x4 Encryption Suite
Try now
x4 · client-side text encryption

Encrypt and decrypt text without leaving your browser tab.

x4 uses the browser’s WebCrypto API (AES-GCM-256 + PBKDF2) to process text locally. The tool’s code does not include logic to send your plaintext or passwords to a remote server.

Try x4 now Opens the workspace at insiders/translator.html
  • Four AES-GCM layers with separate salts and IVs
  • PBKDF2 with configurable, high iteration counts
  • Web Worker isolation for heavy cryptography
  • Designed to run under a strict Content Security Policy

How x4 protects your text

x4 focuses on transparent client-side protection. It does not promise perfect security; instead it clearly explains which mechanisms it uses and what they are intended to do.

WebCrypto primitives

Uses crypto.subtle for AES-GCM-256 and PBKDF2. Crypto operations are performed by the browser’s implementation, not by custom math code.

Configurable PBKDF2

Derives keys from user passwords with PBKDF2 using relatively high iteration counts (within practical limits) and either SHA-256 or SHA-512, plus a calibration helper.

Four independent layers

Applies four AES-GCM layers built from two passwords. Each layer has its own salt and IV, and the header is bound as additional authenticated data (AAD).

Worker isolation

Expensive key derivation and encryption work run in a Web Worker so the UI stays responsive and less crypto logic lives on the main page.

Strict tool CSP

The translator page is designed to be used with a Content Security Policy that limits scripts to your own files and blocks network connections from its JavaScript.

Defensive UX details

Includes password field clearing, conservative error messages and warnings when copying decrypted text to the clipboard, followed by a best-effort clipboard clear.

Security model & scope

What x4 is designed to provide

  • Encrypt and decrypt text locally using AES-GCM-256 with keys derived from user-supplied passwords.
  • A workspace whose JavaScript does not include logic to send plaintext or passwords to a remote service.
  • Stronger password handling through PBKDF2 with high iteration counts and a calibration helper to adjust to the device.
  • Warnings around copying decrypted text and a best-effort attempt to clear the clipboard after a short delay.

What x4 does not claim

  • It does not claim to protect against device-level compromise, malicious extensions or insecure hosting environments.
  • It does not replace a full security review of how and where the files are hosted or how HTTPS is configured.
  • It does not guarantee safety for weak, reused or guessable passwords.

Design comparison: x4 vs typical online tools

Many web tools send your input to a server for processing. x4 is written to operate on text directly in the browser tab. The charts below are qualitative and describe design choices, not measured performance.

Qualitative security features

Taller bars indicate a stronger focus on that design aspect.

x4 (designed for client-side use)
Typical online tool (server-side)

Conceptual exposure to remote services (lower is better)

Illustrates how designs differ in dependence on remote services. This is not a measured metric; it reflects intended behavior.

“Exposure” refers to how much the design relies on sending text to a server. x4’s translator is written to work on text directly in your browser.

Try x4 with your own sample text

Open the translator, encrypt a message and decrypt it again using the same passwords. For sensitive data, always use strong, unique passwords and a trusted device.

Open translator