Open the encrypted JSON file you exported from the app.
Your file never leaves this page. Decryption runs entirely
in your browser using the Web Crypto API. We don't upload, log, or look at
anything you drop here.
Click to choose, or drag a thrivetracker-export-*.json file here.
How safe is this tool, and how to make it safer
What this page does to protect you:
All decryption runs in your browser, using the built-in Web Crypto API. There is no server-side decryption.
Strict Content-Security-Policy with connect-src 'none' — the browser physically blocks any network request from this page. Even a bug in our code couldn't exfiltrate your file or password.
No images, no analytics, no third-party scripts. The page only loads itself.
"Download-only mode" (default) keeps the decrypted text out of the page DOM entirely — extensions can't read what they can't see.
Your passphrase is converted to a Uint8Array before key derivation and the array is zeroed in memory after the key is derived. The text input is also cleared.
The page source is short and human-readable. Right-click → View Source — you'll see the entire crypto path.
For maximum safety, run this page offline:
Right-click this page → Save Page As → save the HTML to your disk.
Disconnect from Wi-Fi / put your machine in airplane mode.
Open the saved HTML file (the URL bar will read file://...).
Decrypt as normal. There is no network, no Firebase, no CDN — pure local computation.
This is the strongest mode: even if our hosting were compromised in the future, your saved copy is unaffected.
Residual risks even with all of the above:
Browser extensions you've granted full-page access to can still read the password field as you type. Use a clean / private browsing window if this matters.
JavaScript strings (the original input value) are immutable — we zero what we can, but a copy may briefly linger in the JavaScript engine's heap (V8 in Chromium-based browsers) until garbage collection.
If you choose "Download as plain JSON", that file goes to your Downloads folder unencrypted — by your request. Delete or move it somewhere safe when you're done.
What format is this file?
The exported file is a JSON envelope shaped like this:
Your passphrase is run through PBKDF2-HMAC-SHA256 with the salt to derive
a 256-bit AES key. That key is used with AES-GCM (auth tag included) and
the IV to decrypt the ciphertext. The format is open — a 30-line Python
script does the same thing.
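
The decryption path described above, as an added example written against the Web Crypto API; it is not this page's own source. The envelope field names (salt, iv, ciphertext, iterations), their base64 encoding and the iteration count are assumptions, because the envelope listing is not reproduced in this text, and encryptEnvelope exists only to build a constructed sample to decrypt.

```javascript
// Added example, not the page's own code. Field names (salt, iv, ciphertext,
// iterations), base64 encoding and the iteration count are assumptions.
const b64 = {
  dec: (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0)),
  enc: (u8) => btoa(String.fromCharCode(...u8)),
};

// Browsers expose globalThis.crypto; older Node versions need the import.
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

// PBKDF2-HMAC-SHA256 over the passphrase bytes -> non-extractable 256-bit AES-GCM key.
async function deriveKey(subtle, passphrase, salt, iterations) {
  const pw = new TextEncoder().encode(passphrase);
  try {
    const base = await subtle.importKey('raw', pw, 'PBKDF2', false, ['deriveKey']);
    return await subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
      base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
  } finally {
    pw.fill(0); // zero the passphrase bytes; the source string itself cannot be wiped
  }
}

// Returns the plaintext, or null when the GCM tag does not verify.
async function decryptEnvelope(envelope, passphrase) {
  const { subtle } = await getCrypto();
  const [salt, iv, data] = [envelope.salt, envelope.iv, envelope.ciphertext].map(b64.dec);
  const key = await deriveKey(subtle, passphrase, salt, envelope.iterations);
  try {
    return new TextDecoder().decode(await subtle.decrypt({ name: 'AES-GCM', iv }, key, data));
  } catch {
    return null; // wrong passphrase or altered file: no plaintext is released
  }
}

// Builds a constructed sample envelope so the example runs offline.
// 1000 iterations keeps the sample fast; it is not a recommended work factor.
async function encryptEnvelope(plaintext, passphrase, iterations = 1000) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(c.subtle, passphrase, salt, iterations);
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { iterations, salt: b64.enc(salt), iv: b64.enc(iv), ciphertext: b64.enc(new Uint8Array(ct)) };
}
```

Because AES-GCM authenticates the ciphertext, a wrong passphrase and a modified file fail the same way: decryptEnvelope returns null instead of partial or corrupted output.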