# Elba — Knowledge Base
> A single-file, machine-readable knowledge base of everything published on https://elba.works. Intended for AI crawlers, LLM indexes, and anyone who wants Elba's writing in one place. Generated 2026-07-16.

Elba is a one-file program that seals a folder on your own computer with AES-256-GCM. No account, no server, no cloud, no telemetry. One HTML file, one password, one folder. Buy once — the price falls every year (€49 in 2026, €39 in 2027, €29 in 2028, €19 in 2029) and the entire source becomes MIT-licensed on 1 January 2030. Made by Meanwhile, a small studio.

## At a glance
- **Product**: Elba, a single HTML file that encrypts a folder locally.
- **Algorithm**: AES-256-GCM, key derived from your passphrase (PBKDF2). Runs via WebCrypto inside a Chromium browser (Chrome, Edge, Brave, Arc).
- **Network**: none. Elba makes no network requests, has no account, and never phones home.
- **Recovery**: there is no reset link. If you lose the password, the sealed folder is unrecoverable — this is the whole point.
- **License**: paid commercial license until 31 December 2029; MIT from 1 January 2030 ("mortalware").
- **Price ladder**: €49 (2026) → €39 (2027) → €29 (2028) → €19 (2029) → free & open source (2030).
- **Purchase**: one-time, via Paddle. Delivered as a direct download from the checkout success page.
- **Maker**: Meanwhile — a small studio. Contact via /contact.

## Site map
- [/](https://elba.works/) — Home — what Elba is, and the manifesto behind it.
- [/buy](https://elba.works/buy) — Buy Elba — one-time purchase, price ladder, download on success.
- [/manual](https://elba.works/manual) — Manual — how to use Elba, plus print/screen/Markdown downloads.
- [/journey](https://elba.works/journey) — Journey — annotated screenshots of first-run to daily use.
- [/manifesto](https://elba.works/manifesto) — Manifesto — why Elba exists and what it refuses to do.
- [/license](https://elba.works/license) — License — commercial terms today, MIT from 2030.
- [/verify](https://elba.works/verify) — Verify — how to check the file you downloaded is the file we shipped.
- [/changelog](https://elba.works/changelog) — Changelog — what changed and when.
- [/reviews](https://elba.works/reviews) — Reviews — what people have said about Elba.
- [/faq](https://elba.works/faq) — FAQ — short answers to common questions.
- [/contact](https://elba.works/contact) — Contact — how to reach Meanwhile.
- [/journal](https://elba.works/journal) — The Journal — essays on privacy, mortalware, and small software.
- [/guides](https://elba.works/guides) — Guides — longform explainers on local encryption and privacy.
- [/answers](https://elba.works/answers) — Answers — short, direct answer pages to specific queries.
- [/terms](https://elba.works/terms) — Terms of sale and use.
- [/privacy](https://elba.works/privacy) — Privacy — what we do and don't collect (almost nothing).
- [/refunds](https://elba.works/refunds) — Refund policy.
- [/sitemap.xml](https://elba.works/sitemap.xml) — Full list of indexable URLs.
- [/feed.xml](https://elba.works/feed.xml) — RSS feed for the Journal.
- [/llms.txt](https://elba.works/llms.txt) — Compact map of the site for LLMs.
- [/knowledge-base.md](https://elba.works/knowledge-base.md) — This file — the complete knowledge base.

## Core principles
**Local, not cloud.** Encryption happens in your browser tab, using WebCrypto. Your files, your key, and the fact that you opened them never cross the network.
**One folder, one password.** No accounts, no volumes, no mount step, no admin rights. Point Elba at a folder; it writes a sealed bundle next to it.
**No back door.** There is no reset link because there is no one on the other end of it. A door only you can open is also a door only you can lose.
**One thing in colour at a time.** Elba's UI keeps every sealed room grey and unreadable except the single item you have unlocked. Most software wants to look busy — Elba wants to look asleep.
**Mortalware.** Elba has a written expiry on secrecy. On 1 January 2030 the entire source becomes MIT-licensed, forever. The commercial price falls each year until then.
**Enough.** A tool that protects you from being squeezed cannot itself be a subscription. Elba is a one-time purchase.

## How Elba works, in one page
You download one HTML file. You open it in a Chromium-family browser (Chrome, Edge, Brave, Arc). The tab is now the program.
You choose a folder on your own machine (via the browser's File System Access API) and set a passphrase. Elba derives a key from your passphrase using PBKDF2 and encrypts your files with AES-256-GCM. The passphrase is never stored; the key is never written to disk.
Inside Elba, your folder becomes an "island" — a collection of "rooms" (subfolders) and files. Only the item you actively open is decrypted into memory; everything else stays sealed. Close the tab and the key is gone.
The sealed bytes are ordinary files. You can back them up to a USB stick, Dropbox, iCloud, or a hard drive in a shoebox. The cloud holds your island; it cannot set foot on it.

## Threat model & honest limits
- Elba protects **data at rest**: a stolen laptop, a lost drive, a compromised backup.
- Elba does **not** protect a machine that is currently compromised: keyloggers, malware, or an attacker with root can read what you type.
- Elba does **not** offer plausible deniability, hidden containers, or shared multi-user access. For those, VeraCrypt is the honest answer.
- Elba requires **Chromium**. Firefox and Safari do not (yet) implement the File System Access API Elba relies on.
- Elba has **no password recovery**. Write your passphrase down and store it somewhere safe.

## License, price, and the 2030 date
Elba is sold under a commercial single-user license until 31 December 2029. On 1 January 2030, without ceremony, the entire source is released under the MIT license, forever. Anyone who bought a copy keeps it and gains the source; anyone who waited gets it for free.
The price falls each year because the remaining commercial life falls each year. By 2030 the right to sell it reaches zero, so the price does too. This is what we mean by mortalware.

## The Journal — essays
_6 posts, newest first._

### Enough
*4 July 2026 · 6 min · Philosophy, License, Business*
URL: https://elba.works/journal/enough

_On subscriptions, saturation, and letting a small thing become everyone's._

The software industry has a favourite word, and it is not 'finished'. It is 'recurring'. A subscription turns a product into a relationship, and then slowly turns the relationship into a rent. You stop owning the thing and start paying for permission to keep using it.
We did not want that for Elba. A privacy tool that asks you to keep trusting us, month after month, is a privacy tool that has already made its first compromise. We want to sell you the island, hand you the key, and close the gate behind you. What happens after that is between you and the folder.
So Elba is €49 once. Not because subscriptions are immoral, and not because we are above making money. But because the right shape of this particular tool is a single transaction. You buy it, you own it, it stops asking you for things.
There is a second part to this, and it is the date in the license: 1 January 2030. Four years after launch, Elba becomes open source under MIT. Not because we ran out of things to sell, but because we will have made enough.
'Enough' is an unfashionable word in business. It implies a stopping point, a place where more is not better. But we think it is the right word for a tool that is supposed to protect you from being squeezed. If we are still trying to extract value from Elba in 2030, we are probably extracting value from you in ways we promised not to.
Mortalware, we call it. Software with a planned end to its commercial life, not to its usefulness. The price falls each year because the remaining time we have the right to sell it falls each year. By 2030, that right reaches zero. Elba is not sold; it is released.
We hope this is good for you. It is also good for us. A business that knows when to stop is a business that does not have to keep inventing reasons to exist. We can build Elba well, sell it honestly, and then let it belong to the world. That is the kind of company we want to be: one that makes a thing, charges for it once, and knows when it has done enough.

---

### The landlord and the key
*18 June 2026 · 6 min · Philosophy, Encryption*
URL: https://elba.works/journal/the-landlord-and-the-key

_On the quiet difference between renting a room and owning one._

You would not hand your office key to your landlord. Not because he is a bad man, and not because you have anything unusual to hide. You would not do it because a key you have given away is no longer, in any meaningful sense, yours. It's a piece of paper that says you agree to be trusted.
And yet most of us have done exactly that with our files. We took the whole cabinet — the letters, the drafts, the bank statements, the photos of the children — and put it in a room we don't own, with a lock we did not choose, held open by someone whose name we vaguely recognise from a startup page.
The word we were sold, of course, was secure. It's a slippery word. Most of the time it describes the corridor the file walks down, not the room it ends up in. Encrypted in transit. Encrypted at rest. Encrypted, everyone agrees, right up to the moment the provider decides — or is politely asked, in a language written by lawyers — to decrypt it.
This is the part nobody quite says out loud: if someone else holds the key, the door is not really locked. It's just closed. There's a difference, and you learn it the hard way, usually in the small print.
There is another way to do this, and it is older than the cloud. You keep the key. The file lives in a sealed box on your own machine. The box can travel — you can email it to yourself, drop it in a shared folder, back it up to a hard drive in a shoebox — and it stays sealed the entire time. Wherever it goes, it goes as a stranger. Only your password, held nowhere but in your head, can introduce it.
This is what Elba does, and it's almost embarrassingly modest about it. It draws a fence around a folder on your computer. Inside the fence, your files are yours in the plain, boring sense of the word. Outside the fence, nothing changes. The world can carry on being the world.
There is a downside, and it would be dishonest not to mention it. If you forget your password, the fence stays closed forever. There is no one at the other end of a reset link, because there is no reset link. That isn't a rough edge we ran out of time to sand down. It's the whole point. A door that only you can open is also a door that only you can lose.
You will read, in longer pieces than this one, about hybrid post-quantum keyslots and per-chunk authenticated encryption and hardware security modules. All of that is true, and all of it is in the manual for anyone who wants it. But the human version is smaller. You keep the key. Nobody else has a copy. The building is still standing, but the lock on your door belongs to you.
That's the shift, and it isn't really technical. It's the moment you stop thinking of privacy as a service someone provides you, and start thinking of it as a room you own the key to. A cloud can hold your island. It just can't set foot on it.

---

### Why 2030
*8 May 2026 · 7 min · License, Philosophy*
URL: https://elba.works/journal/why-2030

_On selling software now and giving it away later._

There is a date in Elba's license. The first of January, 2030. On that morning — no ceremony, no announcement necessary — Elba stops being ours and becomes everyone's, under the MIT license, forever.
People ask why we didn't just make it free from the start. The honest answer is that free things tend to die. They get abandoned, or sold, or slowly turned into something else. Charging a fair price for a small tool is one of the few ways to keep it small.
But we didn't want to hoard it either. A tool that guards your private things ought to, one day, belong to the commons. The fewer parties who can quietly change what it does, the better. Publishing the whole source, eventually, is the strongest promise we can make about what Elba will always be.
So: pay now if you want it now. Wait, if you don't mind waiting. Either way, in 2030, it's yours.
We think of it as mortalware. Software with an end date that is not death.

---

### The one warning that matters
*19 April 2026 · 5 min · Security, Encryption*
URL: https://elba.works/journal/the-one-warning-that-matters

_There is no back door. There is no reset link. This is not a bug._

Every tool that promises to keep something safe eventually has to answer the awkward question: what if I forget?
Most of them answer it with a link. A reset. A friendly little email that says, don't worry, we've got you. The trouble is that the same link is available, in principle, to whoever else can pretend to be you for four minutes.
Elba doesn't have that link. There is no one at the other end of it. If you lose your password, what's inside the fence is gone.
It sounds harsh written down. In practice it means what your grandmother would have called: write it down and put it somewhere safe. Four random words. A sealed envelope. A note in the back of a book you love.
The absence of a back door is not a failure of hospitality. It's the exact reason no one else can walk in either.

---

### The grey island
*2 April 2026 · 4 min · Design*
URL: https://elba.works/journal/the-grey-island

_What we mean when we say only one thing is in colour at a time._

Open Elba and, at first, everything is grey. Rooms, notes, files — all sealed, all quiet, like stones on a beach at dusk.
You open one thing. It turns to colour. You close it, and it goes grey again, back to the beach, back to the pile.
This is not decoration. It is the shape of the promise. At any moment, exactly one thing is legible on your screen. Everything else is nothing but sealed data, both to us and to you.
The grey is honest. It says: I could tell you what this is, but only if you asked. It says: you don't have to see all of it, all the time, to know it's still there.
Most software wants to look busy. Elba wants to look asleep.

---

### On fencing a folder
*14 March 2026 · 6 min · Design, Philosophy*
URL: https://elba.works/journal/on-fencing-a-folder

_Why a small piece of software should feel more like a garden wall than a vault._

You know that feeling of coming home and, without thinking, closing the door behind you. Not because you're afraid. Because inside is the part of the day that belongs to you.
Software rarely gives you that. It gives you accounts, sync icons, little green dots, receipts of your own existence sent quietly to strangers. It gives you the sensation of being read while you read.
Elba is smaller than that. It is a fence you draw around one folder. Everything inside is scrambled the moment you close it — not by us, not by anyone you have to trust, but by your own browser, using a key that lives only in your head.
The metaphor we kept coming back to, while making it, was the garden wall. Not a bunker. Not a panic room. A wall you can lean on. A gate you close because it is evening now, and the day is done.
There is a technical version of this story, and it is in the Manual. But the human version is simpler. You should be allowed to have a room that no one else can walk into. Not a special one. Just a room.

---

## Guides — longform explainers
_100 guides._

### Local file encryption with no cloud, no account
*Keyword: “local file encryption no cloud”.*
URL: https://elba.works/guides/local-file-encryption-no-cloud

Local file encryption means the encryption happens on your computer and the key never leaves it. No upload, no account, no server in the loop. Elba does exactly that: a single HTML file seals a folder with AES-256-GCM using a password only you know.

#### What ‘no cloud’ actually rules out
Most ‘privacy’ tools still send something — a license check, a telemetry ping, a filename to an indexer. Local file encryption, done properly, rules out all three. Nothing about your files, your key, or the fact that you opened them ever crosses the network.
Elba is delivered as an HTML file. When you open it in a Chromium browser it runs entirely inside that tab. Close the tab and it is gone; open it again and it is exactly what you saved.

#### Why local beats cloud, for the small case
Cloud-encrypted services are useful when you need many collaborators and device sync. For one person and one folder, they trade a real problem — surveillance and lock-in — for a convenience you may not need.
A local file encryption tool with no cloud has three quiet advantages: you can copy it, you can keep it forever, and no company can change its mind about you.

#### FAQ
- **Does Elba upload my files to encrypt them?** — No. Encryption happens in your browser tab. Files never leave your machine and Elba makes no network requests.
- **Do I need an account?** — No account, no login, no email required. You buy the file once and use it offline forever.
- **Can I still back it up to a cloud drive?** — Yes. The sealed folder is ordinary encrypted bytes — safe to sync to Dropbox, iCloud, or a USB stick. The cloud stores your island; it can't set foot on it.
- **What algorithm does it use?** — AES-256-GCM, derived from your password with PBKDF2. Standard, auditable, and readable in the source.

---

### A browser-based file encryption tool that never phones home
*Keyword: “browser based file encryption tool”.*
URL: https://elba.works/guides/browser-based-file-encryption-tool

A browser-based file encryption tool uses the browser's built-in crypto (WebCrypto) to encrypt files without installing an app. Elba is that tool, reduced to a single HTML file — you open it, enter a password, and the browser does the work locally.

#### Why a browser is a sensible place to do this
Every modern computer already ships a Chromium engine with an audited, hardware-accelerated AES-GCM implementation. Elba doesn't reinvent the primitive; it hands the work to the platform and stays out of the way.
The upside is portability. The same HTML file runs on Windows, macOS, Linux, and Chromebook without change. The downside is that Elba needs a Chromium-family browser — Chrome, Edge, Brave, Arc — to do its protective work.

#### What ‘runs in the browser’ does not mean
It does not mean ‘runs in the cloud’. Nothing about your files goes to any server. It does not mean ‘needs internet’ — after the first download, Elba works fully offline.
It means the sandbox that already isolates your web tabs also isolates the tool that reads your journal.

#### FAQ
- **Which browsers work?** — Any Chromium-based browser: Chrome, Edge, Brave, Arc, Vivaldi. Firefox and Safari currently lack the File System Access API Elba uses.
- **Do I need to be online?** — Only to download the HTML file the first time. After that Elba is fully offline.
- **Is browser crypto safe enough?** — The WebCrypto API is the same primitive banks and password managers rely on. Elba uses AES-256-GCM through that API.

---

### Offline file encryption in a single HTML file
*Keyword: “offline file encryption html”.*
URL: https://elba.works/guides/offline-file-encryption-html

Offline file encryption in an HTML file sounds like a contradiction — until you remember your browser is a fully capable local runtime. Elba is a single .html document that, when opened offline, encrypts and decrypts a folder on your machine.

#### Why HTML, of all things
Because it is the most portable executable format on earth. Every operating system in current use can read one. No signing, no store, no compatibility layer.
You can copy Elba to a USB stick, email it to yourself, print it out if you want. It will still be Elba in ten years.

#### Airplane mode is a first-class use case
Elba was designed to be used with the network cable pulled. Journalists, lawyers, and travellers use it exactly that way. It has no ‘could not connect’ error state because it never tries to connect.

#### FAQ
- **Can I use Elba on a plane?** — Yes. Elba works fully offline once the HTML file is on disk.
- **Do I need to install anything?** — No. Double-click the HTML file (or open it via the included launcher) and it runs.
- **Is the source auditable?** — The whole program is inside the HTML file. You can open it in any text editor and read it.

---

### Single-HTML-file encryption: why one file is the feature
*Keyword: “single html file encryption”.*
URL: https://elba.works/guides/single-html-file-encryption

Single-HTML-file encryption is exactly what it sounds like: the whole program lives in one .html document. It is Elba's smallest brag and its most important one — you can read the entire tool in a text editor before you trust it.

#### One file is auditable in an afternoon
Most encryption apps are millions of lines across dozens of dependencies. Elba is one file, a few thousand lines, no external libraries pulled at runtime. A curious engineer can read it end to end in an afternoon.

#### One file is also immortal
There is no update server that can quietly disable it. There is no store that can pull it. The version you bought is the version you keep.

#### FAQ
- **Really one file? No dependencies?** — Really one file. The crypto is browser-native (WebCrypto). No CDN, no bundler, no runtime downloads.
- **What if the format changes?** — The file format is documented in the manual and will remain readable. On 1 January 2030 Elba becomes MIT open source, guaranteeing that in perpetuity.

---

### How to encrypt files without uploading them anywhere
*Keyword: “encrypt files without uploading”.*
URL: https://elba.works/guides/encrypt-files-without-uploading

To encrypt files without uploading them, you need a tool that runs entirely on your device and derives its key from something only you have. Elba does both: a local HTML program that turns your password into an AES-256-GCM key inside your browser.

#### The upload isn't ‘for encryption’
When a service asks you to upload a file ‘to encrypt it’, encryption is almost never the reason. The reason is indexing, feature parity, or resale. Elba refuses the whole trade.

#### What ‘local’ has to prove
A tool that promises not to upload should also be inspectable. Elba's whole source is in the HTML file, and DevTools' Network tab shows exactly zero outbound requests while it runs.

#### FAQ
- **Can I verify no upload is happening?** — Yes. Open DevTools → Network in your browser while using Elba. You'll see no requests.
- **What about crash reports or analytics?** — There are none. Elba has no analytics, no error reporting, no telemetry of any kind.

---

### How to encrypt files locally, in under a minute
*Keyword: “how to encrypt files locally”.*
URL: https://elba.works/guides/how-to-encrypt-files-locally

The shortest honest answer to ‘how do I encrypt files locally?’ is: pick a tool that runs on your machine, give it a strong password, and back that password up somewhere physical. Here is that flow with Elba, in four steps.

#### The four steps
1. Download Elba.html and put it wherever you want (Documents, a USB stick, an external drive).
2. Double-click the launcher for your OS. Elba opens in a Chromium browser tab.
3. Point Elba at the folder you want to seal. Enter a password of at least 12 characters (a four-word passphrase is fine).
4. Close the tab when you're done. The folder is now sealed at rest.

#### The part everyone gets wrong
Write the password down. On paper. Put it somewhere you'd put a spare key. There is no reset link — that's the whole point — so treat the password like the deed to a house, not a login.

#### FAQ
- **How strong does the password need to be?** — Twelve characters minimum. Four random words (a ‘passphrase’) is easy to remember and strong enough.
- **Can I change the password later?** — Yes. You can re-seal the folder with a new password at any time from inside Elba.
- **What if I forget it?** — The contents are unrecoverable. This is by design and is what makes Elba trustworthy — see our guide on forgotten encryption passwords.

---

### An encryption tool for sensitive documents that fits on a USB stick
*Keyword: “encryption tool for sensitive documents”.*
URL: https://elba.works/guides/encryption-tool-for-sensitive-documents

Sensitive documents — contracts, medical notes, HR files, client records — deserve an encryption tool that is small, boring, and offline. Elba is a single HTML file that seals a folder of documents with AES-256-GCM.

#### The threat model most people actually have
Most people worrying about sensitive documents are not worrying about a nation-state. They are worrying about a stolen laptop, a shared drive, a nosy colleague, or an old backup that never got deleted. Local at-rest encryption handles all four.

#### Boring is the feature
The best encryption tool for sensitive documents is one you'll actually use. Elba has no dashboard, no plan tiers, no cross-sell. You open a folder, you close a folder. That's it.

#### FAQ
- **Is this HIPAA / GDPR compliant?** — Elba provides AES-256-GCM at-rest encryption, which is the technical control both frameworks reference. Compliance is a matter of your policies; the tool gives you the primitive.
- **Can I share sealed files with a colleague?** — Yes. Send them the sealed folder and the password over separate channels. Both sides use the same Elba file to unseal.

---

### Secure file encryption for journalists (2026 guide)
*Keyword: “secure file encryption journalist”.*
URL: https://elba.works/guides/secure-file-encryption-for-journalists

Secure file encryption for journalists needs three things: it has to be offline, it has to leave no receipts, and it has to be readable enough to be trusted. Elba is a single HTML file that meets all three.

