1Key derivation β your password is stretched using PBKDF2-SHA256 with 600,000 rounds and a random 16-byte salt. Makes brute-forcing extremely expensive.
2Encryption β AES-256-GCM encrypts the file and its original filename together. The auth tag detects any tampering with the output.
3Output β a .venc file is downloaded. The real filename is hidden inside. Share over any channel β without the password it reveals nothing.
4Decryption β switch to Decrypt, drop the .venc file, enter the same password. Original file restored locally.