Hide encrypted data inside ordinary images.
A privacy-focused desktop steganography tool built with Electron, React, and TypeScript.
Veilo is a research-grade steganography application for macOS, Windows, and Linux. It encrypts your files with AES-256-GCM and embeds them invisibly inside the pixels of an ordinary-looking image — a photo that looks completely normal to anyone who opens it, but secretly contains a password-protected backup of your data.
It started as an independent research project and proof-of-concept around modern steganographic techniques, so alongside the core "hide a backup in a picture" workflow, it also ships a full experimentation suite: multiple embedding algorithms, automated benchmarking, PSNR/SSIM image-quality analysis, and chart-driven research dashboards for comparing them.
 |
 |
| Vault lock screen — AES-256-GCM + PBKDF2 | Encode result — PSNR/SSIM + compression stats |
 |
 |
| Dashboard overview | Restore — pick a project's encoded carrier directly |
 |
 |
| Experiment Center — automated algorithm/format sweeps | Research Dashboard — PSNR, encode time, success-rate charts |
Save the screenshots into
docs/screenshots/using the filenames above (lock-screen.jpg,dashboard.jpg,encode-result.jpg,restore-from-project.jpg,experiment-center.jpg,research-dashboard.jpg) before pushing — they aren't committed yet.
- AES-256-GCM encryption with PBKDF2 key derivation (600,000 iterations) — random salt + IV generated per backup
- Multiple embedding algorithms — LSB Sequential, LSB Randomized (seeded PRNG), LSB Edge-based, DCT (quantized mid-frequency coefficient), and DWT (integer Haar wavelet coefficient parity)
- Any image format in, lossless PNG out — drop in a JPG, BMP, TIFF, or GIF carrier and Veilo transcodes it automatically
- Multi-file backups — add files incrementally; they're bundled, gzip-compressed, then encrypted as one payload
- Split a backup across multiple images — automatic carrier selection greedily fills available capacity and divides the payload between several images, reconstructed by re-supplying all of them during restore
- Drag-and-drop for both files and carrier images, with real OS file paths (not just simulated)
- Per-file SHA-256 hashing on add, re-verified on restore
- Backup integrity verification — re-decode an already-encoded carrier and confirm every file's hash still matches, without writing anything to disk
- Corruption detection with a clear per-file pass/fail report
- Tags, full-text search, grid/table views, and sortable columns (name, size, date, etc.)
- Project metadata tracked automatically: creation/modified dates, file count, original size, encoded size, carrier count
- Export project metadata (JSON), a human-readable backup report (HTML), or a reusable project configuration template
- Experiment Center — sweep algorithms × image formats × payload sizes in one run, with PDF/HTML/JSON export
- Benchmarks — encode/decode speed, throughput, and storage efficiency (bytes embedded per pixel) per algorithm
- Research Dashboard — Recharts-powered graphs: payload size vs. PSNR, encode time vs. payload size, recovery success rate, algorithm radar comparison
- Steg Explorer — visualize exactly which pixels were modified via an LSB heatmap
- PSNR/SSIM image-quality metrics computed on every encode
- Master-password vault with auto-lock, password change, and key rotation (with fingerprint display)
- Dark/light/system themes, native macOS traffic-light window controls, fully resizable layout
- "Delete all data" panic switch, on-page tabbed Settings (General / Security / Encryption / Notifications / Storage)
| Layer | Tech |
|---|---|
| Shell | Electron 28 (contextIsolation, no nodeIntegration) |
| UI | React 18 + TypeScript, React Router, Zustand |
| Styling | Tailwind CSS with a custom dark-first design system |
| Image processing | Jimp (decode/encode/transcode, pixel-level LSB/DCT/DWT) |
| Crypto | Node crypto — AES-256-GCM, PBKDF2-SHA256 |
| Charts | Recharts |
| Reports | jsPDF + jspdf-autotable |
| Persistence | electron-store (separate stores for auth, projects, settings, experiments) |
git clone https://github.com/Neerav-Gupta/veilo.git
cd veilo
npm install
npm run devnpm run dev compiles the Electron main process from TypeScript and starts both the Vite dev server and Electron concurrently. On first launch you'll be asked to set a master password — this derives the vault's encryption key, so there's no recovery if you forget it (by design).
# Build for your current platform and produce an installer in dist-electron/
npm run dist
# Or just produce an unpacked app directory (faster, no installer)
npm run packCross-platform notes:
- macOS → macOS: builds a
.dmg. Without an Apple Developer ID the build is unsigned, so Gatekeeper will warn on first launch (right-click → Open to bypass). - macOS → Windows: electron-builder can cross-compile an NSIS installer from macOS, but the result is also unsigned — Windows SmartScreen will warn similarly. You cannot run/test a Windows build on macOS; only Windows or Wine can execute it.
- App icon comes from
build/icon.png(1024×1024) — replace it and rebuild to rebrand.
veilo/
├── electron/ # Main process (TypeScript, compiled to .js before run)
│ ├── main.ts # Window creation, app lifecycle
│ ├── preload.ts # contextBridge — the only surface exposed to the renderer
│ └── ipc/ # One module per domain: auth, projects, files, steganography, encryption, settings
├── src/
│ ├── pages/ # Dashboard, NewBackup, Restore, Projects, ProjectDetail, Settings, Experiments, Benchmarks, ResearchDashboard, StegExplorer
│ ├── components/ # Shared UI (Layout, TopNav, Notifications, ui/*)
│ ├── store/ # Zustand app store
│ └── types/ # Shared TypeScript types
├── build/icon.png # Source app icon (electron-builder generates .icns/.ico from this)
└── docs/screenshots/ # README screenshots
- Encryption: AES-256-GCM with a random 32-byte salt and 16-byte IV per backup, layout
[salt][iv][authTag][ciphertext] - Key derivation: PBKDF2-SHA256, 600,000 iterations
- The vault password is never stored — only a derived hash used to verify unlock attempts
- This is a research/proof-of-concept project. It has not been independently audited — don't rely on it as your only backup of anything irreplaceable.
MIT