#### No receipts
Elba does not check a license, does not report usage, does not know your name. There is no account tying you to a file. There is no server that could be subpoenaed.

#### Field-ready
Because Elba is a single HTML file, it fits on a USB stick alongside your notes. Open it on a hotel laptop, a borrowed machine, or your own — it behaves the same.

#### Duress and denial
Elba does not have a duress password (a fake password that opens a decoy folder). If your threat model requires that, Elba is not enough on its own — combine it with disk-level tools like VeraCrypt hidden volumes.

#### FAQ
- **Can Elba be compelled to hand over my files?** — There is no ‘Elba’ that could — no server, no account, no key escrow. The publisher cannot decrypt your folder.
- **Does it work on a Chromebook?** — Yes. Chromebooks ship with Chromium and are one of the safest field devices for Elba.

---

### File encryption with no installation required
*Keyword: “file encryption no installation required”.*
URL: https://elba.works/guides/file-encryption-no-installation-required

‘No installation required’ usually means ‘we hid the installer’. Elba means it literally: there is no installer, no admin prompt, no system service, no registry key. You copy one HTML file and run it.

#### Works on locked-down machines
Corporate laptops, university machines, and library computers often refuse installers. Elba runs anyway because there is nothing to install — the browser opens an HTML file.

#### Nothing to uninstall
Delete the file. Empty the trash. Done. There is no leftover cache to hunt down.

#### FAQ
- **Do I need admin rights?** — No. Elba runs from a folder your normal user can read.
- **Where does it store settings?** — Nowhere. Elba has no settings, no config file, and no local storage outside the folder you seal.

---

### What is mortalware? Software that dies into the commons
*Keyword: “mortalware”.*
URL: https://elba.works/guides/what-is-mortalware

Mortalware is software that is sold for a while and then, on a pre-declared date, becomes open source and free for everyone — forever. It is a small idea with a large consequence: the maker cannot rent-seek their way past the finish line.

#### Why give it away
Because the value of a small, useful tool is highest when it is new and shrinks over time. Mortalware makes that curve honest: the price falls every year and reaches zero on the announced date.
Elba's date is 1 January 2030. On that morning it becomes MIT-licensed. Not disabled. Freed.

#### What the buyer gets that a subscription can't offer
Permanence. Your copy will keep working whether the maker is still around or not. If they vanish, the file still runs. If they change their mind, the license still says what it said.

#### How mortalware differs from ‘eventually open source’
‘Eventually open source’ is a promise. Mortalware writes the date into the license the day it ships. There is no ‘we're evaluating our roadmap’ escape hatch.

#### FAQ
- **What happens on 1 January 2030?** — Elba's license switches to MIT. The source is already in the HTML file; the switch removes the ‘please pay for it’ layer.
- **Is this the same as source-available?** — No. Source-available means you can read it but not use it freely. Mortalware becomes fully free-and-open on a fixed date.
- **Why not just open source it now?** — Because paying the makers for a few years buys careful maintenance. The point is the sunset, not the paywall.

---

### Software that becomes free over time (and why that's the point)
*Keyword: “software that becomes free over time”.*
URL: https://elba.works/guides/software-that-becomes-free-over-time

Software that becomes free over time is not a discount. It is a promise, written into the license, that the maker will let go on a specific date. Elba's price falls each year and reaches zero on 1 January 2030.

#### The ladder
€49 in 2026, €39 in 2027, €29 in 2028, €19 in 2029, free in 2030. What you pay is the value of the time the maker still owns it — and that shrinks to nothing.

#### Why this beats a subscription for a small tool
Subscriptions align the maker with keeping you paying. A declining-then-free schedule aligns them with getting the tool good enough to release. It's a very different job.

#### FAQ
- **If I buy in 2026 and the price drops in 2027, do I get a refund?** — No, but you got a whole year of exclusive use, plus every update along the way.
- **Can the schedule change?** — The 2030 date is written into the license and can only move earlier, never later.

---

### Sovereign computing tools: owning a room in your own machine
*Keyword: “sovereign computing tools”.*
URL: https://elba.works/guides/sovereign-computing-tools

Sovereign computing tools are programs that run on your device, hold no data of yours anywhere else, and can be read, copied, and kept by you indefinitely. They are the opposite of tenant software — you are not renting a room, you own it.

#### The three tests
A sovereign tool passes three tests: it works fully offline, its source is inspectable, and it will keep working if the maker disappears. Elba passes all three.

#### Why the category matters now
The default is drift toward tenancy: your writing lives in someone's doc, your notes in someone's app, your photos in someone's cloud. Sovereign tools are the small counterweight — one folder at a time.

#### FAQ
- **Is sovereign computing the same as self-hosting?** — Related but smaller. Self-hosting means running your own server; sovereignty can be as modest as a single local file.
- **What other sovereign tools are worth knowing?** — Obsidian for notes, Syncthing for peer-to-peer sync, age or GPG for command-line encryption, and Elba for folder-level at-rest encryption.

---

### Digital self-defence tools: a short, practical shelf
*Keyword: “digital self defense tools”.*
URL: https://elba.works/guides/digital-self-defense-tools

Digital self-defence tools are the small, boring programs that make surveillance more expensive without demanding a new lifestyle. Here is the short shelf, with the piece Elba occupies.

#### The shelf
A password manager (Bitwarden, 1Password). A private browser (Brave, Firefox with uBlock Origin). A no-log VPN when travelling (Mullvad, IVPN). End-to-end messaging (Signal). And, for files on your own machine: local encryption.

#### Where Elba fits
Elba is the ‘files on your own machine’ layer. It doesn't replace anything above, and nothing above replaces it — a sealed folder is a category the others don't cover.

#### FAQ
- **Do I need all of these?** — No. A password manager and one form of local encryption is a reasonable minimum for most people.
- **Is this overkill for an ordinary person?** — The tools above are the digital equivalent of curtains and a house key. Ordinary is exactly who they're for.

---

### How to encrypt journal entries so nobody else can read them
*Keyword: “encrypt journal entries private”.*
URL: https://elba.works/guides/encrypt-journal-entries-privately

The right tool to encrypt a journal is a small one: a single file that seals a single folder and stays out of the way. Elba does that. Keep your daily entries as .txt or .md files in a folder and let Elba wrap the folder in AES-256-GCM.

#### A workflow that lasts
Plain text ages well. Write your entries in .md or .txt files with a date-based filename (2026-07-01.md). Put them in one folder. Let Elba be the fence around that folder.
In ten years you'll still be able to read the files, with or without Elba, because they're just text.

#### Why not the notes app?
Because notes apps sync. That is their job. If your journal is a place to think unsupervised, syncing is the wrong shape. A sealed local folder is the right shape.

#### FAQ
- **Can I still search my entries?** — Yes, once unsealed — any editor with folder search (VS Code, Sublime, Obsidian) works on the plain files.
- **Can I back it up?** — Yes. The sealed folder is safe to copy to Dropbox, iCloud, or a USB stick.

---

### A privacy tool for journalists (2026 shortlist)
*Keyword: “privacy tool for journalists 2026”.*
URL: https://elba.works/guides/privacy-tool-for-journalists-2026

In 2026 the useful shortlist for journalists is short: Signal for messages, Tails or a hardened laptop for the machine, and something small and offline for files. Elba fills the last slot.

#### What Elba adds to a working kit
It seals a folder locally with AES-256-GCM. No account, no telemetry, no server. The whole program is one HTML file you can read.

#### What Elba is not
Not a messenger, not a VPN, not a disk-encryption tool. It is a fence around one folder on one machine. That's the whole feature.

#### FAQ
- **Does it work on Tails?** — Tails ships with Chromium-based tools; Elba runs there. Always test in your specific setup before relying on it.
- **Can the maker help law enforcement decrypt my folder?** — No. There is no key escrow. The password lives in your head.

---

### How to encrypt files in countries with heavy censorship
*Keyword: “encrypt files in countries with censorship”.*
URL: https://elba.works/guides/encrypt-files-under-censorship

Where the network is watched, the right encryption tool is one that never uses the network at all. Elba is a single HTML file that runs offline in your browser, seals a folder with AES-256-GCM, and leaves no trace beyond the sealed folder itself.

#### The network-visible footprint
Zero. Elba does not fetch anything at runtime. Once the HTML file is on the device — copied from a USB stick, sideloaded from a friend, downloaded via Tor — no observer can tell it's being used.

#### Distribution matters as much as the tool
Because Elba is one file, it can be handed over on a memory card, printed as a QR-code chain (in principle), or sent as an email attachment. Every copy is a full copy.

#### FAQ
- **Does it need to be re-downloaded to work?** — No. Once you have the file, it works forever offline.
- **Can Elba hide that a folder is encrypted?** — No — sealed data looks like sealed data. If plausible deniability is your requirement, combine Elba with VeraCrypt hidden volumes.

---

### A portable encryption tool that fits on a USB drive
*Keyword: “portable encryption tool usb drive”.*
URL: https://elba.works/guides/portable-encryption-tool-for-usb-drive

A portable encryption tool has to run without installing, without admin rights, and without leaving crumbs on the host machine. Elba is a single HTML file plus a small launcher — a few hundred kilobytes on a USB stick.

#### Setup on a stick
Copy Elba.html and the launcher to your USB drive. Put the folder you want sealed next to them. That's the whole install.
Plug the stick into any Windows, Mac, Linux, or Chromebook machine with a Chromium browser and Elba runs.

#### Crumbs left behind
Elba writes nothing outside the folder you seal. When you unplug the stick, the host machine has no memory of the file having been opened, beyond the browser's normal recent-tabs list — which you can clear.

#### FAQ
- **Does it need admin rights on the host?** — No. A standard user account is enough.
- **What if the USB stick is lost?** — The sealed folder is useless without your password. Keep the password separate from the stick.

---

### The best file encryption without a subscription (2026)
*Keyword: “best file encryption without subscription”.*
URL: https://elba.works/guides/best-file-encryption-without-subscription

File encryption is one of the very few categories where a subscription buys you nothing the standalone tool doesn't already deliver. Here is the honest shortlist for 2026 — all one-time or free.

#### The shortlist
VeraCrypt (free) — disk and container encryption, powerful and technical. age (free) — modern command-line file encryption. GPG (free) — the venerable classic, best for signing and email. Elba (€49 one-time, declining) — folder-level at-rest encryption with a GUI, in one HTML file.

#### How to pick between them
If you want whole-disk or plausible deniability: VeraCrypt. If you're a developer and love the terminal: age. If you also need signing and PKI: GPG. If you want a small, offline, GUI-friendly fence around one folder: Elba.

#### FAQ
- **Is there any subscription file-encryption tool worth paying for?** — For teams, Cryptomator and Tresorit have cases. For a single person and a folder, one-time or free tools win.
- **Does Elba have a free tier?** — Yes — the whole thing becomes free on 1 January 2030 under MIT. Until then it is a one-time purchase at a declining price.

---

### One-time-purchase encryption software (and why it still exists)
*Keyword: “one time purchase encryption software”.*
URL: https://elba.works/guides/one-time-purchase-encryption-software

One-time-purchase encryption software is a small but stubborn category — the tools that treat you as an owner, not a tenant. Elba is one of them: pay once in a given year and the file is yours to keep, back up, and pass on.

#### Why one-time still makes sense
Encryption changes very slowly. AES-256-GCM has been standard for two decades. A tool that does it well does not need continuous new features — it needs to stay small and stay working.

#### What ‘forever’ actually means here
The HTML file works whether or not the maker still exists. There is no license server to check in with. On 1 January 2030 the license becomes MIT, guaranteeing the tool a life beyond the company.

#### FAQ
- **Do updates cost extra?** — No. Updates until 2030 are included with any purchase.
- **Can I use it on more than one machine?** — Yes. Copy the file to as many of your own machines as you like.

---

### An alternative to AxCrypt that isn't a subscription trap
*Keyword: “alternative to axcrypt free”.*
URL: https://elba.works/guides/alternative-to-axcrypt-free

AxCrypt used to be the friendly Windows file encryption tool; its current shape is a freemium ladder. If you want the old-fashioned deal — pay once, own the tool — Elba is a good alternative.

#### Where Elba wins
One-time purchase, no accounts, no cloud, works on any OS with a Chromium browser, source is readable in the HTML file. On 1 January 2030 it becomes MIT open source.

#### Where AxCrypt still wins
Right-click Windows Explorer integration and per-file (not per-folder) workflows. If those are your must-haves, keep AxCrypt.

#### FAQ
- **Can I migrate my AxCrypt files to Elba?** — Decrypt them with AxCrypt first, then move the plain files into a folder and seal that folder with Elba.
- **Is Elba cross-platform?** — Yes — it runs on Windows, macOS, Linux, and ChromeOS in any Chromium browser.

---

### Elba vs VeraCrypt: two different jobs, honestly compared
*Keyword: “elba vs veracrypt”.*
URL: https://elba.works/guides/elba-vs-veracrypt

VeraCrypt encrypts disks and containers; Elba encrypts a folder at the file-format level. They overlap enough to be confused and differ enough to matter. Here's the honest split.

#### Pick VeraCrypt if
You want a full-disk mounted volume, hidden volumes for plausible deniability, or a container that behaves like a virtual drive. VeraCrypt is the mature choice for those.

#### Pick Elba if
You want to seal a single folder without installing anything, keep the whole program in one HTML file, and never touch the network. Elba is smaller, portable, and designed to be readable end to end.

#### You can use both
A VeraCrypt container for the disk and Elba for a specific folder inside your normal filesystem is a perfectly reasonable layered setup.

#### FAQ
- **Is VeraCrypt more secure than Elba?** — They use comparable primitives. VeraCrypt has more features and more attack surface; Elba is smaller and easier to audit end-to-end.
- **Does Elba do hidden volumes?** — No. If plausible deniability is required, use VeraCrypt (or combine both).

---

### Elba vs Cryptomator: local folder vs cloud-transparent vault
*Keyword: “elba vs cryptomator”.*
URL: https://elba.works/guides/elba-vs-cryptomator

Cryptomator's job is to make cloud storage safe. Elba's job is to make one folder on your own machine private. Same word, different problems.

#### Pick Cryptomator if
You keep files in Dropbox / iCloud / Google Drive and want each file individually encrypted so the cloud can still sync. It has mobile clients and works nicely with mounted drives.

#### Pick Elba if
You want a fence around one folder, on one machine, with no accounts, no daemons, and one HTML file you can read. No mobile app, no cloud story beyond ‘back up the sealed folder if you want’.

#### FAQ
- **Can I put an Elba-sealed folder inside Dropbox?** — Yes. Dropbox will sync it as an opaque blob. Cryptomator does per-file sync; Elba does per-folder.
- **Do both use AES?** — Both use AES-based encryption; the file formats differ.

---

### Elba vs Boxcryptor (or: what to do now Boxcryptor is gone)
*Keyword: “elba vs boxcryptor”.*
URL: https://elba.works/guides/elba-vs-boxcryptor

Boxcryptor stopped serving individuals in 2024. If you're looking for a personal replacement, the honest options are Cryptomator (for cloud-mounted encryption) and Elba (for a sealed local folder).

#### Why Elba, specifically
Because ‘the vendor got acquired’ is exactly the risk mortalware is designed to remove. Elba's license becomes MIT on 1 January 2030 no matter what happens to the makers.

#### Migration in one paragraph
Decrypt your Boxcryptor files with your existing installation. Put the plaintext into a folder. Point Elba at that folder and set a password. Delete the Boxcryptor cache.

#### FAQ
- **Does Elba replicate Boxcryptor's cloud integration?** — No — Elba doesn't touch the network. Use Cryptomator for that shape.
- **Is Elba small enough for a USB stick migration?** — Yes — the whole program is one HTML file.

---

### Elba vs 7-Zip encryption: when a zip is enough (and when it isn't)
*Keyword: “elba vs 7zip encryption”.*
URL: https://elba.works/guides/elba-vs-7zip-encryption

7-Zip's AES-256 encryption is the free workhorse for one-off encrypted archives. Elba is a working folder you open and close daily. Different rhythms, different tools.

#### 7-Zip is right when
You want to send an encrypted archive by email once, or hand a client a sealed batch of files. It's a package.

#### Elba is right when
The folder is alive — you add and edit files daily and want it sealed again the moment you close it, without re-zipping.

#### FAQ
- **Is 7-Zip encryption safe?** — Yes — its AES-256 implementation is well-regarded. The friction is the daily-workflow shape, not the crypto.
- **Can I combine them?** — Yes — 7-Zip an archive, drop it into your Elba-sealed folder. Belt and braces.

---

### Elba vs BitLocker: disk vs folder, two layers of the same idea
*Keyword: “elba vs bitlocker”.*
URL: https://elba.works/guides/elba-vs-bitlocker

BitLocker encrypts your Windows disk while it's off. Elba encrypts a specific folder while your logged-in user is present. They protect against different attackers, and using both is normal.

#### BitLocker guards against
Someone stealing the powered-off laptop and pulling the drive.

#### Elba guards against
Someone reading a folder while your session is logged in, or picking up a file that's been backed up to the cloud or a spare drive.

#### FAQ
- **Is BitLocker enough on its own?** — For a stolen laptop, largely yes. For a specific ‘this folder is nobody else's business’ requirement, no.
- **Does Elba conflict with BitLocker?** — No. Elba's sealed folder sits happily inside a BitLocker-encrypted volume.

---

### Elba vs FileVault: macOS full-disk plus folder-level fencing
*Keyword: “elba vs filevault”.*
URL: https://elba.works/guides/elba-vs-filevault

FileVault protects your Mac when it's off. Elba protects a specific folder while you're logged in. Layered, not competing.

#### What FileVault doesn't do
Once you're logged in, every app you launch can, in principle, read your files. FileVault trusts your logged-in session; Elba does not.

#### Where Elba fits on a Mac
Sealed folder for the journal, contracts, tax files, or client notes. Everything else stays in the open filesystem.

#### FAQ
- **Does Elba work on Apple Silicon?** — Yes. Chrome, Edge, Brave, and Arc all run natively on M-series Macs.
- **Does Safari work?** — Not currently — Elba needs the File System Access API, which is Chromium-only.

---

### Elba vs age: a GUI for the ‘just encrypt this folder’ case
*Keyword: “elba vs age”.*
URL: https://elba.works/guides/elba-vs-age-encryption

age is what a good developer reaches for on the command line. Elba is what to hand someone who does not, and wants a folder sealed anyway.

#### age wins when
You script it, pipe it, or use it as part of a backup toolchain. It's small, composable, and elegant.

#### Elba wins when
The person using it doesn't want to know what a shell is. Point at a folder, set a password, close the tab.

#### FAQ
- **Can they interoperate?** — Not directly — different file formats. But you can age-encrypt an archive and drop it inside an Elba-sealed folder if you want two locks.

---

### Elba vs GPG: signing and PKI vs a small local fence
*Keyword: “elba vs gpg”.*
URL: https://elba.works/guides/elba-vs-gpg

GPG is a whole ecosystem — keyrings, web of trust, signing, encrypted email. Elba is a fence around one folder. If you're choosing, you're probably choosing between very different jobs.

#### GPG wins when
You need signed releases, encrypted email (PGP), or a web-of-trust identity. It's the standard.

#### Elba wins when
You just want a local folder sealed with a password and don't want to learn a keyring model to get there.

#### FAQ
- **Does Elba do public-key encryption?** — No. Elba is symmetric (AES-256-GCM) with a password-derived key. It is not a PGP replacement.

---

### Elba vs Proton Drive: sync vs sovereign
*Keyword: “elba vs proton drive”.*
URL: https://elba.works/guides/elba-vs-proton-drive

Proton Drive is a well-made encrypted cloud. Elba is deliberately not a cloud at all. Pick by what you need syncing between machines to do.

#### Pick Proton Drive if
You need mobile access, multi-device sync, and sharing links. You're trusting Proton with metadata but not file contents.

#### Pick Elba if
You want no cloud in the picture. No account, no server, no metadata anywhere but on your machine.

#### FAQ
- **Can I put Elba-sealed folders inside Proton Drive?** — Yes. Proton Drive will sync them as opaque blobs, giving you two layers of encryption.

---

### Elba vs Tresorit: team cloud vs personal folder
*Keyword: “elba vs tresorit”.*
URL: https://elba.works/guides/elba-vs-tresorit

Tresorit is built for teams and compliance. Elba is built for one person and one folder. If you're deciding between them, you're really deciding what job you're doing.

#### Tresorit is right when
You need shared folders, granular permissions, audit trails, and an SLA.

#### Elba is right when
You need one folder sealed on your own machine and would like the whole program to fit in one HTML file.

#### FAQ
- **Can Elba be used inside a company?** — For individual, per-user folders — yes. For team collaboration — no.

---

### File encryption for lawyers: privilege, at rest
*Keyword: “encryption for lawyers”.*
URL: https://elba.works/guides/encryption-for-lawyers

Attorney-client privilege deserves a technical control that is quiet, boring, and inspectable. Elba is exactly that — a single HTML file that seals a folder of client documents with AES-256-GCM.

#### Why local matters in a legal practice
A cloud provider can, in most jurisdictions, be compelled to produce documents. A folder sealed on your own machine with a password only you know cannot be produced by anyone else, because no one else has the key.

#### Fits inside existing case management
Elba does not replace your practice management software. It sits alongside — a sealed ‘private’ folder for work product, drafts, and correspondence you want off the shared drive.

#### FAQ
- **Does this meet ABA / bar guidelines on client data?** — Elba provides the technical control (strong at-rest encryption); compliance is a matter of your firm's written policies.
- **Can multiple attorneys share a sealed folder?** — Yes, over separate channels — share the folder and password securely. For team workflows, pair with a proper document system.

