Your browser generates a fresh 256-bit AES-GCM key using the Web Crypto API. The key lives only in this tab's memory.
The file is encrypted in-browser. The ciphertext — not the original file — is what gets shared. Filename and contents are both inside the encrypted blob.
WebTorrent seeds the encrypted blob from your tab directly to recipients using WebRTC data channels. No file ever hits a server.
You get a link containing the magnet URI and the decryption key
— after the #. Browsers never send anything after
# over the network, so the key can't leak to GitHub
Pages, DNS, or any proxy.
The recipient opens the link, joins the swarm, downloads the ciphertext peer-to-peer, and decrypts it in their browser with the key from the fragment. Original filename is recovered.