Protect your seed phrase.

Encrypt your seed phrase so the same backup decrypts two ways: your real wallet for you, a plausible decoy dust wallet anywhere the backup leaks. If a cloud sync, a lost device, or a stolen archive ends up in someone else's hands, what they recover is the decoy. Your real holdings stay invisible. Everything runs in your browser.

Protect Restore
๐Ÿ”’ Everything runs in your browser. Your seed phrase is never sent anywhere. Learn more
When you'd use this. Cloud-syncing your seed-phrase backup where a breach could expose it. Storing a wallet backup on a device a roommate, partner, or relative might find. Pre-positioned decoys for known scenarios where a device might be lost, stolen, or surrendered. Anywhere a regular encrypted backup leaves you with no good answer if the bytes leak.
1 Step 1 of 3

Your real seed phrase

This is your actual crypto wallet recovery phrase. 12 or 24 words.

โœ“ Not sent anywhere. Stays in your browser.

2 Step 2 of 3

Your decoy seed phrase

This is what an attacker recovers when the backup leaks. Use an old or empty wallet's seed phrase.

โœ“ This is what an attacker will see. Pick something believable.

3 Step 3 of 3

Set your passwords

Choose a strong password. You'll need this to access your real seed phrase.

โœ“ Passwords are never stored. Used once to encrypt, then discarded.

You'll receive: 1 encrypted backup (.enc) + 1 control file (.ctrl) + 1 decoy control file (.ctrl)
How you'll use these files
1

Store the encrypted file.

Save the ciphertext. It's safe. Without a control file and your passwords, it's meaningless data.

2

Keep both control files separate.

The real control file goes somewhere only you can access. The decoy control file goes somewhere plausible. A notes app. A drawer. Somewhere an attacker would find it.

3

When the bytes leak, the decoy is what they recover.

They decrypt your backup with the decoy control file. They see a wallet with dust. They walk away satisfied. You sleep fine.

Made a mistake? No problem. There's no account, no state. Encrypt again as many times as you need.

Zero knowledge. Zero trust required.

This page runs entirely in your browser. Your seed phrase is never transmitted, stored, or logged. Not by us, not by anyone.

deny.sh is open source: SDK is Apache 2.0, application layer is AGPL-3.0. Read every line.

Need to restore from a backup? Restore tool. Split your control file? Shamir's Secret Sharing. Hide it in a photo? Steganography.