---

### File encryption for therapists and counsellors
*Keyword: “encryption for therapists”.*
URL: https://elba.works/guides/encryption-for-therapists

Session notes belong sealed by default. Elba is a single HTML file that encrypts a folder of notes with AES-256-GCM — no cloud, no account, no telemetry.

#### The ordinary risk model
The realistic risks aren't Hollywood: a laptop left on a train, a shared home computer, a cloud backup no one thought about. Local at-rest encryption addresses all three.

#### Practical setup
Keep one ‘clients’ folder. One sub-folder per client with plain-text or .md notes. Let Elba seal the top folder. Close the tab when you finish the day.

#### FAQ
- **Is this HIPAA-appropriate?** — AES-256 at rest is the technical standard HIPAA references. Written policies and access controls are the rest of the story.
- **Can I still use my EHR?** — Yes. Elba complements an EHR; it doesn't replace it.

---

### File encryption for doctors: HIPAA-grade, at rest
*Keyword: “encryption for doctors hipaa”.*
URL: https://elba.works/guides/encryption-for-doctors-hipaa

HIPAA names AES-256 as an acceptable at-rest control. Elba applies exactly that to a folder on your own machine, from inside your browser.

#### Scope
Elba is appropriate for the personal / secondary storage layer — research notes, personal reference files, drafts. It is not a replacement for a HIPAA-compliant EHR.

#### Compliance posture
Compliance is a combination of technical controls and written policies. Elba delivers the technical primitive; your practice provides the policy wrapper.

#### FAQ
- **Does Elba sign a BAA?** — Elba is a local tool; the publisher never touches your files, so a Business Associate Agreement doesn't apply in the usual sense.
- **Is 256-bit AES-GCM enough?** — It is the standard the regulation references and what modern cloud providers use themselves.

---

### File encryption for writers and novelists
*Keyword: “encryption for writers”.*
URL: https://elba.works/guides/encryption-for-writers-and-novelists

A manuscript is a private thing until it isn't. Elba is a small local tool that keeps your draft folder sealed while you write, without pretending to be a writing app itself.

#### Plain files, sealed folder
Keep chapters as .md or .txt files. Point Elba at the folder. Close when you're done. The folder is unreadable at rest, readable in one click while you work.

#### Not another writing app
Use iA Writer, Scrivener, Ulysses, or plain VS Code — whatever you like. Elba just adds a lock on the folder they open into.

#### FAQ
- **Will Scrivener projects work?** — Yes — Scrivener projects are folders. Seal the parent folder with Elba.
- **Can I back up sealed drafts to the cloud?** — Yes. The sealed folder is safe to sync to iCloud, Dropbox or a USB drive.

---

### File encryption for researchers: sealing research data on your own machine
*Keyword: “encrypt research data”.*
URL: https://elba.works/guides/encryption-for-researchers-and-academics

Research data — interview transcripts, participant records, unpublished results — is the class of file that most benefits from a small, offline fence. Elba is that fence for a folder.

#### Fits the IRB story
Most institutional review boards ask for ‘data encrypted at rest with a strong password’. Elba delivers exactly that primitive, and its source is inspectable in a single HTML file for your IT reviewer.

#### Portable across machines and years
One HTML file, no installer, no license server. The tool you used in year one of the study is the tool you'll be able to use in year five.

#### FAQ
- **Can we submit Elba for IT / IRB review?** — Yes — the whole program is one text file. Reviewers can read it end to end.
- **Does it work for interview audio?** — Yes. Any file type goes in the sealed folder.

---

### File encryption for activists and organisers
*Keyword: “encryption for activists”.*
URL: https://elba.works/guides/encryption-for-activists

Activists need tools with no metadata trail — nothing that ties a folder to a person or an organisation. Elba is a single HTML file with no account, no telemetry, and no server.

#### The ‘no receipts’ property
Elba does not check a license, does not identify you, and does not phone home. There is nothing on the maker's side that could be produced if requested.

#### Combine with the rest of the kit
Signal for comms, Tails or a hardened laptop for the machine, and Elba for the specific folder of files that need to stay sealed at rest.

#### FAQ
- **Can the maker be forced to help decrypt a folder?** — No — the maker never sees your files or your key. There is no capability to compel.
- **Is it OK on Tails?** — Elba runs in Chromium-family browsers; test in your specific Tails setup before relying on it in the field.

---

### File encryption for photographers: RAW files, sealed
*Keyword: “encryption for photographers”.*
URL: https://elba.works/guides/encryption-for-photographers

Photographers hold two kinds of sensitive files: client RAWs that aren't public yet and personal work that isn't for anyone. Elba seals a folder of either with AES-256-GCM.

#### Big folders are fine
Elba seals folders, not individual files, so a 200GB shoot folder is no different in principle from a 20MB one.

#### Backup story
Because the sealed folder is opaque bytes, cloud backup and cold-storage drives are both safe. Your backup provider never sees the images.

#### FAQ
- **Does Lightroom work with a sealed folder?** — Not while sealed. Unseal (open the folder in Elba), work in Lightroom, then close Elba to reseal.
- **Any performance impact?** — Encryption happens on close and decryption on open. While unsealed, the folder is a normal folder.

---

### File encryption for accountants and bookkeepers
*Keyword: “encryption for accountants”.*
URL: https://elba.works/guides/encryption-for-accountants

Client books, payroll, and tax returns are the files most likely to end up on a shared drive by accident. Elba is a small local tool that keeps them sealed by default.

#### One folder per client
The typical shape: a ‘clients’ folder with one sub-folder per client. Seal the top folder with Elba. Everything inside is opaque at rest.

#### Seasonal peace of mind
During tax season the sealed folder can live on your laptop, at the office, and on a backup drive — the same file, the same password, the same behaviour.

#### FAQ
- **Will my accounting software read from a sealed folder?** — Only while it's open. Open Elba, work in QuickBooks / Xero, close Elba to reseal.

---

### File encryption for designers: sealing source files and client work
*Keyword: “encryption for designers”.*
URL: https://elba.works/guides/encryption-for-designers-source-files

Designers hold source files clients paid for and unreleased work clients haven't seen yet. Elba is a one-file, offline fence around either.

#### Formats are agnostic
.psd, .ai, .sketch, .fig exports, .indd — Elba seals a folder, not a file type. Anything in the folder is sealed together.

#### Handover without cloud
Send a client the sealed folder and share the password through a separate channel. They open it with the same free Elba download you used to make it.

#### FAQ
- **Does Elba integrate with Figma?** — No — Figma is cloud-native. Elba is for the offline artifacts you keep on your own machine.

---

### File encryption for founders: cap tables, drafts, and quiet plans
*Keyword: “encryption for founders”.*
URL: https://elba.works/guides/encryption-for-founders-and-startups

Every founder has a folder that is not yet ready for the shared drive: term sheets in progress, cap-table scenarios, draft board decks. Elba is a small local fence around that folder.

#### The pre-share folder
Keep one ‘private’ folder on your laptop. Draft in there. When it's ready, copy the finished document out. Everything else stays sealed at rest.

#### Investor and legal comms
Send the sealed folder if you have to; share the password through a separate channel. The recipient opens it with the same free Elba download.

#### FAQ
- **Better than Google Drive with restricted sharing?** — Different — Google Drive still has your files; a sealed local folder does not leave your machine unless you copy it.

---

### AES-256-GCM, explained without a maths degree
*Keyword: “aes 256 gcm explained”.*
URL: https://elba.works/guides/aes-256-gcm-explained-simply

AES-256-GCM is the encryption primitive Elba uses. It is the same algorithm banks, messaging apps, and TLS use for the actual scrambling. Here it is in plain terms.

#### What each part means
AES is the algorithm — Advanced Encryption Standard, adopted by the US government in 2001 and unbroken since. 256 is the key length in bits — a very large number, chosen for a very large margin of safety. GCM is the mode — the wrapper that also detects tampering, not just scrambles.

#### Why GCM specifically
GCM (Galois/Counter Mode) gives you both confidentiality (nobody can read it) and authenticity (nobody can change it without you noticing). Older modes gave you only the first.

#### What AES-256-GCM does not do
It does not hide that a file exists. It does not protect against a keystroke logger reading your password. It does not save you if you forget the password. Elba's manual covers the honest edges.

#### FAQ
- **Is AES-256-GCM enough for personal files?** — Yes, comfortably. It is the standard modern cloud providers use themselves.
- **How is the key derived from a password?** — PBKDF2 with a per-folder salt, using many iterations to slow brute-force attempts.

---

### How client-side encryption works, in one page
*Keyword: “how client side encryption works”.*
URL: https://elba.works/guides/how-client-side-encryption-works

Client-side encryption is the property that your key exists only on your device. The server (if there is one) never sees your files unencrypted, and — crucially — never sees your key at all.

#### The two-line explanation
You type a password. Your device turns it into a key and uses that key to encrypt your files right there. Only encrypted output ever leaves your device — and in Elba's case, even that stays put.

#### Why it matters
Because ‘encrypted at rest’ is meaningless if the provider holds the key. Client-side encryption is the version where the provider genuinely cannot read your files — Elba pushes this to its limit by having no provider at all.

#### FAQ
- **Is end-to-end the same as client-side?** — End-to-end usually means between two endpoints; client-side means the encryption happens on the endpoint. Signal is both; Elba is client-side without a second endpoint.

---

### How to encrypt files on a Chromebook (properly)
*Keyword: “encrypt files on chromebook”.*
URL: https://elba.works/guides/encrypt-files-on-chromebook

Chromebooks are excellent field devices with a mediocre local encryption story. Elba fixes that with a single HTML file that uses Chrome's own crypto to seal a folder.

#### Setup on ChromeOS
Download Elba.html to the Downloads folder (or a Linux container, if you use one). Double-click. Chrome opens it, and Elba can then point at any folder you have file-system access to.

#### Managed Chromebooks
On managed devices, admin policy may restrict the File System Access API. Ask your admin, or test on a personal profile first.

#### FAQ
- **Does it work offline on a Chromebook?** — Yes. Turn off wifi and Elba still runs.
- **Is Google looking at my files?** — No — Elba does the crypto in the browser locally; nothing is sent to Google or anyone else.

---

### How to encrypt files on a Mac without installing anything
*Keyword: “encrypt files on mac without installing”.*
URL: https://elba.works/guides/encrypt-files-on-mac-without-installing

You can encrypt files on macOS without installing anything by using a Chromium-family browser (Chrome, Arc, Brave, Edge) and a single HTML file. Elba is that file.

#### Setup
Drop Elba.html into ~/Documents or your working folder. Open it in Chrome / Arc / Brave / Edge (Safari doesn't yet support the required API). Point Elba at the folder you want sealed.

#### About FileVault
FileVault protects the whole disk while the Mac is off; Elba protects a specific folder while you're logged in. Using both is normal.

#### FAQ
- **Do I need admin rights?** — No. Elba runs from any folder your user can read.
- **Does Safari work?** — Not yet — Elba requires the File System Access API, which Safari has not yet implemented.

---

### How to encrypt files on Windows without admin rights
*Keyword: “encrypt files on windows without admin”.*
URL: https://elba.works/guides/encrypt-files-on-windows-without-admin

On a locked-down Windows machine you often can't install anything. You can still encrypt a folder: open a single HTML file in Edge, Chrome, or Brave, and let it do the work.

#### Setup
Copy Elba.html to Documents (or a USB stick). Double-click and let Edge open it. Point Elba at the folder you want sealed. Enter a password. Close the tab.

#### About BitLocker
BitLocker protects the disk when the machine is off. Elba protects a specific folder while you're logged in. They layer cleanly.

#### FAQ
- **Will corporate policy block it?** — Elba writes no registry keys and installs nothing. Some managed browsers restrict File System Access — test first.
- **Any files left behind?** — None outside the sealed folder itself. Delete the HTML and there's nothing to clean up.

---

### How to encrypt files in Dropbox, iCloud, or Google Drive safely
*Keyword: “encrypt files in cloud storage”.*
URL: https://elba.works/guides/encrypt-files-in-cloud-storage-safely

The safest way to use cloud storage is to hand it something it cannot read. Encrypt the folder locally with Elba, then let Dropbox, iCloud, or Google Drive sync the sealed bytes.

#### The recipe
1. Put your working folder inside your cloud sync folder (e.g. ~/Dropbox/journal). 2. Point Elba at that folder and set a password. 3. Close Elba to reseal — the cloud syncs the sealed version. 4. Open Elba to unseal when you want to work.

#### What the cloud sees
Opaque bytes. Filenames and folder structure inside the sealed folder are hidden. The cloud can store your island; it can't set foot on it.

#### FAQ
- **Do I lose sync speed?** — The cloud syncs on close, which happens when Elba re-seals. Small folders are near-instant; big folders sync in the background.
- **Better than Cryptomator?** — Different — Cryptomator does per-file cloud-friendly encryption; Elba seals the folder as a unit.

---

### How to encrypt a folder with a password (properly)
*Keyword: “encrypt a folder with a password”.*
URL: https://elba.works/guides/encrypt-a-folder-with-a-password

Encrypting a folder with a password sounds simple, and it should be. Elba does the simple version: pick a folder, set a password, close the tab. The folder is sealed with AES-256-GCM at rest.

#### What ‘properly’ means
The password is turned into a key using PBKDF2 with a per-folder salt. The folder is encrypted with AES-256-GCM. No plaintext copy is left behind. No key is stored on disk.

#### The password advice everyone hates
Twelve characters minimum, or four random words (‘correct-horse-battery-staple’). Write it down on paper. Put the paper somewhere physical. There is no reset link — that's the point.

#### FAQ
- **Can I change the password later?** — Yes, from inside Elba, re-seal with a new password.
- **Can I remove the password?** — You can unseal the folder and leave it unsealed. Elba does not force you to re-encrypt.

---

### What happens if you forget your encryption password?
*Keyword: “forget encryption password”.*
URL: https://elba.works/guides/what-happens-if-you-forget-encryption-password

If you forget the password to an Elba-sealed folder, the contents are unrecoverable. That is not a bug — it is the exact property that makes Elba trustworthy in the first place.

#### Why there's no ‘forgot password’ link
A reset link is a back door. If the maker can reset it, so can anyone who convinces the maker to. Elba has neither the link nor the capability.

#### How to make sure you never need one
Use a four-word passphrase you can remember. Write it on paper and put it somewhere physical. Optionally, put a copy with your will or in a safe deposit box. This is the digital equivalent of a spare house key.

#### FAQ
- **Can the maker recover my folder?** — No — the publisher has no access, no key escrow, no ability to help.
- **What about brute force?** — AES-256-GCM with PBKDF2 makes brute force impractical for a strong password. Use one.

---

### Zero-knowledge encryption, explained without jargon
*Keyword: “zero knowledge encryption”.*
URL: https://elba.works/guides/zero-knowledge-encryption-explained

Zero-knowledge encryption means the service holding your files can't read them, because it never sees the key. Elba is the extreme case: there is no service.

#### Ordinary zero-knowledge
Tools like Proton Drive or Tresorit hold your encrypted files but not the key. If they're compelled to hand something over, it's opaque bytes.

#### Elba's shape
Elba doesn't hold your files at all. There is nothing to hand over, because there is no ‘over there’. The maker has no server, no account, no record.

#### FAQ
- **Is zero-knowledge the same as end-to-end?** — Related. E2E is about two endpoints; zero-knowledge is about the service in the middle. Elba is both, minus the middle.

---

### Why encryption software should be open source, eventually
*Keyword: “open source encryption”.*
URL: https://elba.works/guides/why-encryption-should-be-open-source-eventually

The gold standard for encryption is source you can read. Elba's whole program is inside the HTML file today, and its license becomes MIT on 1 January 2030 — freed, not disabled.

#### Visible source now, free-and-open in 2030
Today, anyone can open Elba.html in a text editor and read the entire tool. In 2030, that source becomes MIT-licensed — anyone can fork, ship, and modify.

#### Why the delay
Because someone has to be paid to make the tool. A few years of one-time purchases fund careful maintenance; the mortalware date guarantees the tool outlives the company.

#### FAQ
- **Can I audit Elba today?** — Yes. Open the HTML file in a text editor. That's the whole program.
- **What if the makers vanish before 2030?** — The 2030 open-source date is written into the license itself; the source is already in your copy of the file.

---

### Mortalware: software with a written expiry on secrecy
*Keyword: “mortalware software concept”.*
URL: https://elba.works/guides/mortalware-software-concept

Mortalware is software that promises, in its licence, to become open source on a fixed date. It is the opposite of software that keeps you locked in forever — it is a tool that outlives the company that sold it.

#### The promise, in one line
Elba is mortalware. You buy it once, the price drops every year, and on 1 January 2030 the entire source becomes MIT-licensed. If we vanish, the tool still works, and the code becomes yours to fork.
Mortalware is a design choice, not a marketing angle. It changes what the company is allowed to do with your loyalty.

#### Why this beats ‘trust us’
Every proprietary tool asks you to trust the vendor's future goodwill. Mortalware writes that goodwill into the licence and gives it a date. You can plan around it.

#### FAQ
- **Is mortalware the same as open source?** — Not yet. Today Elba's source is visible inside the HTML file but not freely re-licensable. On 1 January 2030 it becomes MIT — free to fork, ship, and modify.
- **What if you go bankrupt before 2030?** — The 2030 open-source date is in the licence you already own. Your copy keeps working; the source is inside it.
- **Does the price really keep falling?** — Yes: €49 in 2026, €39 in 2027, €29 in 2028, €19 in 2029, free in 2030.

---

### Declining-price software: paying less the longer you wait
*Keyword: “declining price software model”.*
URL: https://elba.works/guides/declining-price-software-model

A declining-price software model publishes its future prices in advance and lowers them every year until the tool is free. It rewards early adopters with early access and rewards patient buyers with a lower price.

#### Why we chose it
A subscription charges you forever for a tool that mostly stays the same. A one-time price charges you once and asks you to trust that the tool will still be maintained. A declining price does both jobs at once: it funds today's work, and it names a date on which the tool becomes a public good.

#### How to think about ‘when to buy’
If you need the tool now, buy now — the price is the highest it will ever be. If you can wait a year, you pay less. If you can wait until 2030, you pay nothing. All three of those are legitimate answers.

#### FAQ
- **Won't everyone just wait?** — Some will. Most people who need to encrypt a folder need to encrypt it this week, not in 2030.
- **Does buying now include future updates?** — Yes — your single purchase includes every version up to and including the 2030 free release.
- **Is this a discount code?** — No. It's a published price ladder. There are no hidden coupons or sales.

---

### Elba's open-source transition: the roadmap to 2030
*Keyword: “open source encryption transition 2030”.*
URL: https://elba.works/guides/open-source-transition-roadmap-2030

Elba's source has been visible from day one, but its licence is proprietary until 1 January 2030 — at which point it becomes MIT. This page is the plain-language roadmap for that transition.

#### Before 2030
The source is inside the HTML file. You can read it, audit it, and run it forever. You may not re-license or redistribute it. Updates ship on a slow, careful cadence.

#### After 2030
The source is MIT-licensed. Anyone can fork, ship, and modify. The domain and the ‘Elba’ name stay with the makers; the code belongs to everyone.

#### FAQ
- **Will you keep maintaining it after 2030?** — That's the plan, funded by voluntary contributions and any final year of sales. But the point of mortalware is that maintenance no longer depends on us.
- **Do earlier buyers get anything special?** — Yes — every past buyer keeps their paid copy and receives all updates up to and beyond 2030.

---

### Verifiable privacy: why you should be able to read the code
*Keyword: “verifiable privacy tools”.*
URL: https://elba.works/guides/why-privacy-tools-should-be-verifiable

A privacy tool that asks for trust is asking for the wrong thing. A verifiable privacy tool lets you check what it does — either by reading the source or by watching the network. Elba is designed to be verified, not trusted.

#### Two things anyone can check
The source: open Elba.html in a text editor. Every function is there.
The network: open the browser's DevTools while you use it. The Network tab stays empty.

#### Why this matters more than a security certificate
Certificates say ‘someone checked this once’. Verifiability says ‘you can check it any time’. The second promise is the one that survives corporate turnover.

#### FAQ
- **Do I need to be a developer to verify Elba?** — No. The network check takes ten seconds in any browser. Reading the source helps if you want to go further.
- **What if the source is obfuscated?** — It isn't. Elba ships as readable JavaScript inside the HTML.

---

### Why one-file software is the quiet revolution
*Keyword: “single file software”.*
URL: https://elba.works/guides/why-single-file-software-matters

Single-file software is a program that fits in one file with no installer, no update service, and no external dependencies. You copy it, you keep it, you run it in five years. Elba is single-file on purpose.

#### What one file gives you
Portability: it works on any machine with a Chromium browser.
Longevity: nothing to install means nothing to break when the OS updates.
Sovereignty: you own the copy, not a licence key to a service.

#### What it costs
Some features are off the table — background sync, cross-device push, live collaboration. Elba is comfortable with that trade because those features would require a server, and a server would defeat the purpose.

#### FAQ
- **How big is the file?** — Roughly the size of a small photograph. It fits on any USB stick.
- **Can I email it to myself?** — Yes — it's a plain HTML file. Email, cloud drive, USB, all fine.

---

### What is client-side encryption, in plain language
*Keyword: “what is client side encryption”.*
URL: https://elba.works/guides/what-is-client-side-encryption

Client-side encryption means the encryption happens on your device, using a key you hold, before the file goes anywhere. A cloud storing your data sees only sealed bytes; a server operator cannot read your files even if they wanted to.

#### Client-side vs server-side
Server-side encryption means the server holds your key and unlocks the files for you. Convenient, but the operator (and anyone who compels them) can read what's stored.
Client-side encryption keeps the key on your machine. The server holds a locked box it cannot open.

#### How Elba does client-side encryption
Elba runs entirely inside a browser tab. Your password derives a key with PBKDF2; that key seals your folder with AES-256-GCM. The key never touches disk unencrypted and never leaves the tab.

