Client-side AES-256-GCM encryption for transcripts. Your data is encrypted in the browser before it reaches our servers — even we can't read it.
- Your password → PBKDF2 (100,000 iterations) → 256-bit encryption key
- Transcript text → AES-256-GCM encrypt with key → encrypted blob
- Encrypted blob stored on server (we can't read it)
- You view transcript → fetch encrypted blob → decrypt locally in browser
The encryption key never leaves your browser. We never see your password or your unencrypted data.
```js
// Derive key from password + email (salt)
const key = await STTEncryption.deriveKey(password, email);
// Encrypt
const encrypted = await STTEncryption.encrypt(text, key);
// Decrypt
const decrypted = await STTEncryption.decrypt(encrypted, key);
// Encrypt full transcript with segments
const encryptedTranscript = await STTEncryption.encryptTranscript(transcriptData, key);
```

- Algorithm: AES-256-GCM (authenticated encryption)
- Key derivation: PBKDF2 with 100,000 iterations and SHA-256
- Salt: User's email (unique per user)
- IV: Random 12 bytes per encryption (never reused)
- Implementation: Web Crypto API (browser-native, no dependencies)
MIT License — use it however you want. We open-sourced this so anyone can audit it.
- STT.ai — Free speech to text
- How it works — Full security explanation