2id memory-hard key derivation from your password. Integrity is protected by SHA-256 checksums and GCM authentication tags that detect any tampering.

Is it free and open source?

Completely. Cryptainer is FOSS under the MIT license — free to use, inspect, fork and self-build. The full source lives on GitHub.

Which platforms are supported?

Windows, macOS, Linux, Android and iOS. One Rust + Tauri core runs everywhere, so the .ctnr format and behaviour stay identical across devices.

Where are my files stored?

Locally — encrypted blobs on disk plus a small SQLite metadata database. You can export any container to a single portable .ctnr file and move it yourself.

What happens if I forget my password?

Nothing can recover it. No key is stored anywhere, by design — that is the whole point. Keep a backup of important data and use a strong, memorable password or a hint.

Your data. Your device. Your keys.

Seal it. Carry it.
Trust no one else.

Free, open source, and offline by design. Put your files in a vault only you can open.

Get Cryptainer free Read the source