#### FAQ
- **Is client-side encryption the same as end-to-end?** — Client-side is the ingredient; end-to-end is the recipe. Elba is client-side by construction; there is no ‘other end’ because there is no server.
- **What if I lose my password?** — There is no recovery. That's the price of a key nobody else holds.

---

### Zero-network encryption: a tool that never phones home
*Keyword: “zero network encryption tool”.*
URL: https://elba.works/guides/what-is-zero-network-encryption

Zero-network encryption tools do their work without contacting any server, ever. No telemetry, no licence check, no update ping. Elba is one of them, and you can verify the claim in ten seconds with your browser's DevTools.

#### Why ‘just one ping’ is not fine
A single outbound request leaks that you are using the tool, from what IP, and when. Over months, that metadata is a diary. Zero-network is the only setting that avoids writing that diary.

#### How to verify
Open Elba.html in Chrome. Press F12, click Network, then use the tool. If the list stays empty, the promise is true for that session.

#### FAQ
- **Doesn't the browser check the URL?** — The browser loads the local file from disk. No URL to check, no request to make.
- **How do I get updates then?** — You visit the site when you want to. Elba does not check for updates on its own.

---

### Encryption at rest vs in transit: which one Elba is
*Keyword: “encryption at rest vs in transit”.*
URL: https://elba.works/guides/difference-encryption-at-rest-vs-in-transit

Encryption in transit protects data while it moves between two machines (HTTPS is the classic example). Encryption at rest protects data while it sits on disk. Elba does the second job, for one folder, with no assumption that the folder ever moves.

#### When to want which
Sending a file to a colleague? You want encryption in transit (and ideally end-to-end).
Keeping a folder on your laptop that must never be legible to a thief, an ex-employer, or a customs officer? You want encryption at rest.

#### Why Elba stays out of the ‘in transit’ business
Adding transit features means adding a server, and adding a server undoes the ‘never phones home’ promise. Elba stays small so it can stay honest.

#### FAQ
- **Can I still send an Elba-sealed folder?** — Yes — the sealed bytes are safe to email or sync. The recipient needs Elba and the password to open it.
- **Is HTTPS enough on its own?** — For moving a file, often. For a folder that sits on disk for years, no.

---

### PBKDF2, in one page: why passwords need slowing down
*Keyword: “pbkdf2 password based encryption”.*
URL: https://elba.works/guides/how-pbkdf2-password-hashing-works

PBKDF2 (Password-Based Key Derivation Function 2) turns a password into a cryptographic key by hashing it many thousands of times. The point is to make guessing expensive: a computer that could try a billion passwords a second against a raw hash tries only a few thousand against PBKDF2.

#### Why not just hash the password once?
A single hash is fast, and ‘fast’ is exactly what an attacker wants when guessing. PBKDF2 adds deliberate slowness — the same slowness for you, once per unlock; a devastating slowness for a guesser doing billions per second.

#### How Elba uses it
Elba derives a 256-bit AES-GCM key from your password using PBKDF2 with a per-vault salt and a high iteration count. Your password is never stored; only the sealed vault is.

#### FAQ
- **Is PBKDF2 still considered safe?** — Yes, when used with a large iteration count and a random salt. It is a FIPS-approved standard and the WebCrypto default for password-based keys.
- **Would Argon2 be better?** — Argon2 is stronger against custom hardware. PBKDF2 is used because it ships in WebCrypto everywhere — no external dependency needed.

---

### Why WebCrypto is the boring, correct place to encrypt files
*Keyword: “webcrypto api encryption trust”.*
URL: https://elba.works/guides/why-webcrypto-is-trustworthy

The safest cryptography is the one nobody has to write twice. WebCrypto is the standard, audited encryption library built into every modern browser — hardware-accelerated, side-channel-resistant, and reviewed by the people who ship the browsers themselves.

#### What Elba does not do
Elba does not include its own AES implementation. It does not include its own random-number generator. It does not include its own key-derivation code. Every one of those calls goes to the browser's SubtleCrypto API.

#### What we take responsibility for
We take responsibility for calling those primitives correctly, choosing a sane mode (AES-256-GCM), a sane derivation (PBKDF2 with per-vault salt), and never persisting the key. That code is inside the HTML file for you to read.

#### FAQ
- **Which browsers count?** — Chromium-family browsers (Chrome, Edge, Brave, Arc) and Firefox all ship a full WebCrypto. Elba targets Chromium for the file-system access it needs.
- **Is WebCrypto really as good as a native library?** — For AES-GCM it is a thin wrapper over the same primitives OpenSSL uses. It's the same crypto, in a smaller box.

---

### Encrypt tax documents locally — receipts, returns, and P&Ls
*Keyword: “encrypt tax documents”.*
URL: https://elba.works/guides/encrypt-tax-documents-locally

Tax documents are the paperwork you have to keep for years and never want to leak. Elba lets you seal a decade of receipts, returns, and P&Ls in a single folder that sits on your own disk, unreadable to anyone without the password.

#### A folder per tax year
Create one Elba vault per year. Drop in scans, statements, and the final return. The folder syncs safely to any cloud drive for backup — the bytes are already sealed.

#### When your accountant needs a file
Unlock the year you need, export the specific document, send it through your usual channel, and re-lock the folder. The rest of the archive never left its box.

#### FAQ
- **Is this compliant with tax record-keeping rules?** — Elba stores the files; retention policies (7 years in most jurisdictions) still apply to you. Encryption doesn't change what you must keep.
- **Can I share one document without unlocking everything?** — Yes — export the one file you need, then close the vault.

---

### Encrypt medical records on your own computer
*Keyword: “encrypt medical records”.*
URL: https://elba.works/guides/encrypt-medical-records-locally

Your medical history is the most sensitive paperwork you own, and portals age out. Elba lets you keep a personal archive of scans, letters, and test results in a sealed folder on your own machine, portable across doctors and years.

#### What to keep in it
Referral letters, imaging discs, blood-panel PDFs, vaccination records, and the running list of medications. A folder per family member scales quietly.

#### Handing it to a new clinician
Unlock the vault, export the specific document requested, and re-lock. The clinician sees what they need; the rest stays in the box.

#### FAQ
- **Is this HIPAA-compliant?** — HIPAA governs covered entities, not you as a patient. But the same AES-256-GCM used by HIPAA-eligible services also secures your personal Elba vault.
- **Can I keep DICOM imaging?** — Yes — any file type. Large imaging folders take longer to seal but the process is the same.

---

### Encrypt legal case files without a document management system
*Keyword: “encrypt legal case files”.*
URL: https://elba.works/guides/encrypt-legal-case-files

You don't need a document management system to run privileged material safely. A per-case Elba vault gives you a sealed folder per matter — locked at rest, portable to any machine, and free of any third party in the middle.

#### One vault per matter
Name the vault by matter number. Drop in pleadings, discovery, correspondence, and client notes. Back up the sealed bytes to your usual cloud drive — the drive stores an opaque box.

#### Why this matters for privilege
Client-side encryption keeps you in the ‘direct custodian’ position. No vendor holds a key to your client's file; no vendor can be compelled to hand it over.

#### FAQ
- **Can two lawyers share the same vault?** — Yes — copy the sealed folder to a shared drive and share the password out of band. Elba does not manage multi-user access.
- **What about e-discovery?** — You can produce specific files by exporting them from the unlocked vault. Elba doesn't index for you.

---

### Encrypt manuscript drafts before a publisher sees them
*Keyword: “encrypt manuscript drafts”.*
URL: https://elba.works/guides/encrypt-manuscript-drafts

A working manuscript is fragile in a way finished books aren't. Elba gives you a sealed folder for drafts, notes, and research that stays on your machine — safe from a stolen laptop or a curious houseguest.

#### A workspace with a lock on it
One vault per book. Chapters, outlines, character sheets, and the messy research pile all go in. Unlock at the writing desk; re-lock when you close the laptop.

#### Sending pages to an agent or editor
Export the chapter you're sharing, send it, and re-lock the vault. The unfinished parts never leave the island.

#### FAQ
- **Does Elba work with Word and Scrivener files?** — Yes — any file type. Scrivener projects are folders; drop the whole thing in.
- **Will version control work inside the vault?** — You'd need to unlock to run git. For most writers, dated file names inside the vault are enough.

---

### Encrypt family photos without handing them to a cloud
*Keyword: “encrypt family photos”.*
URL: https://elba.works/guides/encrypt-family-photos-privately

The photo archive that matters most is often the one you least want indexed. Elba lets you keep family photos in a sealed folder on your own drive — safe to back up to any cloud, because what the cloud sees is only a locked box.

#### One vault, or one per year
For a lifetime archive, a vault per year keeps unlock times short. For a working ‘favourites’ folder, a single vault is fine.

#### Sharing without unsealing everything
When someone wants a specific photo, unlock the vault, export it, and re-lock. The album is not on Facebook, but the one photo grandma asked for is on its way.

#### FAQ
- **Are large libraries fast enough?** — Sealing several gigabytes takes minutes, not seconds. Once sealed, opening and reading files is fast.
- **Can I still browse thumbnails?** — Only while the vault is unlocked. When sealed, the folder looks like ordinary encrypted bytes.

---

### Encrypt a password list without a password manager
*Keyword: “encrypt a password list file”.*
URL: https://elba.works/guides/encrypt-passwords-list-file

A plain-text file of passwords is not a joke — many people keep one. Elba lets you keep it exactly the way you like, sealed in a folder that a lost laptop cannot betray.

#### Why some people prefer a file to a manager
A file is portable, editable, and doesn't require trusting any vendor's syncing. Sealed with Elba, it also stops being a liability.

#### A safer daily habit
Keep the file inside an Elba vault. Unlock when you need it, copy the one credential you want, and re-lock. Screen viewers see only the vault door.

#### FAQ
- **Is this as safe as a proper password manager?** — A dedicated manager gives you browser autofill and breach alerts. Elba gives you a sealed folder — safer than a bare file, simpler than a manager.
- **Can I keep 2FA backup codes here too?** — Yes. That's exactly the kind of ‘don't want to lose, don't want to leak’ file Elba is for.

---

### Keep a diary on a shared computer — sealed with a password
*Keyword: “encrypt diary shared computer”.*
URL: https://elba.works/guides/encrypt-diary-on-shared-computer

A shared computer is a house with thin walls. Elba lets you keep a private journal in a sealed folder that other users of the same machine cannot open, even if they poke around.

#### Why a folder name is not privacy
Anyone with access to the drive can rename ‘Private’ to something else. A sealed folder resists inspection because there is nothing to inspect but encrypted bytes.

#### A daily routine
Open Elba, unlock the vault, write, save, and re-lock before you walk away. The journal returns to being a box only you can open.

#### FAQ
- **What if someone deletes the vault?** — Encryption doesn't protect against deletion. Keep a copy on a USB stick or a cloud drive.
- **Can they see what I write while I write it?** — Only if they are watching your screen. Elba can't help with shoulders.

---

### Encrypt files before emailing — a folder your recipient can open
*Keyword: “encrypt files before emailing”.*
URL: https://elba.works/guides/encrypt-files-before-emailing

Email is a postcard. If you need to send something sensitive, seal it first. Elba lets you encrypt a folder locally, attach the sealed file, and share the password through a different channel — your mail server sees a locked box.

#### The workflow
Put the files in an Elba vault, seal, and export the sealed bytes as an attachment. Send the password over Signal, SMS, or a phone call — not the same email.

#### What the recipient needs
Their own copy of Elba (or a gifted one) and the password. Nothing else — no account, no plugin, no invitation.

#### FAQ
- **Isn't this what PGP does?** — PGP does the same job with a steeper learning curve. Elba trades key-exchange for a shared password, which most people can actually use.
- **How big can the attachment be?** — Limited by your mail provider — usually 25MB. Larger sealed folders go via a cloud link.

---

### Encrypt source-code secrets without a hosted vault
*Keyword: “encrypt source code secrets”.*
URL: https://elba.works/guides/encrypt-source-code-secrets

A hosted secrets vault is overkill for a solo developer with three side projects. Elba lets you keep every .env file, API key, and deploy note in a single sealed folder on your own machine.

#### A folder per project, or one for all
Small teams often prefer one vault per project so a shared password is scoped. Solo devs get away with one vault and a well-organised tree.

#### Sharing with a collaborator
Copy the sealed folder to a shared drive and hand over the password out of band. No account creation, no seat pricing.

#### FAQ
- **Can CI pull secrets from an Elba vault?** — No — CI needs a machine-readable secret store. Elba is for the human-facing side (local dev, deploy notes, private keys you rotate rarely).
- **Is this as safe as HashiCorp Vault?** — For one person, yes. For a team with rotation and audit needs, you want a real vault.

---

### Encrypt a crypto wallet seed phrase — a digital, sealed backup
*Keyword: “encrypt crypto wallet seed phrase”.*
URL: https://elba.works/guides/encrypt-crypto-wallet-seed-phrase

The safest backup of a crypto seed phrase is a metal plate in a safe. The second-safest is a sealed file on a machine that does not phone home. Elba gives you the second option, at rest, with AES-256-GCM.

#### When digital makes sense
As a redundant backup to the metal, or for smaller ‘hot’ wallets, a sealed Elba vault beats a text file, a screenshot, or a note in a password manager whose vendor could be breached.

#### A safer routine
Write the seed inside the vault. Seal it. Copy the sealed file to two USB sticks kept in different physical locations. Never type the seed on a networked machine again.

#### FAQ
- **Is this better than the wallet's own backup?** — It's a different kind of backup — offline, portable, and outside the wallet vendor's ecosystem.
- **What if I forget the Elba password too?** — Then the digital backup is dead. That's why the physical backup exists.

---

### Encrypt notes: a quiet vault for people speaking up
*Keyword: “encrypt notes whistleblower”.*
URL: https://elba.works/guides/encrypt-notes-for-whistleblowers

Speaking up is dangerous. The paperwork of speaking up — timelines, screenshots, contact lists — is a target. Elba is a sealed local folder that never contacts a server, so there is nothing about your work to subpoena from a vendor.

#### Threats Elba does address
A stolen laptop. A compromised cloud account. A curious IT department. In each case the sealed folder is opaque.

#### Threats it does not
State-level malware on your device, keyloggers, or someone standing behind you. Consider Tails or a dedicated air-gapped machine for the highest-risk work.

#### FAQ
- **Do I have to trust the vendor?** — The vendor (us) never sees your files or your key. The source is inside the HTML file for you to read.
- **Can I destroy the vault quickly?** — Yes — delete the folder. Without the password, the bytes are meaningless.

---

### Encrypt files in hostile environments — travel, borders, hotels
*Keyword: “encrypt files hostile environment”.*
URL: https://elba.works/guides/encrypt-files-in-hostile-environments

In hostile environments, ‘installed encryption software’ can itself be a red flag. Elba is a single HTML file with no installer — it can live on a USB stick, be run and closed, and leave nothing but a sealed folder behind.

#### Travel patterns that work
Keep the sealed folder in cloud storage. Carry a clean laptop through the border. On arrival, download Elba and the sealed folder, work, re-lock, and delete the local copies before returning.

#### What Elba cannot do
It cannot hide that you have encrypted data — the sealed bytes look encrypted. Under duress, the only true protection is not carrying the key or the data.

#### FAQ
- **Is this safer than a hidden container?** — Different trade-off. Hidden containers offer plausible deniability but need more setup and discipline.
- **Should I use Tor?** — For network work, yes. Elba doesn't touch the network at all, so it doesn't need Tor to be safe on disk.

---

### Encrypt interview recordings — for journalists and researchers
*Keyword: “encrypt interview recordings”.*
URL: https://elba.works/guides/encrypt-interview-recordings

Interview recordings are the rawest form of a source's trust. Elba lets you keep audio, transcripts, and consent forms in a sealed vault per project — safe to back up to any cloud, unreadable without your password.

#### One vault per story or study
Bundle audio, timestamps, transcript, and consent paperwork together. When the piece publishes, archive the whole sealed vault; when a source withdraws, delete cleanly.

#### Working with a transcription service
Export the one audio file you need transcribed, send it, and re-lock. The rest of the story stays in the vault.

#### FAQ
- **Can I keep hours of audio in one vault?** — Yes. Large vaults take longer to seal, but sizes into the tens of gigabytes are fine.
- **Does Elba do the transcription?** — No. Use your usual tool; Elba just keeps the source material safe.

---

### Encrypt financial spreadsheets — bookkeeping without a portal
*Keyword: “encrypt financial spreadsheets”.*
URL: https://elba.works/guides/encrypt-financial-spreadsheets

Small-business finances live in a few spreadsheets and a mess of PDFs. Elba lets you keep the lot in a sealed folder on your own machine — no accountant portal, no cloud spreadsheet, no monthly seat fee.

#### A vault per fiscal year
Ledgers, invoices, receipts, payroll, and VAT paperwork sealed together. Cloud backup of the sealed folder is safe.

#### Working with an accountant
Unlock, export the specific reports needed, re-lock. The accountant sees the numbers; the rest of the archive stays in the box.

#### FAQ
- **Does Elba open .xlsx files?** — Elba encrypts and decrypts files; you open them in your normal spreadsheet app once the vault is unlocked.
- **What about live-shared sheets?** — For live collaboration you still want Google Sheets or similar. Elba is for the archived, private copy.

---

### Encrypt genealogy research — family archives, sealed
*Keyword: “encrypt genealogy research”.*
URL: https://elba.works/guides/encrypt-genealogy-research

Genealogy files are the sort of archive you inherit and pass on — decades of certificates, letters, and scans. Elba lets you keep the lot in a sealed folder on your own machine, safe to back up to any cloud drive.

#### One vault, many decades
Birth, marriage, and death certificates; letters; scans of old photographs; DNA test PDFs. All sealed together, browsable while unlocked, opaque at rest.

#### Sharing with cousins
Copy the sealed vault to a family cloud drive. Share the password with the relatives you trust. No genealogy site sees the archive.

#### FAQ
- **Can I keep DNA raw data files here?** — Yes — that's exactly the kind of file you don't want indexed by an advertising graph.
- **Is a lifetime vault sensible?** — For most families, yes. If it grows past tens of gigabytes, split by decade.

---

### Encryption for nurses — private notes, on your own device
*Keyword: “encryption for nurses”.*
URL: https://elba.works/guides/encryption-for-nurses

Nurses accumulate paperwork that is technically ‘personal’ but clinically sensitive: study notes, handover summaries, incident reflections. Elba lets you keep it all in a sealed folder on your own machine.

#### What belongs in your Elba vault
CPD portfolio drafts, exam prep, personal reflections on shifts, and any note you'd hate a curious housemate to read. Not patient PHI — that stays in the hospital system.

#### Why not just a folder with a password on the ZIP?
Zip passwords are legacy-weak. Elba uses AES-256-GCM with PBKDF2 — the same primitives banking software uses at rest.

#### FAQ
- **Can I put patient records in here?** — No — patient records must stay in the hospital's approved systems. Elba is for your personal, professional life.
- **Will my hospital IT block it?** — Elba is one HTML file. It runs in the browser without installation on almost any policy-locked machine.

---

### Encryption for social workers — case notes off the clipboard
*Keyword: “encryption for social workers”.*
URL: https://elba.works/guides/encryption-for-social-workers

Social workers carry sensitive detail in the seams between systems — home-visit notes, supervision reflections, drafts you haven't yet uploaded. Elba is a sealed folder for that middle space.

#### The private working copy
Rough notes, plans, and personal reflections live in an Elba vault on your machine. Finalised case records go into your agency's system, as policy requires.

#### On a personal device
If you draft anything about work on a personal laptop, the sealed vault is the minimum discipline. It stops a stolen device becoming a data breach.

#### FAQ
- **Is this compliant with local safeguarding rules?** — Encryption at rest with AES-256-GCM meets or exceeds most safeguarding standards. Retention and disposal rules still apply.
- **Can two workers share a vault for joint cases?** — Yes — share the sealed folder and the password out of band. Elba does not manage users.

---

### Encryption for clergy — pastoral notes kept privately
*Keyword: “encryption for clergy pastoral notes”.*
URL: https://elba.works/guides/encryption-for-clergy-confession-notes

Pastoral notes are among the most trusted paperwork a person keeps. Elba lets clergy keep them in a sealed folder on their own machine — no diocesan cloud, no third party.

#### Discipline of the sealed folder
One vault, unlocked in a quiet study, closed before the next visitor. The bytes on disk are opaque to anyone without the password.

#### Backup without breach
Copy the sealed vault to a personal USB stick or an encrypted external drive. The backup carries the seal.

#### FAQ
- **Is this appropriate for confession notes?** — That's a canonical question, not a technical one. Where such notes exist and are permitted, Elba is a stronger vault than a locked drawer.
- **What about after I die?** — Consider a written procedure: a trusted colleague with a sealed envelope containing the password, opened only by policy.

---

### Encryption for private investigators — case files sealed
*Keyword: “encryption for private investigators”.*
URL: https://elba.works/guides/encryption-for-private-investigators

Private investigators run a document-heavy practice on someone else's payroll. Elba gives you a per-case sealed vault that travels with you and reveals nothing at rest.

#### A vault per client, per case
Photos, timelines, witness statements, and receipts all in one sealed folder. Copy to a client-facing drive when the case closes; keep or destroy per contract.

#### Chain of custody
Elba does not sign or notarise files. For chain-of-custody work, keep the original hashes in a separate log; the vault protects the contents at rest.

#### FAQ
- **Can I hand a vault to a client?** — Yes — the sealed bytes plus the password give them the whole case.
- **What about court-admissible evidence?** — Encryption doesn't change admissibility. Follow your jurisdiction's evidence-handling rules.

---

### Encryption for human-rights workers — a quiet, verifiable tool
*Keyword: “encryption for human rights workers”.*
URL: https://elba.works/guides/encryption-for-human-rights-workers

Human-rights work is the classic threat model: sensitive documents, unreliable networks, and adversaries with resources. Elba is a single HTML file that seals a folder locally, verifiable in source, and never touches a network.

