Zero-Knowledge Encryption: Your message is encrypted locally before it is sent.
mBox.pl Security Stack
Every message is encrypted on the client side and ready to share securely with a single link.
Security
Content and key stay exclusively on your side. The server stores only an encrypted payload.
Technology
A modern cryptographic standard combines confidentiality and integrity to detect tampering attempts.
Privacy
No profiling, no data sales, and no activity tracking. You decide what to share and with whom.
mBox.pl is a modern tool created for secure sharing of sensitive information in a digital world. Whether you are sending a banking password, an API token, or a confidential company document, mBox.pl guarantees that no one - including us - can read your message.
The key to our system is client-side encryption. This means your data is secured directly in your browser before it even reaches the network. It is the simplest, fastest, and safest way to transfer data, without creating an account or installing software.
Below is a visual summary of the Zero-Knowledge model and the encryption process before data is sent.
mBox.pl bases its security on the Zero-Knowledge model. In practice, this means the mBox.pl server is only a "blind courier". It receives an encrypted data package but never has the key required to open it. This key is generated locally by the sender and becomes part of a unique link (the fragment after #), which is never sent to our systems.
Encryption itself uses the banking-grade AES-256-GCM standard. This modern cryptographic algorithm guarantees confidentiality (no one can view the content) and integrity (no one can modify the message in transit). If anyone attempts to alter the encrypted payload, the recipient will not be able to decrypt it.
An additional layer of protection is the self-destruct rule. You can set the message to be permanently removed from the server according to selected rules.
This ensures that confidential information does not stay online a second longer than necessary, eliminating the risk of a later leak.
With client-side encryption, your secret never reaches the server in readable form.
Generate a secure link with one click. No registration and no email required.
Full control over data lifetime. Data disappears permanently.
Banking-grade encryption standards protect your message from tampering.
mBox.pl is a security tool. We do not profile users and we do not track activity.
Zero-Knowledge encryption means the decryption key never leaves your browser. The server stores only encrypted data and has no physical ability to read it. Unlike classic solutions where an admin may access content, here even the server owner cannot learn the message content.
WhatsApp offers end-to-end encryption, but messages remain in chat history on both devices. Anyone with phone access can read them later. mBox.pl allows expiration after one read or time limit, eliminating future leak risk.
Most email servers do not encrypt messages end-to-end. Email can be stored on intermediate servers, in sender and recipient mailboxes, and in backups. Mail admins, hosting providers, or people with account access can read contents. mBox.pl encrypts data locally before sending and deletes it after reading.
No. The decryption key is only in the link (URL fragment after #), which is never sent to the server. The server stores only an encrypted data package that cannot be decrypted without the key.
Google Drive and Dropbox do not encrypt data in Zero-Knowledge mode by default - the provider has key access. Files remain in the cloud long-term and require an account. mBox.pl encrypts data locally, requires no registration, and messages expire automatically after reading or time limit.
The "1 view" option causes the message to be permanently deleted from the server immediately after first read. The recipient cannot open it again and the link stops working. It's ideal for sending passwords or one-time tokens.
The decryption key is placed in the URL hash fragment (after #). Browsers never send this part of the address to the server. You can verify this in browser dev tools (Network tab) - no HTTP request contains the key.
Corporate messengers store message history on servers accessed by organization admins and the platform provider. Messages can be archived, indexed, and retained for compliance. mBox.pl stores no metadata about content and deletes data after the selected time.
AES-GCM (Galois/Counter Mode) is a modern cryptographic standard combining encryption (AES) with authentication (GCM). It not only hides content but also detects any tampering attempts. If someone tries to modify the encrypted message, decryption fails with an error.
Password managers have varying encryption quality and don't always offer burn-after-reading or short expiration times. mBox.pl is an independent tool you can use to share any data (not just passwords), without installing apps or creating accounts.
We store only minimal technical logs necessary to prevent attacks (e.g., IP, request time). However, we do not log the contents of your messages or decryption keys, because we cannot see them. Technical logs are regularly purged.
Due to Zero-Knowledge architecture, we have no way to recover your message or key. If the link is lost, the content will remain encrypted on the server until expiration time, after which it will be permanently deleted.
Yes. Every attachment is encrypted in your browser before sending with the same key as the text message. The recipient downloads the encrypted file, which is decoded locally on their device.
Yes. The mBox.pl project implements 'Privacy by Design' and 'Privacy by Default' principles. We minimize data collection, and thanks to end-to-end encryption, we are not the administrator of your message content because we have no access to it.
Basic mBox.pl features are and always will be free. In the future, we plan to introduce Premium accounts for businesses, offering larger file limits, SMS notifications, and dedicated team panels.