🕵️ Image Steganography
Hide secret messages inside images entirely in your browser with LSB (least-significant-bit) steganography, optional AES-GCM-256 encryption (PBKDF2-SHA-256 100k rounds), and optional gzip compression — output is always lossless PNG. Live capacity meter, accepts JPEG/PNG/WebP/BMP covers (JPEG triggers a warning, alpha auto-flattened to white), round-trip self-verify after embedding confirms the payload will decode. Extract distinguishes three states clearly: no-payload / wrong-password / corrupted. Four upload paths (drag / paste / gallery / camera), bilingual zh/en UI, 44px mobile touch targets, iOS Safari 16MP canvas guard. Client-side processing; images and passwords are not uploaded by the tool.
① Choose Cover Image
PNG recommended (lossless). Supports JPG / WebP / BMP; max 25 MB; max 16 MP (iOS canvas cap)
③ Security Options (optional)
Encryption uses AES-GCM-256 + PBKDF2-SHA-256 (100,000 iterations). Strength hint appears below once you type.
💡 What this is / what it protects / what it does not
LSB steganography hides your secret inside the least-significant bits of each pixel's RGB channels. It's invisible to the naked eye, but anyone who knows the exact algorithm can read it back.
What this tool DOES protect:
- ✅ Casual inspection: The stego image looks identical to the original.
- ✅ Confidentiality (with password): AES-GCM-256 encryption ensures that even if someone knows there's a payload, they can't read it without the password.
- ✅ Integrity: AES-GCM's built-in authentication tag fails verification if the encrypted payload embedded in the stego image has been modified.
What this tool DOES NOT protect:
- ❌ Forensic steganalysis: Statistical attacks (chi-square, RS-analysis) can detect that LSBs were modified — this is an inherent limitation of naive LSB.
- ❌ Social media re-compression: WeChat / Twitter / Instagram / iMessage re-encode PNGs as JPEG or downscale them — this destroys the payload.
- ❌ Screenshots or re-saves: Saving the file itself with right-click-save is lossless and keeps the payload; screenshots, in-app screen grabs, and messengers that compress images destroy the data.
Recommendation: always encrypt for sensitive content, and share via direct file transfer (email attachment, direct download link, USB).
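The following added example (not the tool's own code) shows the LSB mechanism described above and why the chi-square weakness exists: it embeds bytes into the RGB channels of a canvas-style RGBA buffer, reads them back, and computes the pairs-of-values chi-square statistic a defender would use to flag full-capacity embedding. The bit order, the absence of any header, all function names, and the LCG-generated cover and payload are assumptions constructed for illustration.

```javascript
// Assumed layout: payload bits MSB-first, one per R, G, B byte; alpha skipped; no header.
function embedLSB(rgba, payload) {
  if (payload.length * 8 > (rgba.length / 4) * 3) throw new RangeError("payload exceeds capacity");
  const out = Uint8ClampedArray.from(rgba);
  for (let bit = 0, i = 0; bit < payload.length * 8; i++) {
    if (i % 4 === 3) continue; // alpha
    out[i] = (out[i] & 0xfe) | ((payload[bit >> 3] >> (7 - (bit & 7))) & 1);
    bit++;
  }
  return out;
}

function extractLSB(rgba, byteCount) {
  const payload = new Uint8Array(byteCount);
  for (let bit = 0, i = 0; bit < byteCount * 8; i++) {
    if (i % 4 === 3) continue; // alpha
    payload[bit >> 3] |= (rgba[i] & 1) << (7 - (bit & 7));
    bit++;
  }
  return payload;
}

// Pairs-of-values chi-square statistic over RGB bytes. Random-looking payload bits equalise
// the counts of 2k and 2k+1, so a value near the number of populated pairs suggests embedding.
function chiSquarePairs(rgba) {
  const hist = new Uint32Array(256);
  for (let i = 0; i < rgba.length; i++) if (i % 4 !== 3) hist[rgba[i]]++;
  let stat = 0, pairs = 0;
  for (let k = 0; k < 128; k++) {
    const expected = (hist[2 * k] + hist[2 * k + 1]) / 2;
    if (expected < 5) continue; // too few samples for a meaningful term
    stat += (hist[2 * k] - expected) ** 2 / expected;
    pairs++;
  }
  return { stat, pairs };
}

// Constructed inputs: a small LCG stands in for pixel data and for ciphertext bytes.
function lcg(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) >>> 24;
}
function makeCover(pixels) { // ~25% odd values, so value pairs start out unbalanced
  const rnd = lcg(1), rgba = new Uint8ClampedArray(pixels * 4);
  for (let i = 0; i < rgba.length; i++)
    rgba[i] = i % 4 === 3 ? 255 : (rnd() & 0xfe) | (rnd() < 64 ? 1 : 0);
  return rgba;
}
function makePayload(n) { return Uint8Array.from({ length: n }, lcg(2)); }
```

Comparing `chiSquarePairs(makeCover(4096))` with the same cover after `embedLSB(cover, makePayload(1536))` shows the statistic collapsing once every LSB carries payload; encryption does not hide this, since ciphertext bits are exactly what equalises the pairs.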