#### What it protects
Interview notes, victim testimonies, and case dossiers at rest on a laptop or USB stick. A lost or seized device reveals only sealed bytes.

#### What it doesn't
Network traffic, device-level malware, or someone forcing you to unlock. Combine Elba with Tor, Tails, or dedicated hardware where the threat requires it.

#### FAQ
- **Can it be audited by a security team?** — Yes — the entire program is inside the HTML file. Read it, run it in an isolated tab, watch the Network panel.
- **Does the vendor keep a backdoor?** — There is nothing to backdoor — no server, no account, no key on our side.

---

### Encryption for independent auditors — engagements sealed per client
*Keyword: “encryption for auditors”.*
URL: https://elba.works/guides/encryption-for-independent-auditors

Independent auditors handle other people's numbers under strict confidentiality. Elba lets you keep each engagement in its own sealed vault — no firm-wide SaaS, no vendor between you and the client's file.

#### A vault per engagement
Working papers, evidence PDFs, and management-letter drafts all in one place. When the engagement closes, archive the sealed vault to long-term storage.

#### Retention discipline
Encryption doesn't change your retention rules. Elba only makes sure the archive stays unreadable to anyone without the password for the years it must be kept.

#### FAQ
- **Is a sealed vault acceptable to my professional body?** — Most professional bodies require AES-256 at rest for client files. Elba meets that bar.
- **Can I share a vault with a client for review?** — Yes — hand over the sealed folder and the password out of band.

---

### Encryption for translators — NDAs and confidential source texts
*Keyword: “encryption for translators nda”.*
URL: https://elba.works/guides/encryption-for-translators-nda-work

Freelance translators sign NDAs for a living. Elba is the simplest way to meet the ‘encryption at rest’ clause most of those contracts contain — a sealed per-client vault on your own machine.

#### A vault per client
Source texts, translation memories, glossaries, and drafts all sealed together. Delivery goes through the client's usual channel; the working copy stays in the vault.

#### After delivery
Keep the sealed vault for the contractual retention period, then delete. AES-256-GCM without the password is effectively noise.

#### FAQ
- **Does this satisfy ISO 17100 / typical NDA clauses?** — For the encryption-at-rest requirement, yes. Access control, secure delivery, and disposal are your operational responsibility.
- **Can CAT tools work inside the vault?** — You unlock the vault, run the CAT tool as normal, and re-lock when done.

---

### Encryption for executive assistants — the private drawer, digital
*Keyword: “encryption for executive assistants”.*
URL: https://elba.works/guides/encryption-for-executive-assistants

Executive assistants carry a lot of small, sensitive detail — travel plans, personal correspondence, board paperwork. Elba is a sealed drawer for the digital half of that job.

#### What goes in the vault
Personal documents for your principal, travel itineraries, home addresses, and any file you'd never leave on the desk. Not company financials — those belong in the corporate system.

#### Working across two computers
Copy the sealed vault between machines on a USB stick or a personal cloud drive. The bytes are opaque; the password never crosses the wire.

#### FAQ
- **Is this the right tool for board packs?** — For your personal working copy, yes. Official distribution should still go through the company's board portal.
- **What if I leave the role?** — Hand over the sealed vault and password by policy, then delete your local copy.

---

### Encrypt files on Linux without root or LUKS
*Keyword: “encrypt files on linux no root”.*
URL: https://elba.works/guides/encrypt-files-on-linux-without-root

You don't need root or LUKS to encrypt a folder on Linux. Elba runs in Chromium or Chrome as a normal user and seals a folder with AES-256-GCM — no admin, no full-disk migration.

#### When per-folder beats full-disk
Full-disk encryption protects a machine at rest but exposes everything the moment you log in. A per-folder Elba vault stays sealed even while you're using the computer.

#### What you need
A Chromium-family browser (Chromium, Chrome, Brave, Edge, Vivaldi). Firefox is usable for many features but Elba targets Chromium's File System Access API.

#### FAQ
- **Does this replace LUKS?** — No — LUKS protects the whole disk offline. Elba complements it for folders that must also be sealed while the machine is running.
- **Works on Wayland?** — Yes — Elba is a browser tab; it uses whatever your browser uses.

---

### Encrypt files on iPad in the browser — with a caveat
*Keyword: “encrypt files on ipad browser”.*
URL: https://elba.works/guides/encrypt-files-on-ipad-browser

iPad browsers are all WebKit under the hood, so the File System Access API Elba prefers is not available. Elba still runs, but the ‘folder’ workflow is best kept to a Mac or Windows machine and the iPad used for reading.

#### What works on iPad today
Opening Elba, entering a password, and unsealing individual files copied into the Files app. Good for reading; awkward for editing whole folders.

#### The practical setup
Do the folder work on your laptop; sync the sealed vault to iCloud; open individual files on the iPad through Elba when you need them.

#### FAQ
- **Will this improve when Apple ships real Chromium?** — Yes — the EU DMA rules mean real Chromium is arriving on iOS, and Elba will benefit directly.
- **Is Safari usable at all?** — For unsealing single files, yes. For folder work, wait for Chromium on iOS.

---

### Encrypt files on a library or hotel computer — carefully
*Keyword: “encrypt files public computer”.*
URL: https://elba.works/guides/encrypt-files-on-library-public-computer

A library or hotel computer is not your machine. Encryption alone cannot protect you from keyloggers or screen recorders on hardware you don't control. Elba is useful in narrow cases; the wider advice is to avoid touching sensitive data on shared computers at all.

#### Safer patterns
Read a sealed vault (from your USB stick) on the public machine, but do not type your password if you suspect a keylogger. If the machine allows a fresh browser session and reboot, that helps a little; it is not a real defence.

#### What to avoid
Editing sensitive work, entering banking credentials, or opening long-term vault passwords on any shared machine. Wait until you are on your own device.

#### FAQ
- **Should I use my main password?** — No. If the machine is compromised, a captured password compromises every vault it opens.
- **Is a portable browser safer?** — A little, but not enough. Assume the hardware is not yours.

---

### Encrypt personal files on a work laptop — sensibly
*Keyword: “encrypt files on work laptop personal”.*
URL: https://elba.works/guides/encrypt-files-on-work-laptop

Personal files on a work laptop are a grey area. Elba can seal a small folder locally in a browser tab — no installer, no admin — but the honest first step is to check your employer's acceptable-use policy.

#### When it's fine
Personal notes, side-project drafts, or a personal password list you keep on the machine you use every day. The vault stops a colleague or IT sweep from casually reading them.

#### When it isn't
Company data that must live in company systems. Employer-owned devices in regulated industries where personal files are prohibited. When in doubt, use a personal machine for personal things.

#### FAQ
- **Can IT still see the sealed folder?** — They can see it exists as encrypted bytes. They cannot read its contents.
- **What about MDM tools?** — MDM can see file names and sizes; some can screen-record. Encryption at rest doesn't defeat live surveillance.

---

### Encrypt files on an air-gapped machine — Elba fits well
*Keyword: “encrypt files airgapped machine”.*
URL: https://elba.works/guides/encrypt-files-offline-airgapped-machine

An air-gapped machine has no network by design. Elba runs entirely offline in a browser tab, which makes it a natural fit — you don't have to trust that it stayed offline; the tool cannot go online in the first place.

#### A workflow that keeps the gap
Transfer Elba.html to the air-gapped machine on a USB stick. Open it in a local Chromium install. Seal or unseal folders as needed. Move the sealed bytes back out on the same stick.

#### Why this is stronger than desktop tools
Desktop tools can, in principle, be updated silently the next time the machine comes online. An HTML file sitting in a folder does not update itself.

#### FAQ
- **Does Elba ever try to contact a server?** — No — you can verify this in DevTools before you disconnect the machine.
- **Is Chromium safe on an air-gapped machine?** — Yes, if it too was installed offline from a verified source. That's a wider hygiene question, not an Elba one.

---

### Run encryption from a USB stick with no install
*Keyword: “portable usb encryption no install”.*
URL: https://elba.works/guides/run-encryption-from-usb-no-install

You can run Elba entirely from a USB stick with no installation on the host machine. Copy Elba.html and (optionally) a portable Chromium to the stick, plug it in, open, and seal a folder.

#### What to put on the stick
Elba.html itself; the sealed vault or vaults; optionally a portable Chromium build if you don't trust the host's browser.

#### When you unplug
Nothing remains installed. The browser tab is gone; the sealed vault leaves with you. Anything you exported into the host's file system, of course, does not.

#### FAQ
- **Do I need admin rights on the host?** — Not to run Elba from the stick. Portable Chromium may require permission depending on OS policy.
- **Is a USB stick safe long-term?** — USB flash decays over years. Keep a second copy on a different stick or in a sealed cloud backup.

---

### Elba vs NordLocker — local one-file tool vs subscription cloud
*Keyword: “elba vs nordlocker”.*
URL: https://elba.works/guides/elba-vs-nordlocker

NordLocker is a subscription end-to-end encrypted cloud drive. Elba is a one-time purchase HTML file that seals a folder on your own machine. They solve different problems.

#### Pick NordLocker if
You want built-in cloud sync, cross-device apps, and are comfortable paying monthly for a vendor to hold your encrypted bytes.

#### Pick Elba if
You want a one-time price, no account, and a tool that never contacts a server. Cloud backup is fine — just point your existing cloud at the sealed folder.

#### FAQ
- **Are both AES-256?** — Yes. The difference is the surrounding architecture, not the primitive.
- **Can I move from NordLocker to Elba?** — Yes — decrypt in NordLocker, drop the plaintext into an Elba vault, seal, and delete originals.

---

### Elba vs AxCrypt — one HTML file vs a Windows-first installer
*Keyword: “elba vs axcrypt”.*
URL: https://elba.works/guides/elba-vs-axcrypt

AxCrypt is a mature Windows-first encryption app with a limited free tier and premium plans. Elba is a single HTML file, no installer, one-time purchase, and equally usable on Mac, Linux, and Chromebook.

#### Where AxCrypt wins
OS integration (right-click ‘encrypt’), a free entry tier, and cloud-storage awareness on Windows.

#### Where Elba wins
Portability across every OS, no installer, no account, no annual fee, and a licence that becomes MIT in 2030.

#### FAQ
- **Is AxCrypt's free tier enough?** — For occasional single-file encryption, sometimes. For folders and stronger key derivation, you're on their premium.
- **Can I read AxCrypt files with Elba?** — No — file formats differ. Decrypt in AxCrypt, then reseal with Elba.

---

### Elba vs Sync.com — private cloud vs private folder
*Keyword: “elba vs sync.com”.*
URL: https://elba.works/guides/elba-vs-sync-com

Sync.com is a zero-knowledge cloud drive with strong end-to-end encryption. Elba is a local sealed folder with no cloud at all. They're compatible — many people use both.

#### When you want Sync.com
Multi-device sync, sharing links, and a genuine cloud drive whose operator cannot read your files.

#### When you want Elba
You'd rather not upload at all. Sealed folder on disk; if you like, use Sync.com to back up the sealed bytes.

#### FAQ
- **Is one more secure?** — Different threat models. Elba has no server to breach; Sync.com has one that stores only sealed bytes.
- **Can I combine them?** — Yes — put the Elba vault inside your Sync.com folder. Belt and braces.

---

### Elba vs MEGA — encrypted cloud drive vs local sealed folder
*Keyword: “elba vs mega”.*
URL: https://elba.works/guides/elba-vs-mega

MEGA is a large encrypted cloud drive with generous free storage. Elba is a one-file local vault. They serve different jobs and often live side by side.

#### Pick MEGA if
You want tens of gigabytes of encrypted cloud storage with sync clients on multiple devices.

#### Pick Elba if
You want the folder never to leave your machine. Use MEGA to back up the sealed bytes if you like.

#### FAQ
- **Is MEGA's encryption end-to-end?** — Yes for storage. But the client is delivered from their servers each session — a subtly different trust model than a local HTML file.
- **Can I keep the Elba vault in a MEGA folder?** — Yes. That's a common setup.

---

### Elba vs Standard Notes — encrypted notes app vs sealed folder
*Keyword: “elba vs standard notes”.*
URL: https://elba.works/guides/elba-vs-standard-notes

Standard Notes is a purpose-built end-to-end encrypted notes app. Elba is a general-purpose sealed folder for arbitrary files. Choose by what you're storing.

#### Pick Standard Notes if
You want a notes editor with tags, sync, and a long track record of encryption discipline.

#### Pick Elba if
Your ‘notes’ are actually a folder of PDFs, images, spreadsheets, and text, and you want them sealed together on your own machine.

#### FAQ
- **Can Elba hold Markdown notes?** — Yes — any file. Write in your favourite editor, save into the vault, re-seal.
- **Which has better sync?** — Standard Notes, by design. Elba doesn't sync — you do, using any drive you already trust.

---

### Elba vs Obsidian's encrypted vault plugins
*Keyword: “elba vs obsidian encrypted vault”.*
URL: https://elba.works/guides/elba-vs-obsidian-encrypted-vault

Obsidian has plugins that encrypt individual notes inside a vault. Elba encrypts the whole vault folder — Obsidian's notes, attachments, and configuration — from the outside. The two approaches compose well.

#### Per-note vs per-vault
Per-note plugins protect specific notes but leak titles, tags, and attachments. Per-vault sealing hides everything until you unlock the folder and open Obsidian.

#### A workflow
Keep the Obsidian vault inside an Elba vault. Unlock, work in Obsidian, close Obsidian, re-seal the Elba vault before closing the laptop.

#### FAQ
- **Does Obsidian Sync still work?** — You'd need to leave the Obsidian vault unsealed for Sync to work in real time. Choose one or the other, or accept manual sync.
- **Does Elba corrupt Obsidian's index?** — No — Elba only writes when sealing. Obsidian reads its files as usual while unsealed.

---

### Elba vs KeePass attachments — password manager or sealed folder
*Keyword: “elba vs keepass attachments”.*
URL: https://elba.works/guides/elba-vs-keepass-attachments

KeePass supports attaching files to password entries, and some people use that as a poor-man's document safe. Elba is a proper sealed folder. Use the right tool for the right job.

#### Where KeePass wins
Passwords, TOTP seeds, and small text notes with search and browser autofill.

#### Where Elba wins
Anything larger or more folder-shaped: scans, letters, spreadsheets, drafts. Better search, faster reads, no bloated KDBX file.

#### FAQ
- **Can I replace KeePass with Elba?** — Not really — Elba has no password autofill. Keep KeePass for credentials, Elba for documents.
- **Is KeePass encryption weaker?** — It's strong. This is about ergonomics, not primitives.

---

### Elba vs EncFS — legacy per-file FUSE vs modern per-vault
*Keyword: “elba vs encfs”.*
URL: https://elba.works/guides/elba-vs-encfs

EncFS is a legacy per-file FUSE encryption layer with a public audit showing weaknesses when files are modified in place. Elba is a modern per-vault sealed folder built on WebCrypto's AES-256-GCM.

#### Why EncFS is a hard recommend today
The 2014 audit flagged issues that were never fully addressed. Modern alternatives (gocryptfs, Cryptomator, Elba) exist and are actively maintained.

#### Migrating away
Mount your EncFS volume, copy contents into an Elba vault, seal, and remove the EncFS layer.

#### FAQ
- **Is EncFS still safe for read-only archives?** — For static, read-only data the known issues are less exploitable, but replacing is still recommended.
- **Does Elba mount as a filesystem?** — No — it's a browser-based vault, not a FUSE layer. Simpler, less integrated.

---

### Elba vs LUKS — full-disk vs per-folder encryption on Linux
*Keyword: “elba vs luks”.*
URL: https://elba.works/guides/elba-vs-luks

LUKS encrypts an entire disk at rest — powerful, but ‘at rest’ ends the moment you log in. Elba encrypts a single folder that stays sealed even while the machine is running. The two are complementary on Linux.

#### Use LUKS for
Protecting the whole machine against theft when it is powered off.

#### Use Elba for
Protecting specific folders while you're logged in and using the machine — the vault stays sealed until you enter its password.

#### FAQ
- **Do I need admin to use Elba on Linux?** — No. LUKS needs admin to configure; Elba runs as your normal user.
- **Do they interfere?** — Not at all. LUKS is a lower-level disk feature; Elba is a browser tool.

---

### Elba vs Picocrypt — tiny installer vs one HTML file
*Keyword: “elba vs picocrypt”.*
URL: https://elba.works/guides/elba-vs-picocrypt

Picocrypt is a well-regarded, small cross-platform installer that encrypts files with Argon2 and XChaCha20. Elba is a single HTML file with AES-256-GCM and PBKDF2, delivered without an installer.

#### Pick Picocrypt if
You want Argon2's stronger resistance to custom hardware and don't mind installing a small binary per OS.

#### Pick Elba if
You want zero installation, one file that works everywhere with a Chromium browser, a declining one-time price, and mortalware licensing to 2030.

#### FAQ
- **Is AES-256-GCM weaker than XChaCha20?** — No — both are considered strong. The difference is real but small at the primitive level.
- **Can I use both?** — Yes. Some people use Picocrypt for archives and Elba for a working folder.

---

### Elba vs Signal ‘Note to Self’ — private chat vs sealed folder
*Keyword: “elba vs signal note to self”.*
URL: https://elba.works/guides/elba-vs-signal-note-to-self

Signal's ‘Note to Self’ conversation is a fine encrypted scratchpad. Elba is a proper file vault. They complement each other: quick thoughts to Signal, folders and documents to Elba.

#### Where Signal wins
Fast entry on your phone, sync between your Signal-linked devices, and no separate password to remember beyond your Signal PIN.

#### Where Elba wins
Arbitrary file types, folder-scale archives, and independence from any account or vendor.

#### FAQ
- **Is Signal's Note to Self really encrypted at rest?** — Yes, tied to your device's storage encryption and Signal's own protections.
- **Should I keep passwords in Signal notes?** — For a scratch one-liner, maybe. For a real list, use Elba (or a password manager).

---

## Answers — short, direct answer pages
_50 answers, grouped by cluster._

### Cluster A — The escape queries

### VeraCrypt is too complicated — is there a simpler way to encrypt one folder?
*Cluster A — The escape queries. Keyword: “veracrypt too complicated simpler alternative”.*
URL: https://elba.works/answers/veracrypt-too-complicated-simpler-way

Yes. VeraCrypt is excellent, uncompromising software — and it is unmistakably built for people who read cryptography documentation for fun. If you only want to seal one folder on your own laptop, you don't need volumes, hidden containers, keyfiles, or a mount step. You need a password and a file that turns your folder into ciphertext when you close it and back into a folder when you open it.

#### What VeraCrypt is good at, honestly
VeraCrypt shines when you need a large encrypted volume, plausible deniability with hidden containers, or full-disk encryption on Windows. It has been audited, it is free, and it will outlive most of us. If your threat model needs those features, use it.
The complexity people bounce off is not incidental — it is the price of the feature set. Volume creation wizards, mounting, dismounting, keyfile management, and the mental model of 'a file that pretends to be a disk' are all real things you have to hold in your head.

#### When 'one folder, one password' is enough
Most people asking this question don't need a virtual disk. They have a folder of tax documents, or a journal, or a passport scan, and they want it unreadable when the laptop is closed and readable when they type a password.
For that job, a single-file encryption tool is the honest match. No install, no mount, no admin rights. You open the tool, point it at the folder, and set a password. It writes an encrypted bundle next to it.

#### Where Elba sits
Elba is one HTML file. You open it in Chrome, Edge, Brave, or Arc; it seals a folder with AES-256-GCM inside that tab. There is no install, no account, no network. When you close the tab, it is gone; when you open it again, it is exactly what you saved.
Elba does less than VeraCrypt on purpose. There is no volume, no hidden container, no mount. If those are what you need, VeraCrypt remains the right answer. If they are not, the simpler tool is the safer tool to actually use.

#### FAQ
- **Is Elba as secure as VeraCrypt for a single folder?** — For the 'encrypt one folder with a password' job, both use standard, audited primitives — AES-256 in a modern authenticated mode with a key derived from your passphrase. Neither has a shortcut past a strong password.
- **Can I keep using VeraCrypt for big volumes and Elba for small folders?** — Yes. They solve different jobs and do not conflict. Many people do exactly this.
- **Does Elba have hidden containers or plausible deniability?** — No. If plausible deniability is part of your threat model, use VeraCrypt.

---

### Cryptomator vs a single-file vault — which one for a folder that never leaves your computer?
*Cluster A — The escape queries. Keyword: “cryptomator vs single file vault local folder”.*
URL: https://elba.works/answers/cryptomator-vs-single-file-vault

Cryptomator is designed around one very specific job: making a cloud sync folder — Dropbox, iCloud, OneDrive — encrypted from the moment your file leaves your machine. It does that job beautifully. If your folder never leaves your computer, you're paying for a feature you don't use.

#### What Cryptomator optimises for
Cryptomator encrypts files individually and stores them in a folder structure a sync client can walk. That is the whole trick: your cloud provider sees encrypted blobs, syncs them, and never sees your filenames or contents.
The consequence is that you always work with a mounted virtual drive. You install the app, unlock the vault, and use it like a normal folder. When you're done, you lock it. It is well-made and free.

#### What a single-file vault optimises for
A single-file vault takes a folder and turns it into one encrypted bundle. There is no per-file structure to sync, no mounted drive, and no install. You get one file that is either sealed or not.
For a folder that lives on your laptop and never touches a cloud, that is the smaller and honest shape. Fewer moving parts, no background process, no daemon watching the folder.

#### How to choose
Use Cryptomator when the folder must sync to a cloud provider you do not want to trust with its contents.
Use a single-file vault (Elba is one) when the folder lives on your machine, or on a USB stick, or in a backup you make yourself. It ships as one HTML file, runs in a Chromium browser, uses AES-256-GCM, and makes no network requests.

