The professional open-source steganography tool.
Hide any file inside an ordinary image using AES-256-GCM encryption and LSB steganography — entirely on your device. Runs in the browser, on the desktop, and on mobile.
StegaShare is a cross-platform steganography application that lets you securely conceal documents inside ordinary images. A PDF, ZIP, DOCX, or any other file is:
- Compressed using Deflate
- Encrypted with AES-256-GCM + a PBKDF2-derived key
- Invisibly woven into the Least Significant Bits (LSB) of the carrier image's pixels
The resulting image looks completely identical to the original. Only someone with the correct password and StegaShare can recover the hidden document.
Zero-knowledge design: All operations happen locally on your device. No data is ever sent to a server.
| Home | Embed | Extract |
|---|---|---|
| (Hero page with feature overview) | (3-step guided embed flow) | (2-step guided extract flow) |
StegaShare is a monorepo with a shared Rust cryptographic core used across all platforms:
steganography/
├── stega-core/ # 🦀 Shared Rust library (the cryptographic brain)
│ └── src/
│ ├── pipeline.rs # Full embed + extract orchestration
│ ├── encryptor.rs # AES-256-GCM + PBKDF2-SHA256
│ ├── embedder.rs # LSB pixel manipulation
│ ├── extractor.rs # LSB pixel decoding
│ ├── compressor.rs# Deflate compression
│ ├── validator.rs # Capacity analysis
│ ├── header.rs # Payload header format
│ └── error.rs # Typed error variants
│
├── stega-core-wasm/ # 🌐 WASM wrapper (wasm-pack + wasm-bindgen)
│ └── src/lib.rs # Exposes stega-core as JS-callable functions
│
├── src-tauri/ # 🖥️ Tauri v2 desktop shell (Windows, macOS, Linux)
│ └── src/lib.rs # Tauri commands that invoke stega-core natively
│
└── app/ components/ hooks/ lib/ store/ # ⚛️ Next.js 16 + React 19 frontend
├── app/page.tsx # Landing page
├── app/embed/ # Embed workflow
├── app/extract/ # Extract workflow
├── components/ # FileDropzone, CapacityBar, PasswordInput, …
├── hooks/ # usePlatform (WASM vs Tauri), useStega
└── store/ # Zustand global state
The usePlatform hook transparently selects the correct backend at runtime:
Browser → WebAssembly (stega-core-wasm) ──┐
├──► stega-core (Rust)
Desktop → Tauri IPC (src-tauri) ───────┘
This guarantees that the cryptographic logic is identical on all platforms.
User File
│
▼
[Deflate Compress] # Reduces file size before encryption
│
▼
[PBKDF2-SHA256] # Key derivation
password + random_salt # 96-bit cryptographically random salt
200,000 iterations # OWASP-recommended for PBKDF2-SHA256
→ 256-bit AES key
│
▼
[AES-256-GCM Encrypt] # Authenticated encryption
random_iv (96-bit) # Unique IV per operation
→ ciphertext + auth_tag # GCM tag prevents tampering
│
▼
[Header + Payload] # [salt|iv|tag|length|ciphertext]
│
▼
[LSB Embedding] # 1 bit per RGB channel per pixel
→ Stego PNG Image
| Property | Implementation |
|---|---|
| Confidentiality | AES-256-GCM (256-bit key) |
| Integrity | GCM Authentication Tag (wrong password → immediate rejection) |
| Key Derivation | PBKDF2-SHA256, 200,000 iterations, random 96-bit salt |
| IV Uniqueness | Cryptographically random 96-bit IV per embed |
| Compression | Deflate (reduces plaintext size before encryption) |
| Output Format | PNG (lossless — JPEG destroys LSB data) |
| Zero-Knowledge | All operations run locally; no network calls |
- Node.js 18+ or Bun
- pnpm (recommended) or npm
- Rust 1.78+ (for WASM/Desktop builds)
- wasm-pack (for Web builds)
git clone https://github.com/you/stegashare.git
cd stegashare/steganographypnpm install
# or
npm installThis compiles the Rust core into a
.wasmfile that the browser can load.
npm run build:wasmThe output is placed in lib/wasm-gen/ and is automatically imported by the WASM bridge.
pnpm dev
# or
npm run devOpen http://localhost:3000.
The desktop app uses the native Rust stega-core directly for maximum performance.
# Install Tauri CLI
cargo install tauri-cli
# Run in development mode
npm run tauri:dev
# Build a distributable binary
npm run tauri:buildSupported targets: Windows, macOS, Linux.
Tauri v2 enables full mobile support using the same Rust core.
# Run on Android Emulator/Device
npm run tauri:android
# Run on iOS Simulator/Device
npm run tauri:ios# Run Rust unit tests for the core library
cd stega-core
cargo test
# Run Next.js linting
pnpm lintThe top-level orchestration. Calls compressor → encryptor → embedder in sequence.
Handles all cryptography: PBKDF2 key derivation, AES-256-GCM encrypt/decrypt, random IV/salt generation.
Iterates over every pixel in the carrier image, replacing the LSB of each RGB channel with one bit of the encrypted payload.
Reverses the embedding: reads LSBs from pixel channels, reconstructs the payload bytes, validates length, and returns the raw encrypted blob.
Thin wasm-bindgen wrapper that exposes embed_wasm, extract_wasm, and check_capacity_wasm to JavaScript.
Runtime platform detection. Returns a StegaBridge interface backed by either the WASM module (browser) or Tauri IPC commands (desktop).
Zustand store managing all UI state: uploaded files, password, progress, capacity info, results, and errors.
Contributions are warmly welcome! Here's how to get started:
- Fork the repository
- Create a branch for your feature:
git checkout -b feat/my-feature - Commit your changes:
git commit -m 'feat: add my feature' - Push to your branch:
git push origin feat/my-feature - Open a Pull Request and describe your changes
- Follow the existing code style (Rust:
rustfmt, JS/TS: ESLint) - Add JSDoc / Rust doc comments to public APIs
- Keep cryptographic logic in
stega-coreonly — never in the frontend - Include tests for any new cryptographic functionality
- Update this README if you change the architecture
- Add a drag-and-drop reorder for the progress steps
- Add a "copy to clipboard" button on the success card
- Improve error messages for malformed stego-images
- Write integration tests for the WASM bridge
- Add dark mode toggle
Q: Is this truly secure? A: The cryptography is sound — AES-256-GCM is an AEAD cipher approved by NIST. The security ultimately depends on the strength of your password. Use a long, unique passphrase.
Q: Can I use JPEG images as the carrier? A: No. JPEG is a lossy format that destroys the LSB data during compression. StegaShare always outputs PNG, which is lossless.
Q: What happens if I use the wrong password? A: AES-GCM's authentication tag will fail immediately. StegaShare reports "Wrong password" — no partial data is returned.
Q: How much data can I hide?
A: Roughly (width × height × 3) / 8 bytes, minus header overhead. A 1920×1080 image can hold approximately 780 KB of raw data (more if your document compresses well).
Q: Does StegaShare send my data anywhere? A: Never. The app runs entirely in your browser (WASM) or natively (Tauri). There are no API calls, no analytics, no telemetry.
Distributed under the MIT License. See LICENSE for details.