This guide walks you through encrypting your first HTML file.
pip install pagevault
Requires Python 3.10 or higher.
Create example.html:
<!DOCTYPE html>
<html>
<head>
<title>My Page</title>
<style>
body { font-family: sans-serif; margin: 2rem; }
</style>
</head>
<body>
<header>
<h1>Welcome</h1>
<p>This is public content everyone can see.</p>
</header>
<main>
<h2>Public Section</h2>
<p>More public information here.</p>
<h2>Protected Section</h2>
<pagevault hint="Contact me for the password">
<p>This content is encrypted. Visitors need the password to see it.</p>
<p>Only the section inside <pagevault> gets encrypted.</p>
<p>Everything else (header, navigation, scripts) stays public.</p>
</pagevault>
</main>
<footer>
<p>Public footer.</p>
</footer>
</body>
</html>
Create .pagevault.yaml in your project:
pagevault config init
This generates a configuration file with:
Check the generated config:
pagevault config show
pagevault lock example.html
This creates _locked/example.html with the marked content encrypted.
Open _locked/example.html in your browser. You’ll see:
.pagevault.yamlBefore encryption:
example.html
├── Header (public)
├── Navigation (public)
├── <pagevault> section (encrypted by pagevault)
└── Footer (public)
After encryption:
_locked/example.html
├── Header (public)
├── Navigation (public)
├── <pagevault> (now encrypted AES-256-GCM)
└── Footer (public)
└── + Web Component + JS runtime (decryption logic)
By default, pagevault encrypts what you mark with <pagevault> tags. You can be more selective:
Mark specific elements using CSS selectors:
pagevault mark example.html -s ".private" --hint "Staff only"
This wraps all elements with class="private" in <pagevault> tags.
pagevault mark example.html -s ".private" -s "#secret"
If your HTML has no <pagevault> tags, pagevault marks the entire body:
pagevault lock example.html
# Encrypts entire <body> content
Unencrypted content: <head>, navigation, external scripts.
Edit .pagevault.yaml and change the password:
password: "new-strong-password"
Re-encrypt files:
pagevault lock example.html
This creates a new encrypted version with the new password.
Instead of storing password in .pagevault.yaml, use an environment variable:
export PAGEVAULT_PASSWORD="my-secret-password"
pagevault lock example.html
# Doesn't require .pagevault.yaml
pagevault lock example.html -p "temporary-password"
To restore the original file (with <pagevault> tags still in place):
pagevault unlock _locked/example.html
Creates _unlocked/example.html with content decrypted but still marked.
Encrypt all HTML files in a directory:
pagevault lock src/pages/ -r
# Processes all .html files recursively
# Output: _locked/src/pages/
Specify output directory:
pagevault lock src/pages/ -r -d public/encrypted/
# Output: public/encrypted/
If you’re building a Hugo blog:
<pagevault> markershugo -o build/pagevault lock build/posts/ -rbuild/_locked/Example script:
#!/bin/bash
hugo -o build/
pagevault lock build/posts/ -r --css assets/pagevault.css
rsync -av build/_locked/ deploy/
The password prompt is styled by default, but you can customize it:
Create a CSS file, e.g., styles/pagevault.css:
pagevault {
--bg-color: #f5f5f5;
--text-color: #333;
--button-bg: #007bff;
--button-hover: #0056b3;
}
pagevault-prompt {
font-family: 'Comic Sans', cursive; /* Just kidding! */
}
Apply when encrypting:
pagevault lock example.html --css styles/pagevault.css
pagevault mark example.html --title "Premium Content" --hint "Check your email"
pagevault lock example.html
See Configuration for all options:
remember: How long to store passwords (session/local/never)auto_prompt: Whether to show password prompt automaticallytitle: Label for encrypted sectionsusers: Multi-user encryptionAfter encrypting files, you can inspect and verify them without decrypting.
Use info to see encryption details without a password:
pagevault info _locked/example.html
This shows the encryption algorithm, number of encrypted regions, ciphertext sizes, viewer information, and other metadata.
Use check to test whether a password is correct:
pagevault check _locked/example.html -p "your-password"
# Exit code 0 = correct, 1 = incorrect
This performs a fast key verification without decrypting the full content. Useful for scripting and CI/CD pipelines.
Run audit to check your configuration for common issues:
pagevault audit
The audit checks password strength, salt quality, whether .pagevault.yaml is in .gitignore, and integrity of managed files. Fix any reported issues to improve your security posture.
Q: Where does pagevault output files?
A: By default, _locked/ for encrypted HTML and _unlocked/ for decrypted. Use -d to specify.
Q: Why doesn’t my selector work? A: Make sure the CSS selector is valid and matches elements in your HTML. Test with your browser’s DevTools.
Q: Can I encrypt an already-encrypted file? A: Yes! pagevault supports composable encryption. Decrypting then re-encrypting is also fine.
Q: How do I share encrypted content? A: Upload the encrypted HTML to your static host and share the password separately (email, Discord, docs, etc.).
Q: Is there a way to distribute different passwords for different sections? A: Use multi-user encryption. See Configuration.
Ready to encrypt? Pick your use case and try it out!