#### FAQ
- **Can I put a single-file vault inside a cloud folder?** — Yes — the encrypted bundle is ordinary bytes and can sync safely. The tradeoff is you upload the whole bundle when any file inside changes, versus Cryptomator's per-file sync.
- **Is one more secure than the other?** — Both use modern authenticated encryption with key derivation. Neither is meaningfully stronger for the same passphrase; they are shaped for different workflows.
- **Does Elba need to be installed?** — No. It is a single HTML file that runs in your browser.

---

### How to encrypt a folder without installing any software
*Cluster A — The escape queries. Keyword: “encrypt folder without installing software”.*
URL: https://elba.works/answers/encrypt-folder-without-installing

You have three real options: your operating system's built-in encryption (BitLocker, FileVault, LUKS), a portable command-line tool run from a USB stick (age, gpg, 7-Zip's portable build), or a single-file browser tool that uses the browser's own crypto. Each avoids the classic 'download the setup.exe' step, and each has a shape you should choose deliberately.

#### Option 1: what your OS gives you
Windows Pro has BitLocker To Go for USB drives; macOS has Disk Utility for encrypted DMGs; Linux has LUKS. These are excellent for whole-disk or whole-drive protection. For 'one folder inside my Documents', they are awkward, and BitLocker in particular requires admin rights.

#### Option 2: portable command-line tools
age, gpg, and 7-Zip all have portable builds you can run from a USB stick with no install. They are strong and free. The friction is the terminal — you need to remember flags, and 'encrypt this folder' becomes 'tar it, then pipe it to the tool, then delete the plaintext'.

#### Option 3: a single browser file
Every modern computer already has a Chromium-family browser with an audited AES-GCM implementation built in. A single HTML file can use that crypto to seal a folder, and it runs on any OS without installation or admin rights.
Elba is that file. You open it, drop a folder in, set a passphrase. It writes an encrypted bundle beside the folder. No setup, no service, no account.

#### FAQ
- **Does 'no install' also mean 'no admin rights'?** — For Elba, yes — you only need a browser you already have. For BitLocker or FileVault, you typically need admin access to enable the feature.
- **Can I run Elba from a USB stick?** — Yes. Copy the HTML file to the stick and open it from there. It carries nothing between machines.
- **Is there anything to uninstall later?** — No. Delete the HTML file and it is gone. Nothing is written to your system.

---

### A password vault you buy once — no subscription, no monthly fee
*Cluster A — The escape queries. Keyword: “one time purchase password vault no subscription”.*
URL: https://elba.works/answers/one-time-purchase-encryption

One-time-purchase encryption software still exists — it is simply less loud than the subscription category. You are trading three things for a smaller price tag: no cloud sync you didn't ask for, no team features, and no ongoing bug-fix cadence funded by monthly revenue. For most personal 'keep this folder to myself' cases, that is a fair trade.

#### Why so much of this became a subscription
Subscription pricing funds cloud infrastructure, cross-device sync, shared team vaults, and continuous product engineering. If you need those, the subscription is honest.
If you do not — if you have one machine, one folder, and no team — you are paying rent on features you never open.

#### What a one-time-purchase file vault gets right
You own the file. If the company disappears, your copy still runs. If they change their mind about pricing, your copy still runs. If they add features you don't want, you can ignore the update.
The tradeoff is honest: no sync, no shared teams, sometimes no automatic updates. For a personal folder, that is often the point.

#### Elba's shape
Elba is €49 today. The price falls every year until 1 January 2030, when the source becomes free. You buy the HTML file once and keep it forever. No account, no server contact, no upgrade nag.

#### FAQ
- **Do I get updates?** — Yes, for the life of the current major version. You never pay again for the version you bought.
- **What if the company closes?** — The file you bought still works forever, and the source becomes free in 2030 by license — even if we vanish.
- **Is this a good replacement for 1Password?** — For team credential sharing across devices, no. For 'a folder of secrets on my laptop', yes.

---

### 1Password alternative with no account, no cloud, and no company in the middle
*Cluster A — The escape queries. Keyword: “1password alternative no account no cloud”.*
URL: https://elba.works/answers/1password-alternative-no-account

1Password is a great product for its actual job: syncing credentials across a family or a team, across many devices, with a well-designed autofill flow. If your job is smaller — a single folder of secrets on a laptop — an account-based service is more infrastructure than the problem asks for.

#### What you keep by leaving the account behind
No provider vault to be breached (however well protected). No subscription clock. No login step. No 'sign in to view your data' on a new machine — you copy your file.

#### What you give up honestly
Browser autofill. Cross-device sync you didn't set up. Shared vaults with your partner. Secure notes that appear in a mobile app. If those matter, 1Password remains the right tool.

#### The single-file alternative
For a folder of passwords, seed phrases, recovery codes, and login notes that stays on your laptop, Elba is enough. One HTML file opens in a browser, seals the folder with AES-256-GCM, and never talks to a server. You can back up the sealed bundle anywhere.

#### FAQ
- **Can I sync it to my phone?** — Not directly — Elba is a desktop tool. If you need a phone autofill flow, a service like 1Password is the right shape.
- **Is a text file inside an encrypted folder really enough?** — For most personal use, yes. The security is in the encryption, not the format of the notes.
- **Do I need to trust the company that made this?** — Less than you think. Elba's source is in the file you download, and it becomes fully open source in 2030.

---

### Is 7-Zip password protection actually secure enough for personal documents?
*Cluster A — The escape queries. Keyword: “7zip password protection secure enough personal documents”.*
URL: https://elba.works/answers/is-7zip-password-secure-enough

For personal documents, yes — 7-Zip's AES-256 encryption is real, standard cryptography, and a strong passphrase is not brute-forceable in any human timeframe. The two honest concerns are that filenames are only hidden if you tick a specific box, and that most people accidentally use ZIP's much weaker legacy encryption when they think they're using AES.

#### What 7-Zip actually gives you
When you create a .7z archive with the 'Encrypt file names' box checked and a good password, you get AES-256-CBC encryption of the contents and the file listing. This is fine cryptography for personal documents.
When you create a .zip archive with a password, you almost always get either the weak legacy ZIP cipher or AES-256 only if your tool supports WinZip's AE-2 extension. Do not assume 'ZIP with password' means AES.

#### The two footguns
Forgetting to encrypt filenames — the archive contents are unreadable, but 'passport.jpg' in the file listing tells someone exactly what you have.
Using a weak password. 7-Zip's key derivation is decent but not slow. A four-word passphrase resists offline cracking; a single word does not.

#### When a purpose-built tool helps
7-Zip is a compression tool that happens to encrypt. A tool built to encrypt handles the defaults for you: filenames always sealed, key derivation tuned, one file that either opens with your passphrase or does not. Elba is that tool — one HTML file, AES-256-GCM, PBKDF2, no network calls.

#### FAQ
- **Is 7-Zip enough for tax documents?** — Yes, with .7z format, the 'Encrypt file names' box checked, and a strong passphrase.
- **Is a ZIP password the same thing?** — Almost never. Most ZIP tools default to the weak legacy cipher — treat a plain password-protected ZIP as obscurity, not security.
- **What is the practical difference from Elba?** — 7-Zip encrypts an archive on demand; Elba treats the encrypted state as the folder's normal state, and its purpose is protection first.

---

### Alternatives to BitLocker when you only want to encrypt one folder, not the whole drive
*Cluster A — The escape queries. Keyword: “bitlocker alternative encrypt one folder not whole drive”.*
URL: https://elba.works/answers/bitlocker-alternative-one-folder

BitLocker is drive-level encryption. It answers 'if my laptop is stolen, is the disk readable?' — brilliantly, when enabled. It does not answer 'is this specific folder unreadable to someone using my logged-in account'. Those are different jobs, and if you want the second, you need a different tool.

#### Why 'a folder inside Documents' is a different problem
Once you're logged in, BitLocker has already done its job — everything on the drive is decrypted and available to any process running as you. A folder-level lock is what protects against someone using your unlocked machine, a shared account, or a family computer.

#### What to reach for instead
Windows Pro users have EFS (right-click → Properties → Advanced → 'Encrypt contents to secure data'), but the guarantees are weaker than most people assume and it is tied to your Windows account.
For a real folder-level lock, a purpose-built file vault is the right shape. Elba is one HTML file — no admin rights, no Windows edition requirement, works on Home. AES-256-GCM, browser-based, no network.

#### FAQ
- **Do I need to disable BitLocker to use Elba?** — No. They protect at different layers and stack cleanly — disk-level plus folder-level is a good combination.
- **Does Elba need Windows Pro?** — No. It runs in any Chromium browser on any Windows edition, including Home.
- **Will Elba encrypt my whole C: drive?** — No — that is BitLocker's job. Elba seals a folder you choose.

---

### Encrypted notes app that works without signing up for anything
*Cluster A — The escape queries. Keyword: “encrypted notes app no signup no account”.*
URL: https://elba.works/answers/encrypted-notes-app-no-signup

You do not need a notes service to have private notes. Every operating system ships a text editor. Every text editor produces a .txt or .md file. The whole 'account' step exists to sync those files across devices — if you have one device, you can skip it entirely.

#### The pattern
Write your notes as plain .md files with any editor — Notepad, TextEdit, VS Code, Obsidian pointed at a local folder. Keep them in one folder called 'notes'. Seal that folder with a single-file encryption tool when you close the laptop; unseal it when you sit down.

#### What you keep
Ownership of the files in a format that will read on any computer in 2050. No lock-in. No 'the service is shutting down; please export by June'. No account someone can compromise.

#### Where Elba fits
Elba is a single HTML file that seals a folder with AES-256-GCM. Point it at your notes folder; it becomes one encrypted bundle. Open Elba, type your passphrase, and the folder is back. Nothing to sign up for; nothing about your notes ever leaves the browser tab.

#### FAQ
- **Can I use Obsidian this way?** — Yes — keep your vault as a plain folder, and seal that folder with Elba when you're not using it.
- **What about tags and search?** — Editors like Obsidian give you both, on plaintext files, while the vault is open. When sealed, contents are unindexable.
- **Is this really as secure as a dedicated notes app?** — For the encryption itself, yes — the cipher is the same. The difference is convenience and cross-device sync.

---

### File encryption for people who don't trust 'military-grade' marketing
*Cluster A — The escape queries. Keyword: “military grade encryption marketing honest”.*
URL: https://elba.works/answers/military-grade-marketing-honest-encryption

'Military-grade encryption' means, at most, 'we use AES-256'. So does every browser, every phone, and every ZIP tool made in the last decade. The phrase is a tell that the marketing copy is doing more work than the engineering claims. Here is what to look for instead.

#### What actually matters on a product page
Which cipher and mode (AES-256-GCM and ChaCha20-Poly1305 are current defaults). Which key-derivation function and its cost (PBKDF2 with a high iteration count, Argon2id with sensible memory). Whether the client talks to any server. Whether the source is inspectable. Whether the vendor has an incentive-aligned end (open source, receivership, source escrow).

#### Smells to walk away from
'Military-grade' with no primitive named. 'Zero-knowledge' as the only cryptographic claim. Screenshots of soldiers or padlocks. A pricing page that talks about 'peace of mind' more than the key-derivation function. No mention of an audit or open-source status.

#### How Elba tries to be honest
AES-256-GCM, PBKDF2 with 600,000 iterations, WebCrypto in a Chromium browser. Source ships in the file — right-click, view source. Becomes open source on 1 January 2030 by license. Makes zero network calls; verify this yourself in DevTools.

#### FAQ
- **Is AES-256 actually strong?** — Yes — genuinely. The marketing is silly, not the cipher.
- **Why does key derivation matter?** — Because your passphrase is the weak link. Slow derivation makes brute-forcing weak passwords orders of magnitude more expensive.
- **Is 'zero-knowledge' meaningless?** — No — it's a real term. It's just often used by services that also want you to give them your files, which is the tension.

---

### What happens to your encrypted files when the company behind the app shuts down?
*Cluster A — The escape queries. Keyword: “encryption app company shuts down what happens files”.*
URL: https://elba.works/answers/what-if-company-behind-encryption-shuts-down

This is the question no privacy service wants to answer in writing. The short answer: your files survive only if (1) you can still run the software, (2) the format is documented, (3) no server is required to open them, and (4) a legal path exists to the source if the company vanishes. Most products fail at least two of those tests.

#### The four survival tests
Can you run it offline forever? A subscription client that phones home for a license check fails on day one after shutdown.
Is the format documented? A closed proprietary container is only openable by the company's own software.
Does opening require their server? Any 'log in to view' step means your files are hostage to their uptime.
Is there a legal escape hatch? Open source, source escrow, or a scheduled liberation clause turns 'the company closed' into an inconvenience, not a disaster.

#### How Elba was built to pass all four
The HTML file runs offline forever. The format is AES-256-GCM with PBKDF2 — standard primitives any cryptographer can implement in a day. It never contacts a server to open a file. And the license makes the source public on 1 January 2030 — even if the company is gone by then, your files stay readable.

#### FAQ
- **What if I lose the HTML file?** — Redownload it — but also, any implementation of AES-256-GCM + PBKDF2 with the documented parameters can open your vaults after 2030.
- **Is the 2030 date really guaranteed?** — It is written into the license itself and the source is already in the file you own. There is no button we can press to un-guarantee it.
- **Does this apply to VeraCrypt too?** — Yes — VeraCrypt is open source and its format is public. Also a survivor.

---

### Cluster B — The problem queries

### How to keep files private from the cloud sync client that watches your whole disk
*Cluster B — The problem queries. Keyword: “cloud sync client watches whole disk private files”.*
URL: https://elba.works/answers/cloud-sync-client-watches-whole-disk

The desktop cloud clients — Dropbox, iCloud, OneDrive, Google Drive for desktop — need broad filesystem access to do their job. Even with the folder outside the sync directory, a modern sync client can index, cache, or preview files depending on OS permissions. The reliable answer is to keep sensitive files in a form the client cannot meaningfully read: encrypted at rest, opened only when needed.

#### What the sync client can actually see
On macOS, Dropbox and OneDrive have Full Disk Access by default after install. On Windows, OneDrive is part of the OS. Whether a specific client indexes files outside its sync folder varies, but the capability is there and quiet changes to defaults are common.

#### The clean answer
Keep the folder encrypted at rest. When sealed, the sync client sees one opaque bundle; when unsealed, work in it briefly and re-seal. This is not paranoia — it is a small habit that removes the client's read capability entirely.
Elba does this in one HTML file: AES-256-GCM, browser-based, no network. The sealed bundle can even sit inside your cloud folder — the cloud stores your island; it cannot set foot on it.

#### FAQ
- **Can't I just uninstall Dropbox?** — You can, but many people need it for work. Encrypting a folder lets you keep the sync client and keep some files private.
- **Does the client see the passphrase when I open the vault?** — No — the passphrase never leaves the browser tab and the derived key is never written to disk.

---

### How to store files in Google Drive so that Google can't read them
*Cluster B — The problem queries. Keyword: “google drive private encryption cannot read files”.*
URL: https://elba.works/answers/google-drive-cant-read-files

Google Drive encrypts files at rest and in transit, but Google holds the key. That means Google — or anyone who compels Google — can read the files. If you want Drive to be a dumb, encrypted backup, you need to encrypt the files on your machine before they sync, using a key Google never sees.

#### What Google's encryption actually protects against
Server disk theft, in-transit interception, and casual employee access. It does not protect against legal process, an internal breach with key access, or Google itself. That is the honest picture.

#### Client-side, before upload
Encrypt the folder into a single sealed bundle on your machine. Put the bundle in Drive. Drive syncs an opaque file. You unseal it locally when you need the contents.
Elba does this without an install. Open the HTML file, seal your folder, drop the bundle in Drive. The passphrase is never uploaded and never leaves the browser tab.

#### FAQ
- **Can I still preview files in Google's web UI?** — No — Google sees only ciphertext. Preview requires unsealing on your machine. That is the tradeoff of real client-side encryption.
- **Does this work for shared files?** — Yes, if you share the passphrase over a different channel. If you need Google Docs collaboration, you cannot have both — pick per file.

---

### Encrypt files *before* they reach Dropbox, iCloud, or OneDrive
*Cluster B — The problem queries. Keyword: “encrypt files before dropbox icloud onedrive”.*
URL: https://elba.works/answers/encrypt-before-cloud-sync

Cloud providers can only sync what you give them. If the file arrives at their servers already encrypted with a key they will never have, everything downstream — replication, indexing, previews, third-party access — is stuck at ciphertext. This is the whole point of client-side encryption.

#### The workflow
Pick the folder you want to sync but not expose. Seal it into an encrypted bundle on your machine. Put the bundle in your sync folder. The sync client uploads bytes it cannot read. You unseal it locally when you need the contents.
The tradeoff is granularity — the sync client uploads the whole bundle when any file inside changes, versus syncing individual files. For a personal 'documents' folder, this is usually fine.

#### One HTML file as the sealer
Elba is a single HTML file that opens in Chrome or Edge. Point it at a folder; it produces one encrypted bundle. No install, no account, no network requests. The sealing happens entirely in the browser tab.

#### FAQ
- **What about Cryptomator?** — Cryptomator encrypts per file, which is better if you need selective sync. Elba encrypts the whole folder into one bundle, which is simpler if you don't.
- **Can I open the bundle on a phone?** — Not currently — Elba is a desktop tool. Bring the bundle back to your laptop, open Elba, and unseal there.

---

### How to keep a private folder on a computer your family also uses
*Cluster B — The problem queries. Keyword: “private folder shared family computer”.*
URL: https://elba.works/answers/encrypt-shared-family-computer

A separate user account is the first move — it gives you file-permission separation. But the family often knows the password to the family account, kids share accounts, and 'switch user' is a step nobody takes to look up a recipe. The reliable answer is a folder that is unreadable to everyone until a passphrase only you know is typed in.

#### Why account separation is not enough
The admin on the machine can reset your password, boot from a USB, or simply read the disk. Even with strong account discipline, one shared login habit and the fence is gone. Encryption at rest survives all of that.

#### A shared-computer setup that actually holds
Keep one folder — 'private' or whatever unassuming name — sealed at all times. Open your browser, load Elba, type the passphrase to unseal it. Do what you need. Re-seal before you walk away.
Elba works in any Chromium browser on the family laptop, needs no install, and leaves nothing behind after the tab closes.

#### FAQ
- **What if a family member sees the HTML file?** — There is nothing to hide there — it is the encryption tool, not the secrets. Without your passphrase it is useless to them.
- **Can the browser remember my passphrase?** — No, and Elba deliberately does not offer to. If you want to reduce typing, use a long passphrase you can remember.

---

### How to hide folder names and structure, not just file contents
*Cluster B — The problem queries. Keyword: “hide folder names structure metadata encryption”.*
URL: https://elba.works/answers/hide-folder-names-and-structure

The filename is often the most sensitive part. 'audit-response.docx' or 'divorce-timeline.md' tells the whole story before anyone opens a byte. Any real folder-encryption tool has to hide the file listing itself, not just the contents. A surprising number of them do not, by default.

#### Two shapes: per-file, and one-bundle
Per-file tools (Cryptomator, some ZIP configurations) encrypt each file separately, which means someone with disk access can still see file sizes, timestamps, and the folder shape. Some hide filenames; some do not.
One-bundle tools take the whole folder and produce a single encrypted blob. From outside, it is one file — no listing, no per-file sizes, no per-file timestamps.

#### How Elba handles it
Elba writes one sealed bundle. The filename you give it is the only visible name; everything inside — file names, folder structure, per-file sizes and timestamps — is inside the ciphertext. The observable surface is 'one encrypted file, made on this date'.

#### FAQ
- **Do file sizes leak inside the bundle?** — The total bundle size is visible; per-file sizes are not, because there is no filesystem structure outside the ciphertext.
- **Do timestamps leak?** — The bundle's own modification time is visible (any file has one). Per-file timestamps are inside.
- **Is this the same as VeraCrypt?** — Comparable — VeraCrypt volumes also hide internal structure. The difference is that Elba's bundle is a plain file, not a mounted volume.

---

### Encrypted storage that works completely offline — no internet required, ever
*Cluster B — The problem queries. Keyword: “encrypted storage offline no internet required”.*
URL: https://elba.works/answers/encrypted-storage-offline-no-internet

Offline-only encrypted storage means the tool never touches the network, in any circumstance — not to activate, not to check for updates, not to phone a telemetry endpoint. This is rarer than you'd think. Many 'offline' products do a one-time activation the first time you install them; some check licenses periodically after.

#### The airgap-friendly checklist
No install step that reaches the internet. No first-run activation. No license server. No update check. No telemetry, opt-in or otherwise. Ideally, source you can inspect to confirm the above.

#### Elba on an airgapped machine
Download the HTML file on any online computer. Copy it to a USB stick. Open it on an airgapped Chromium browser — it will not attempt to reach the network at any point. Verify this yourself in DevTools → Network tab: the list stays empty across seal and unseal.

#### FAQ
- **Does Elba check for updates?** — No. If we release a new version, you get it by choosing to download it. The file you own never reaches out.
- **Can I use it on a machine that has never touched the internet?** — Yes, that is the intended use for high-sensitivity work.

---

### How to password-protect a folder on a laptop you might lose
*Cluster B — The problem queries. Keyword: “password protect folder laptop lose theft”.*
URL: https://elba.works/answers/password-protect-folder-lost-laptop

For a laptop you might lose, the first thing is drive-level encryption — FileVault on Mac, BitLocker on Windows Pro, LUKS on Linux — enabled with a strong login password. That alone makes the disk unreadable to a thief. Layer on top: a folder-level seal for the files that matter most, so even a machine you left unlocked at a café is not exposing them.

