Encryption at Imageserver.pw
Learn how your files are protected — explained simply and technically.
TL;DR
Automatic Encryption
Every file is encrypted immediately upon upload — you don't have to do anything.
The Key is in the Link
Your link contains ?key=... — only with this can the file be opened.
We Don't Store the Key
Without your link, we (and no one else) can decrypt the file.
How Encryption Works
↑ During Upload
- A random password (64 characters) is generated
- A random salt (16 bytes) is created
- A key is derived from password + salt (scrypt)
- Your file is encrypted with AES-256-CBC
- Only the encrypted file is stored
↓ During Retrieval
- You open the link with
?key=... - The server reads the salt from the encrypted file
- The key is reconstructed using your key
- The file is decrypted on-the-fly
- You see your file — without us ever storing it unencrypted
Why is This Secure?
Bank-Grade
AES-256 is the same algorithm used by banks and governments worldwide.
Random Salt
Each file has its own salt — even identical files look different when encrypted.
Zero-Knowledge
We never store your key. No link = no decryption possible.
Technical Details
| Algorithm | AES-256-CBC |
| Key Derivation | scrypt (CPU + Memory intensive) |
| Key Length | 256 bits (32 bytes) |
| Salt | 128 bits (16 bytes), random per file |
| IV (Initialization Vector) | 128 bits (16 bytes), random per file |
| Password Length | 64 characters (hex-encoded, 256 bits of entropy) |
Encrypted File Format (V2)
The version byte (0x02) enables backwards compatibility with older encryption formats.
Frequently Asked Questions
Can staff members see my files?
No. Without the key from your link, the file is just unreadable garbage. We never store this key.
What happens if I lose the link?
The file is then irreversibly lost. We cannot recover it without the key.
Is AES-256 really secure?
Yes. To brute-force a 256-bit key with current technology would take longer than the age of the universe. AES-256 is NSA-approved for TOP SECRET documents.
Why scrypt instead of PBKDF2?
scrypt requires significant memory, making brute-force attacks with specialized hardware (GPUs, ASICs) extremely difficult.
Can I use my own encryption?
You can set a personal encryption key in your dashboard. This additionally encrypts your file keys — allowing you to manage all your uploads at a glance.
More documentation: API: Upload via HTTP