#### Belt (drive) and braces (folder)
Drive encryption protects a powered-off, stolen laptop. Folder encryption protects an unattended, unlocked laptop. Both threats are real and both fixes are cheap.

#### The folder layer
Keep the sensitive folder sealed at rest. Unseal only when working in it, and re-seal before stepping away. Elba does the sealing without an install: one HTML file, browser-based, AES-256-GCM.

#### FAQ
- **Is drive encryption enough on its own?** — For the stolen-laptop scenario, mostly yes. For 'I left it unlocked', no — that is the folder-encryption job.
- **What if I forget my folder passphrase?** — The contents are gone. No backdoor. Choose a passphrase you can remember, and keep a written backup somewhere physical if the stakes are high.

---

### Why 'Encrypt contents to secure data' in Windows isn't the protection you think it is
*Cluster B — The problem queries. Keyword: “windows encrypt contents secure data EFS weak”.*
URL: https://elba.works/answers/windows-encrypt-contents-secure-data-truth

The Windows 'Encrypt contents to secure data' checkbox uses EFS — the Encrypting File System. It sounds like exactly what you want. In practice, it ties the encryption key to your Windows user account, which means anyone who can reset your Windows password or log in as you can read the files. That is not the threat model most people have in mind.

#### What EFS actually does
EFS encrypts files using a key derived from your Windows profile. When you log in, the files are transparently decrypted. When another user on the machine tries to open them, they can't — unless they've been added as authorized users, or unless they have admin rights and reset your password.

#### Where it falls short
Password reset by an admin. Booting from an external drive and reading the disk (unless BitLocker is also on). Home editions of Windows sometimes not exposing the feature. No visible indicator that a folder is EFS-protected. And, more subtle: EFS is not designed for portable backups — copy an EFS file to a USB stick and it decrypts on the way out.

#### What to reach for
For real folder-level protection, use a file vault that does not depend on your Windows account. Elba is one HTML file — the passphrase is yours, not the OS's. Reset your Windows password all you like; the sealed folder does not care.

#### FAQ
- **Is EFS useless?** — No — it is fine as a light layer, especially combined with BitLocker. It just is not the strong 'password-only' protection people assume.
- **Does Elba need admin rights?** — No. Any user account can open the HTML file in a browser.

---

### How to keep private files out of your operating system's search index
*Cluster B — The problem queries. Keyword: “exclude files operating system search index”.*
URL: https://elba.works/answers/keep-files-out-of-search-index

Both macOS Spotlight and Windows Search index file contents by default, so a search for a word can surface a file even if you'd forgotten it existed. You can add exclusion rules — Spotlight's Privacy tab, Windows Indexing Options — but they can be overridden, silently reset by updates, or bypassed by third-party desktop-search tools. The reliable answer is that the OS cannot index a file it cannot read.

#### Why exclusion lists are fragile
An OS update can reset your exclusion list. A third-party search tool ignores it entirely. A logged-in family member can turn it off. Configuration is not protection; it is a request the OS is free to reconsider.

#### The encrypted alternative
A sealed folder is a single opaque bundle. Nothing to index. When you unseal it, indexers may pick it up while it is open — so re-seal when you're done. Elba does the sealing with one HTML file, no install, no admin rights.

#### FAQ
- **Does the bundle itself get indexed?** — Its filename does; its contents cannot be. Give the bundle an unrevealing name if that matters.
- **What about backup software that indexes?** — Same rule: it sees the bundle, not the contents.

---

### What your file sizes and timestamps reveal even when files are encrypted
*Cluster B — The problem queries. Keyword: “encryption metadata leak file size timestamp”.*
URL: https://elba.works/answers/file-sizes-timestamps-leak-encryption

Encrypting file contents is necessary but not sufficient. A folder called 'legal', with a 40-page PDF timestamped the day before you filed a claim and a small note timestamped an hour later, tells the story without a single byte of plaintext. The metadata is the sensitive part more often than people expect.

#### What leaks with per-file encryption
Filenames (unless the tool hides them). Directory structure. Per-file sizes — a 12 MB file next to a 3 KB note is a distinctive signature. Modification times — a burst of edits on a specific day.

#### What a single-bundle vault hides
One outer file. One outer size (padded is even better). One outer timestamp. Everything internal — names, sizes, structure, per-file timestamps — is inside the ciphertext and invisible.
Elba writes one bundle. You choose the outer filename. The observable surface is 'a file, sealed on this date' — nothing else.

#### FAQ
- **Should I pad the bundle to a round size?** — For very sensitive work, yes — pad to a round number like 100 MB to hide the true content size.
- **Does Elba pad automatically?** — Not by default; padding is optional. Most users don't need it, and padding wastes disk.

---

### Cluster C — The life queries

### Where to keep passport and ID scans safely on your own computer
*Cluster C — The life queries. Keyword: “store passport ID scans safely on computer”.*
URL: https://elba.works/answers/passport-id-scans-safely

Passport, driver's licence, birth certificate, national ID — you want scans reachable from your laptop when you're booking a visa at midnight, and you want them unreadable to anyone else, forever. The pattern that works: originals in a physical safe or with a trusted person; scans in an encrypted folder on your machine; one copy of that folder on a USB stick, kept somewhere else.

#### Why 'attached to an email' or 'in a Notes app' is not enough
Email search history is forever, easy to breach, and shared with any device that reads your mail. Consumer notes apps sync in cleartext to the provider by default. A stolen phone is a data breach with a very small blast radius. An encrypted folder on your laptop is neither.

#### The setup
Scan at readable resolution. Store as one folder called 'ID' with clear filenames. Seal the folder with a file-vault tool. Copy the sealed bundle to a USB stick you keep at home or with family. That's it.
Elba is a single HTML file. Point it at your ID folder; it produces the sealed bundle. AES-256-GCM, no cloud, no account.

#### FAQ
- **Should I keep a paper copy too?** — Yes — for the situations where the laptop is the thing you've lost.
- **What passphrase should I use?** — Something you can remember unaided (four random words is plenty). Write it down and put it with the paper originals if the stakes are high.

---

### The safest way to store a will and estate documents digitally
*Cluster C — The life queries. Keyword: “store will estate documents digitally safely”.*
URL: https://elba.works/answers/store-will-estate-digitally

The signed, witnessed original of your will still needs to be on paper — no digital format is a legal substitute in most jurisdictions. What a digital copy gives you is a searchable, portable, always-current reference set: latest version, supporting documents, account lists, letters of intent. Keep that set encrypted, and make sure exactly one trusted person knows how to reach it.

#### What goes in the digital set
A copy of the current will. A schedule of accounts and where the paper originals are. A list of subscriptions to cancel. Letters to specific people. Instructions for pets, funeral, and digital accounts.

#### How to seal it, and how to pass the key
Put the set in one folder. Seal it into an encrypted bundle. Give the sealed bundle to your executor (email, USB, cloud — doesn't matter, it is ciphertext). Give the passphrase separately, through a different channel and preferably with a written copy in a safe.
Elba's shape fits this well: one HTML file, one sealed bundle, offline forever, source becomes free in 2030 so your executor can always open it.

#### FAQ
- **Can I use a shared cloud folder?** — Yes, if the bundle is encrypted client-side. The provider stores an opaque file.
- **What if my executor loses the passphrase?** — The contents are gone. A written backup in a safe, or in a sealed envelope with a lawyer, is the standard fix.

---

### A truly private place to keep a journal on a laptop
*Cluster C — The life queries. Keyword: “truly private journal laptop encryption”.*
URL: https://elba.works/answers/private-journal-on-laptop

A journal that you know a service could read, or a synced folder that a family member might stumble on, is a journal you will write differently. Real privacy is the condition, not a feature — the sentence you write when you are certain nobody else will read it is not the sentence you write otherwise. The setup that gets you there is boringly small.

#### The setup
One folder called 'journal', full of plain .md files — one per day, or one per entry. Any editor works. When you close the laptop, seal the folder; when you open the laptop, unseal.
Plain markdown means your journal will read on any computer in 2050. No app lock-in, no export mess later.

#### Why encryption specifically
OS-level user accounts don't help if a family member knows your login. Cloud-synced notes apps have the provider in the loop and often a preview thumbnail cached somewhere. Encryption at rest — a passphrase only you know — is the one setup where the sentence 'nobody but you can read this' is true without asterisks.
Elba is one HTML file that seals a folder with AES-256-GCM. No account, no server contact, no telemetry.

#### FAQ
- **Can I use Day One or another journal app?** — You can — but the provider sees your entries by default. If that is fine for you, that's fine. If the point is that nobody sees them, encryption at rest is the honest shape.
- **What if I want to write on my phone?** — Note it on your phone in a temporary app; move the text into the sealed folder on your laptop at day's end. The laptop is the vault; the phone is a scratchpad.

---

### How to store recovery codes and seed phrases offline without a hardware wallet
*Cluster C — The life queries. Keyword: “seed phrase recovery codes offline no hardware wallet”.*
URL: https://elba.works/answers/seed-phrase-offline-no-hardware-wallet

For serious cryptocurrency holdings, a hardware wallet is the right tool. For a small hot wallet, a set of 2FA recovery codes, or a backup of a wallet you already have on hardware, the pattern that works is dead simple: write the phrase on paper in a safe, and keep an encrypted digital copy on your laptop.

#### Paper is not optional
Paper survives dead laptops, dead hard drives, and forgotten passphrases. Two copies in two locations is standard for anything you cannot afford to lose.

#### The digital copy
Type the phrase into a .txt file in a folder called 'wallets'. Seal the folder. The sealed bundle is safe to back up anywhere — USB stick, encrypted cloud, second computer.
Elba does the sealing offline: one HTML file, AES-256-GCM, no network. The passphrase you use to seal it is different from the seed phrase itself; treat them as two locks.

#### FAQ
- **Is this as safe as a hardware wallet?** — For the very large case, no. For 2FA recovery codes and small hot wallets, it is a genuinely reasonable tier.
- **What about typing the phrase into a password manager?** — Fine, if you trust the manager to hold your seed. Many people prefer a dedicated encrypted folder as a second layer.

---

### Keeping medical records and test results private on your own machine
*Cluster C — The life queries. Keyword: “keep medical records private on own machine”.*
URL: https://elba.works/answers/medical-records-private-on-machine

Medical PDFs sit forever in your Downloads folder and in email attachments — one of the most sensitive categories of personal data, treated the most casually. A ten-minute cleanup: pull them into one folder, seal it, delete the copies from Downloads and mail. From then on, new PDFs join the sealed folder on arrival.

#### The cleanup
Search your machine for common medical terms — 'lab', 'result', 'radiology', 'discharge'. Move everything into a folder called 'health'. Seal the folder. Empty the trash.
For future PDFs from portals: download once, move immediately into the sealed folder, unseal to open when needed, re-seal.

#### The tool
Elba is a single HTML file that seals the folder with AES-256-GCM. It never uploads anything and needs no account — appropriate for records that must not leave the machine.

#### FAQ
- **Is this HIPAA-compliant for a clinician?** — For patients, yes. For clinicians handling other people's records, HIPAA requires more (BAAs, audit logs) — see the dedicated clinician page.
- **Can I still email these to my doctor?** — Yes — unseal, attach, re-seal. The seal is for storage, not transit.

---

### Where writers keep unfinished manuscripts nobody is meant to see yet
*Cluster C — The life queries. Keyword: “writers unfinished manuscripts private no one see”.*
URL: https://elba.works/answers/unfinished-manuscripts-private

A first draft is a half-thought — reading it and reading the finished book are almost different acts. Every writer knows what happens to voice when there is a suspicion the room is not empty. The setup that keeps the room empty is boring: local files in a plain format, sealed when not being written in.

#### Format first
Write in something whose files you own outright — Scrivener project folders, plain markdown, Word docs, whatever. Avoid tools where 'the manuscript' is a cloud object you can't hold.

#### Sealing without breaking flow
Keep the manuscript folder sealed. When you sit down to write, unseal it, do the work, re-seal at the end of the session. It becomes as automatic as saving.
Elba is one HTML file — open it in a browser, seal the folder, close the tab. When you come back, open the file again and type your passphrase.

#### FAQ
- **What about backing up the manuscript?** — Copy the sealed bundle to a USB stick or a cloud folder. Sealed bytes are safe to store anywhere.
- **Won't the sync client pick up my draft while it is open?** — Only if the folder is inside a sync directory while unsealed. Keep it outside the sync folder; only the sealed bundle goes there.

---

### How to keep the photos and last messages of someone you've lost — privately
*Cluster C — The life queries. Keyword: “photos last messages someone died privately keep”.*
URL: https://elba.works/answers/photos-messages-of-someone-lost

There is a specific weight to opening a photos app and having a face you loved surface as 'On this day, four years ago' — the algorithm meant well and got it exactly wrong. Some memories are yours to reach for, on your own terms, not to be handed to you by a service optimising for engagement. A sealed folder is the shape of that choice.

#### What to gather
The photos you want. Text-message exports (both iOS and Android offer ways). Voice notes. Emails, if you kept them. A short letter to yourself explaining why you gathered this — the future you will thank the current you for it.

#### Sealing it
One folder, sealed. When you want to visit, you unseal; when you're done, you re-seal. Elba is one HTML file that does this without an account or an app store — nothing about this folder ever leaves your laptop.
Consider a passphrase that is meaningful only to you and is not written down anywhere digital. If you also want your family to be able to open it after you, follow the estate-documents pattern.

#### FAQ
- **What if a photo service already has these on their servers?** — You can leave those there or delete them. The sealed folder is about having your own copy on your own terms.
- **How do I stop 'On this day' notifications?** — Most photo services let you exclude specific dates or people from memory features — worth doing regardless.

---

### How to make sure your family can find your important files after you die
*Cluster C — The life queries. Keyword: “family find important files after die inheritance”.*
URL: https://elba.works/answers/family-find-important-files-after-death

Your executor needs three things the day after you die: to know a folder exists, to be able to open it, and to trust that its contents will still be readable in a decade. A single encrypted bundle, with clear instructions on paper about where it lives and how to open it, is the plainest arrangement that works.

#### What goes in
Location of the paper will. Account list with logins references (not passwords in cleartext — a password-manager reference is fine). Insurance policy numbers. Digital-account instructions. Letters to specific people. Funeral wishes.

#### The instruction sheet
One page on paper: 'The file elba.html is in [location]. The sealed bundle estate.elba is in [location]. Open elba.html in Chrome, drag estate.elba onto it, and enter the passphrase [in the envelope with the lawyer].' Boring and specific beats clever every time.

#### Why Elba survives you
The HTML file works offline forever. The source becomes public on 1 January 2030 by license, so any competent person can implement a reader if ours is gone. Your executor is not depending on a company that might not exist.

#### FAQ
- **What if the executor is not technical?** — The instruction sheet handles that. 'Open this file in Chrome. Drag this file onto it. Type this passphrase.' Three steps.
- **Can I put the passphrase with the will?** — Yes — many lawyers will hold it in a sealed envelope. That is a common and reasonable arrangement.

---

### How to leave a password to your heirs without giving it to a company
*Cluster C — The life queries. Keyword: “leave password heirs without giving to company”.*
URL: https://elba.works/answers/leave-password-to-heirs

Apple, Google, and most password managers offer 'legacy contact' features — they are convenient and they hand your data to the provider forever. If you'd rather your heirs not need a service to inherit your files, the older mechanisms still work: a sealed envelope with a lawyer, and split secrets across trusted people.

#### The lawyer's envelope
Write the passphrase on paper. Put it in an envelope. Give the envelope to your lawyer with instructions to open it only after your death and only to your named executor. This is a boring, tested arrangement your local jurisdiction will recognise.

#### Split secrets, if you like
For higher-stakes cases you can split a passphrase using Shamir's Secret Sharing — three people each hold a share; any two can reconstruct it, one alone cannot. It's a small amount of extra care in exchange for no single-envelope risk.

#### Elba's role
Elba is the file that reads the sealed bundle. It has no legacy-contact feature and no server; the arrangement is entirely between you, your executor, and whoever holds the passphrase. The company is not in the loop, which is the point.

#### FAQ
- **Isn't Shamir's Secret Sharing complicated?** — For most people, one envelope with one lawyer is fine. Reserve Shamir for the case where no single trustee is right.
- **What if the passphrase paper is lost?** — The contents are gone. That is the honest cost of not trusting a company with a backdoor.

---

### Keeping therapy notes and personal writing off the cloud entirely
*Cluster C — The life queries. Keyword: “therapy notes personal writing off cloud”.*
URL: https://elba.works/answers/therapy-notes-off-cloud

Notes-app terms of service change; 'AI features' get enabled by default in an update; a synced folder shows up on a family iPad by accident. For writing that touches therapy, self-work, or grief, the honest answer is to keep it off cloud services entirely — and to keep it in a format that outlives whatever editor you write in today.

#### The pattern
Plain markdown files in a local folder. Any editor. Seal the folder when you're done writing. When you sit down again, unseal, write, re-seal.

#### Why encryption in addition to 'no cloud'
A lost laptop, a family member, a repair shop, a border check — 'no cloud' handles the network side; encryption handles the machine side. Both matter and both are cheap.
Elba is one HTML file, AES-256-GCM, no network calls. The file itself is inert without your passphrase.

#### FAQ
- **Can I use Obsidian for this?** — Yes — a local vault of markdown files fits perfectly. Seal the vault folder with Elba when you're not writing.
- **What if I want to share a specific passage with my therapist?** — Copy it into an email or a session doc. The vault stays where it is.

---

### A private folder for divorce, custody, or legal documents
*Cluster C — The life queries. Keyword: “private folder divorce custody legal documents”.*
URL: https://elba.works/answers/divorce-custody-legal-documents

In an active legal matter, you will want a single, organised, easily searchable folder — timeline, correspondence, receipts, screenshots, court documents. You will also want that folder unreadable to anyone else on the machine, unreadable in a cloud sync, and readable to you in three years when the next chapter comes back around.

#### How to organise it
Subfolders: 'correspondence' (dated exports of relevant emails and messages), 'timeline' (one running markdown file), 'receipts', 'court', 'notes'. File names with ISO dates first (2026-07-08-name) so they sort right.

#### How to seal it
One sealed bundle at the top level. Unseal when working in it, re-seal when done. Elba is one HTML file — no install, no admin rights, no cloud, AES-256-GCM.
If your lawyer needs a copy, share the sealed bundle by whatever channel you both prefer; share the passphrase through a different channel.

#### FAQ
- **What if the other party subpoenas my devices?** — This is not legal advice. Encryption is legal in most jurisdictions; talk to your lawyer about what you must disclose and when.
- **Can I include audio recordings?** — Yes — the folder can contain any file type. Know your local law on recording consent.

---

### Where to keep tax records encrypted for seven years without a subscription
*Cluster C — The life queries. Keyword: “encrypt tax documents seven years no subscription”.*
URL: https://elba.works/answers/encrypt-tax-documents-locally

Tax authorities in most countries expect you to keep records for six or seven years. A subscription you pay every month for that window costs many times what a one-time tool costs, and it stakes your records on the vendor still existing. A local encrypted folder is the smaller shape.

#### One folder per year
'taxes-2024', 'taxes-2025', and so on. Inside: the return itself, receipts, statements, W-2s or their local equivalent, correspondence. When a year is closed, seal that year's folder into a bundle and archive it.

#### Where to keep the sealed bundles
One copy on your working laptop. One copy on an external drive or USB stick. Optional: one copy in your cloud provider — the bundle is opaque, so it is safe to store there without them seeing the contents.

#### Why Elba fits
One HTML file that opens in any Chromium browser, forever. Source becomes free in 2030 — well within the seven-year retention window for records you file today. If the makers vanish, the format is still openable.

#### FAQ
- **What if I get audited?** — Unseal the relevant year's bundle. Provide only what is requested. Re-seal when done.
- **Can I share a specific document with my accountant?** — Yes — unseal, copy the file out, share by your usual channel.

---

### Storing love letters, old and new, somewhere no algorithm reads them
*Cluster C — The life queries. Keyword: “love letters old new encrypted no algorithm reads”.*
URL: https://elba.works/answers/love-letters-off-algorithms

Emails you meant, drafts you never sent, exports of message threads that mattered — they are the kind of writing that reads differently five years later, and reads worst of all as training data. Keeping them local and encrypted is a small courtesy to the person you were when you wrote them and to the person you'll be when you next open them.

#### Gathering the archive
Export message threads (both iOS and Android have paths). Save relevant emails as .eml or PDF. Put physical letters through a scanner. Put everything in one folder, sorted by year.

#### Sealing it
One sealed bundle at the top. Unseal when you want to reread; re-seal when you're done. Elba is one HTML file, AES-256-GCM, no account, no network — nothing about this folder ever leaves the browser tab.

#### FAQ
- **Won't the messages app keep a copy?** — It will, until you delete them there. Whether you do is up to you — the local sealed folder is the copy that endures on your terms.
- **Is it strange to seal love letters?** — It is exactly the right register for them.

---

### What to do with the folder you don't want anyone to find until the right time
*Cluster C — The life queries. Keyword: “folder not want anyone find right time seal”.*
URL: https://elba.works/answers/folder-not-found-until-right-time

There is a specific kind of folder that is not for now — a letter for a wedding twenty years off, a message for a child's eighteenth, notes for the family after you're gone. The setup is the same as an estate folder, but the instruction is different: 'open on [date]', or 'open only if [condition]'. What holds the folder shut is discipline plus encryption.

#### The mechanics
Seal the folder with a passphrase. Give the sealed bundle to the recipient (or to their guardian) now, with a paper instruction naming the date or condition. Give the passphrase separately: in an envelope with a lawyer to be opened on the date, or with a trusted third party.

#### Why Elba works long-term
The HTML file is offline-forever. The source becomes free in 2030 — well before most 'time capsule' opens. Whoever holds the bundle in twenty years can open it with a copy of the file, or with any conforming AES-256-GCM implementation once the source is public.

#### FAQ
- **What if the recipient loses the passphrase?** — Give it to a second trusted party. Two envelopes, two rooms — very standard.
- **Can I re-seal with a new date later?** — Yes — open it, add or edit, re-seal with the same or new passphrase.

---

### Cluster D — The professional queries

### How lawyers can store client files without cloud processing or DPAs
*Cluster D — The professional queries. Keyword: “lawyers client files no cloud processing dpa”.*
URL: https://elba.works/answers/lawyers-client-files-no-cloud-dpa

Cloud-hosted case management is fine for most matters, but some clients — journalists, whistleblowers, sensitive family cases — want written assurance that documents never touch a third-party processor. A local-only tier, with client files encrypted on the lawyer's machine and never uploaded, satisfies that specific request without asking you to change how you run the rest of your practice.

#### What local-only actually means
The files live on your machine. They are encrypted at rest. They are not synced to a cloud case system, are not indexed by cloud desktop search, and are not backed up automatically to a provider. Backup is your responsibility — one encrypted external drive is the standard shape.

#### What this does not replace
Bar retention rules. Conflict checks. Court-mandated disclosure. E-discovery obligations. These sit above the storage question. A local-only tool is the storage answer; the compliance answers are yours.

#### Where Elba fits
One HTML file, AES-256-GCM, no network. Runs in Chrome or Edge on your work laptop. No install and no admin rights required, which is a real practical point on managed firm machines.

#### FAQ
- **Is this enough for solicitor-client privilege?** — Encryption at rest supports the reasonable-care standard most bars require. It does not on its own satisfy every jurisdiction — check yours.
- **Can I show a client the source?** — Yes — right-click the HTML file, view source. It becomes fully open in 2030 by license.

---

### Where journalists keep source documents that must never touch a server
*Cluster D — The professional queries. Keyword: “journalists source documents never touch server”.*
URL: https://elba.works/answers/encrypt-journalist-source-documents

For source material that must not be reachable by subpoena of your provider, by breach of your provider, or by an internal misconfiguration at your provider, the answer is that no provider has a copy. Everything lives on one machine (ideally airgapped for the most sensitive), encrypted at rest, with a backup on physical media stored elsewhere.

#### The threat model this addresses
Legal process against a cloud provider (they hand over what they have). Provider breach. Provider policy change. Casual OS indexing. It does not address a targeted attacker with physical access to your machine while unlocked, or coercion — those need different measures.

#### The workflow
Bring source material to the machine on physical media. Put it in a folder. Seal the folder. Work with the material by unsealing briefly, then re-sealing. Back up the sealed bundle to an encrypted external drive kept somewhere else.
Elba's shape fits: one HTML file, no install, no network, source in the file. On an airgapped machine, verifying zero network calls is a single tab in DevTools.

#### FAQ
- **Should I use SecureDrop instead?** — For receiving submissions, SecureDrop is the right tool. Once material is on your machine, an encrypted local folder is the storage side of the same practice.
- **What about Signal Note-to-Self?** — Fine for pointers and short strings. For actual source documents, Signal is not a storage system.

---

### Encrypted client notes for therapists and clinicians without a compliance headache
*Cluster D — The professional queries. Keyword: “encrypted client notes therapists clinicians hipaa”.*
URL: https://elba.works/answers/clinician-encrypted-notes-hipaa

For therapists, private-practice clinicians, and small-clinic staff: your legal obligations (HIPAA in the US, similar regimes elsewhere) are broader than 'encrypt the notes'. You need audit logs, breach notification, business associate agreements, and access controls. A local encrypted folder is the storage side of that; it does not replace an EHR that meets your regulator's specific list.

#### What a sealed local folder helps with
Interim notes between EHR entries. Working files for supervision. Draft correspondence. Templates. Scanned intake forms in transit to the EHR. Anything that would otherwise sit in Downloads or on a desktop.

#### What it does not help with
Long-term ePHI storage in a HIPAA-compliant system, with audit trails and access logs. That is the EHR's job, and no encrypted-file-vault claim replaces it.

#### Elba's role
One HTML file, AES-256-GCM, no network. Runs on any Chromium browser without admin rights — practical on shared clinic machines. Use it for the interim category above, and use your compliant EHR for the primary record.

#### FAQ
- **Is Elba HIPAA-compliant?** — 'HIPAA-compliant' is a property of workflows, not files. Elba's encryption meets the technical safeguards standard; the administrative and physical safeguards are yours. We do not sign BAAs — Elba processes nothing on our end because there is no server.
- **Can I use it for the primary record?** — Not recommended — you'd lose the audit trail your regulator expects.

---

### How freelancers keep NDA-covered work off their sync services
*Cluster D — The professional queries. Keyword: “freelancer nda work off sync services”.*
URL: https://elba.works/answers/freelancer-nda-work-off-sync

An NDA that says 'no third-party cloud storage' means iCloud, Dropbox, and Google Drive are off the table for the material in scope. The clean answer is one folder that lives outside every sync directory, sealed at rest, backed up to an encrypted external drive. Everything else — invoices, generic work — can stay in your normal workflow.

#### The split
One directory tree for NDA work, outside iCloud/Dropbox/Drive. Encrypted at rest. Backed up manually to an external drive.
Everything else in your normal cloud folder. The NDA does not care about your invoicing.

#### The tool
Elba is one HTML file. Seals the NDA folder into a bundle. AES-256-GCM. No account, no server, no telemetry. Nothing to declare on a security questionnaire beyond the primitive used.

#### FAQ
- **Can I put the sealed bundle in Dropbox?** — Read the NDA carefully. 'No cloud storage of the material' usually means no — even encrypted, some clients treat any copy on a cloud provider as a violation.
- **What about backups?** — An encrypted external drive kept at home is the standard fit. USB sticks work for smaller folders.

---

### A confidential folder for HR documents on a company laptop
*Cluster D — The professional queries. Keyword: “hr confidential folder company laptop encryption”.*
URL: https://elba.works/answers/hr-confidential-folder-work-laptop

HR keeps material that is confidential on multiple levels — from the employee to the manager, from the manager to the rest of the team, from all of them to the wider org. IT owns the disk, so drive-level encryption is their problem. Folder-level encryption, on top, is how you keep even legitimate machine access from becoming a discretion violation.

#### What's usually in this folder
Draft PIPs, exit paperwork, salary bands, medical accommodations, complaints in progress. All of it needs to be reachable to you and only you (or your specific HR peer), during the time you're actively working on it.

#### The setup on a managed laptop
Elba is one HTML file — no install, no admin rights, no browser extension. Approved software policies rarely block 'open a downloaded HTML file'. Seal the folder, work in it, re-seal when done.

#### FAQ
- **What if IT policy forbids third-party software?** — An HTML file is a document, not an installed program. Most policies distinguish. When in doubt, ask IT — the answer is often 'yes, that's fine'.
- **Can IT still open the sealed folder?** — No — even IT cannot read the ciphertext without your passphrase.

---

### Cluster E — The movement queries

### What is local-first software, explained without the developer jargon
*Cluster E — The movement queries. Keyword: “what is local first software plain language”.*
URL: https://elba.works/answers/local-first-software-plain-language

Local-first software is a shape of software where the primary copy of your data lives on your device, not on a company's servers. The cloud is a backup and a sync convenience, not the source of truth. The practical test: does the app still work fully if the internet goes away and the company that made it disappears? If yes, it is local-first. If no, it is a cloud service dressed in a desktop icon.

#### Why the distinction matters
In cloud-first software, your files are hostages. When the company changes pricing, deprecates features, closes down, or is compelled to hand over data, you inherit the consequences. In local-first software, you have a copy. The company can go away. The file will still open.

#### The trade you make
Local-first often means less real-time collaboration. It usually means you set up your own sync. It always means you're responsible for backups. In exchange: durability across decades, no rent, no telemetry, no policy risk.

#### Where Elba sits
Elba is a local-first file vault. One HTML file that seals a folder with AES-256-GCM. Never touches the network. Becomes open source in 2030 — so the software itself is local-first in a way even the makers can't take back.

#### FAQ
- **Is local-first the same as offline-first?** — Related but not identical — offline-first also works without network, but its data model may still be cloud-native.
- **Who coined the term?** — Ink & Switch popularised it in a 2019 essay that is worth reading in full.

---

### File over app: why your data should outlive every program that touches it
*Cluster E — The movement queries. Keyword: “file over app data outlive program”.*
URL: https://elba.works/answers/file-over-app

'File over app' is a slogan borrowed from the Obsidian community and worth adopting more broadly: your data belongs in a plain, open, human-readable file, and the app is just something that opens it. When the app is gone, the file is still there. When the format is proprietary, the app going away takes the file with it.

#### The practical test
Can you open the file in a text editor and see something meaningful? If it's a markdown note, yes. If it's a Notion export or a proprietary .journal binary, no. The test isn't 'is it perfect', it's 'is there a path'.

#### How this plays with encryption
Encryption looks like the opposite of 'file over app' — a sealed bundle isn't human-readable. It isn't, until you decrypt it; and then it's plain markdown or plain PDFs. The vault's job is to make the plaintext files unavailable when they should be unavailable, not to replace them with a proprietary container.
Elba's format is deliberately boring: AES-256-GCM, PBKDF2, a standard header. Any competent programmer can implement a reader in a few hundred lines — and after 1 January 2030 the reference implementation is public.

#### FAQ
- **Doesn't every app want lock-in?** — Yes — which is why 'file over app' is a discipline, not a default.
- **What formats are safe?** — Plain text, markdown, PDF/A, standard image formats, and standard audio/video codecs. Avoid anything only one app opens.

---

### Digital sovereignty for one person — not nations, not enterprises, you
*Cluster E — The movement queries. Keyword: “digital sovereignty one person individual”.*
URL: https://elba.works/answers/digital-sovereignty-for-one-person

'Digital sovereignty' shows up in EU policy papers, in Amsterdam's Digital Autonomy Strategy, in national procurement rules. It is almost always framed at the scale of a government or a large enterprise — 'we should not be dependent on foreign cloud providers for critical services'. The same logic scales down. If it is unwise for a city to hand its citizen records to a single overseas provider, it may be unwise for one person to hand their entire private life to the same provider, in the same conditions.

#### The individual case
You depend on a small number of large companies for your email, your files, your photos, your notes, your calendar, your passwords. Each dependency is a policy risk (they may change what they do), a legal risk (they may be compelled to hand over what they hold), and a continuity risk (they may disappear or lock you out).
You cannot un-depend from all of them at once. You can pick one — often the file layer — and step off, and be more careful about the rest.

#### One folder as a sovereignty pilot
Pick the folder that would hurt most if it were leaked. Move it off the cloud. Encrypt it at rest. Back it up on media you own. That single folder — sovereign by every meaningful test — is a small proof that the setup is possible; extending it later is easier.
Elba is built for that one folder: local, encrypted, no account, no server, becomes open source in 2030.

#### FAQ
- **Isn't this what nation-state sovereignty is about?** — Same idea, different scale. The technical shapes and the ethical arguments line up.
- **Do I have to pick a European provider?** — You don't have to pick any provider at all for this specific folder. That's the whole point.

---

### 'Nothing to hide' is the wrong question — the right one is 'whose business is it?'
*Cluster E — The movement queries. Keyword: “nothing to hide wrong question whose business”.*
URL: https://elba.works/answers/nothing-to-hide-wrong-question

The 'if you have nothing to hide, you have nothing to fear' argument has a rhetorical trick baked in: it frames privacy as concealment, and concealment as suspicious. But we don't close the bathroom door because we're hiding anything, and we don't envelope a letter because the contents are criminal. The right question is not 'what are you hiding?' — it's 'whose business is this?'

#### The reframe
There are things that are yours, and things that are not — writing you're not ready to show anyone, a photo taken in a moment that was meant for one other person, a diary, a health worry, an idea half-formed. None of them are hidden in the shameful sense. All of them are none of anyone else's business unless you make them so.

#### What this looks like in software
Software that treats your files as its business — indexing them, sending previews, training on them — has answered 'whose business is it?' with 'ours'. Software that treats your files as yours doesn't need to make the case; it just doesn't touch them.
Elba is the second kind. One HTML file that seals a folder locally. No account, no telemetry, no upload. Nothing about your files is any of our business.

#### FAQ
- **Doesn't privacy sometimes shield bad behaviour?** — Sometimes. So does the right to a lawyer. That's a reason to design well-scoped exceptions, not to abolish the norm.
- **What should I do with this framing?** — Try it on the next tool that asks for broad access. 'Whose business is it?' cuts through more marketing copy than any other question.

---

### What is Mortalware? Software with a date its ownership dies
*Cluster E — The movement queries. Keyword: “what is mortalware software ownership dies date”.*
URL: https://elba.works/answers/what-is-mortalware

Mortalware is software licensed with a scheduled end-date to its private ownership. On that date, the source code becomes public, the last version becomes free, and no company can revoke that. It is the opposite of abandonware — abandonware is what happens when a company forgets; mortalware is what happens when a company plans.

#### Why this shape exists
Most commercial software is a treadmill: buy today, buy an update, buy the next major version, or subscribe forever. Mortalware acknowledges that the value the maker adds — new features, active development — is finite and time-boxed, and that the software eventually should belong to the people who use it. The date is fixed in advance and written into the license.

#### Elba as an example
Elba's license names 1 January 2030 as the mortality date. The price falls every year until then. On that date, the source code is public and the last paid version is free. Nothing about that is contingent on the company still existing — it is a property of the file you already own.

#### FAQ
- **Is this the same as open source?** — Not until the mortality date. Before it, the source is inspectable in the file but is not licensed for redistribution. After it, standard OSI-style open source.
- **Why not just make it open source now?** — Because paying the makers between now and 2030 is what buys their attention. The date is the deal.

---

### Why some software now promises to become open source on a schedule
*Cluster E — The movement queries. Keyword: “software becomes open source scheduled date”.*
URL: https://elba.works/answers/software-becomes-open-source-on-schedule

A small number of vendors — us included — write a date into the license: on this day, the source code becomes public. The reasoning is economic and ethical in equal parts. Economically, it makes 'buy this now' fair: you pay for the years of active development, and after that the software belongs to the community. Ethically, it says out loud that a paid closed product should have a horizon, not a moat.

#### Where scheduled OSS fits well
Tools with a well-scoped job and a clear finish line. Encryption tools, file formats, small utilities — things that will be useful long after the maker has moved on. The date guarantees the utility outlives the shop.

#### Where it fits less well
Big platforms whose value depends on continuous new features. There, the treadmill logic actually holds — nobody wants a 'liberated' version of a product whose whole point is the current version.

#### FAQ
- **Isn't this just delayed open source?** — Yes — that's the description. The novelty is naming the delay in advance.
- **What if the company changes hands?** — The license transfers with the company. Written commitments to licensors survive acquisitions.

---

### The case for buying software once and owning it forever
*Cluster E — The movement queries. Keyword: “buy software once own forever no subscription”.*
URL: https://elba.works/answers/buy-software-once-own-forever

For thirty years the norm was 'buy the box, own the software'. For the last ten it has been 'pay every month, or the software stops'. Both models can be honest — subscription pays for continuous work; perpetual license pays for a finished thing. The question is which shape fits which kind of software.

#### What subscription earns
Cloud infrastructure. Cross-device sync. Real-time collaboration. Continuous engineering. If you use those, the subscription is fair. Nobody keeps the servers running for free.

#### What perpetual license earns
Durability. Ownership. The right to not upgrade. The right to keep using the version that works. The freedom to walk away from the company and keep your tool.

#### Elba's shape
One-time purchase. Price falls every year until 1 January 2030, when the source becomes free. You own the file. No account, no server-dependency, no upgrade nag.

#### FAQ
- **Do I get updates?** — For the current major version, yes. You never pay again for what you bought.
- **Is this a good model for everything?** — No — for team collaboration platforms, subscription is honest. For a personal encryption tool, perpetual license is the right fit.

---

### Why a privacy tool with an account is a contradiction in terms
*Cluster E — The movement queries. Keyword: “privacy tool account contradiction terms”.*
URL: https://elba.works/answers/privacy-tool-with-account-contradiction

An account is a record — with your email address, your IP, your usage pattern, your billing history — held by the company you are trusting with your privacy. That record can be subpoenaed, breached, joined against other records, or used by the company itself as a policy decision changes. For a general-purpose service the tradeoff is fine; for a tool whose whole job is your privacy, it is a design contradiction.

#### What accounts unavoidably hold
Even a well-intentioned zero-knowledge service still knows: that you have an account, when you log in, from where, how much data you have (approximately), and often a family tree of every device you've used. None of that is your files; all of it is a shape you've handed over.

#### The alternative
A tool that requires no login, holds no record, and does not know you exist between one use and the next. Payment happens once, in a way that does not tie a receipt to a usage database. This is Elba's shape: buy the file, use the file, no account anywhere.

#### FAQ
- **Aren't accounts convenient?** — Yes — that's why they're common. Convenience and privacy trade off; a privacy tool should pick privacy.
- **How do you handle updates without an account?** — You come back and download the newer file when you want to. Nothing checks in from your side.

---

### Cluster F — The trust queries

### How to verify a downloaded file with SHA-256 checksums, step by step
*Cluster F — The trust queries. Keyword: “verify sha256 checksum downloaded file step by step”.*
URL: https://elba.works/answers/verify-sha256-checksum-step-by-step

A SHA-256 checksum is a short fingerprint of a file. If you compute the fingerprint of your download and it matches the fingerprint the vendor publishes, you know the file wasn't corrupted or swapped on the way to you. It doesn't prove the vendor is honest — it proves you got what they meant to send.

#### On macOS
Open Terminal. Type `shasum -a 256 ` (with the trailing space), then drag the downloaded file into the terminal window. Press Enter. Compare the 64-character output to the one on the vendor's page.

#### On Windows
Open PowerShell. Type `Get-FileHash 'C:\path\to\file'` (or drag the file after typing `Get-FileHash `). Press Enter. Compare the Hash output to the one on the vendor's page.

#### On Linux
Open a terminal. Type `sha256sum /path/to/file`. Compare to the vendor's published hash.

#### What the check proves
It proves the file is byte-identical to the file the vendor named. It does not prove the vendor is trustworthy — that's a separate question. For Elba, the published SHA-256 is on the /verify page.

#### FAQ
- **What if the checksums don't match?** — Don't run the file. Redownload it (network glitch), or check that you're comparing the right published hash for the right version.
- **Is SHA-256 still secure?** — Yes — no practical collisions and the primary hash used in modern software distribution.

---

### How to check for yourself that a program makes no network connections
*Cluster F — The trust queries. Keyword: “check program makes no network connections verify”.*
URL: https://elba.works/answers/check-program-no-network-calls

You don't have to take our word for it. You can verify that Elba (or any browser-based tool) makes zero network requests using the browser's built-in Network tab. And you can verify that a running process opens no sockets using your OS's built-in tools. Both take about a minute.

#### In the browser (works for Elba and any HTML tool)
Open the Elba HTML file in Chrome or Edge. Press F12 to open DevTools. Click the Network tab. Refresh the page. Perform every action you're curious about — set a passphrase, seal a folder, unseal. The Network tab should stay empty (except for the HTML file itself if you refresh). If it isn't empty, that is a request you did not agree to.

#### At the OS level
macOS: `lsof -i -P` in Terminal lists open network connections. Run it while the tool is active. Linux: `ss -tunp`. Windows: `netstat -abno` in an elevated PowerShell.

#### FAQ
- **Why should I check when the vendor says so?** — Because 'trust but verify' is the whole point of security. Elba is happy to be checked; the verification is trivial.
- **What if I see a request?** — Read it. Legitimate reasons exist (font from a CDN in some pages), but for a privacy tool, no requests should exist at all.

---

### PBKDF2 vs Argon2, explained for people who just want to choose a good passphrase
*Cluster F — The trust queries. Keyword: “pbkdf2 vs argon2 explained choose good passphrase”.*
URL: https://elba.works/answers/pbkdf2-vs-argon2-choose-passphrase

PBKDF2 and Argon2 are both key-derivation functions — they take your passphrase and stretch it into a key in a way that is deliberately slow, so a brute-force attacker has to spend real time on every guess. Argon2 is newer and also memory-hard, which makes attacks with specialised hardware more expensive. For a personal file vault, both are strong when configured well, and your passphrase length matters more than the choice between them.

#### PBKDF2, in plain terms
Take the passphrase. Hash it. Hash the result. Hash the result again. Do that hundreds of thousands of times. Only then use the output as the key. The high iteration count is what makes guessing slow.

#### Argon2, in plain terms
Same idea, but also forces the computation to use a lot of memory. Special guessing hardware (ASICs, GPUs) is good at parallel hashing; being memory-hard makes those attacks much more expensive per guess.

#### What Elba uses and why
Elba uses PBKDF2 with 600,000 iterations, via the browser's audited WebCrypto implementation. Argon2 is stronger in principle but is not in WebCrypto and would require shipping a WASM implementation, which we chose not to do — the tradeoff is 'audited native primitive vs stronger primitive with more code to trust'. A strong passphrase makes the difference academic.

#### The passphrase advice
Four or five random words from a large list (diceware or similar) is the honest advice. It resists offline attack against either PBKDF2 or Argon2 for any reasonable time budget.

#### FAQ
- **Is PBKDF2 broken?** — No. Slower to configure aggressively and less GPU-resistant than Argon2, but not broken.
- **Should I care which one my tool uses?** — Care that a KDF is used with sensible parameters. Beyond that, worry about your passphrase length first.

---

## Colophon
This knowledge base is generated on request from the live content on https://elba.works. It is the same text that appears on the public site, gathered into a single Markdown file so AI crawlers, LLM indexers, and readers can consume it without JavaScript. Attribution appreciated but not required; source becomes MIT on 1 January 2030.
