$ resume

Thanks for your interest in my work.

I don't post my resume publicly. If you'd like a copy, drop a note via the contact form and I'll send you a link with a one-time passcode.

---

$ unlock

Already received an ID and passcode? Enter them below.

id passcode $ decrypt

---

$ how this works

• → passcode lives in the url fragment. the share link uses #id.passcode, not ?id=...&passcode=.... browsers never send the part after # to the server, so it stays out of s3 access logs and isn't leaked via the referer header when you click an outbound link from the decrypted page. the page also strips the fragment from your address bar after load so it doesn't end up in screenshots or browser history previews.
• → aes-gcm with a per-file random salt and iv. the encrypted blob carries a fresh 16-byte salt and 12-byte iv. gcm is authenticated, so a wrong passcode fails loudly (the browser throws) rather than handing back garbage that pretends to be a pdf.
• → unguessable id + robots.txt is the anti-crawler layer. the encrypted file sits at /encrypted-resumes/<id>.bin with a random id, and robots.txt disallows that path. that's enough to keep well-behaved crawlers and casual url-guessers out. the passcode is the actual lock.
• → pbkdf2-sha256, 250k iterations. the passcode is stretched into the aes key with pbkdf2 so each guess costs real cpu time. that's enough friction to make a long random passcode infeasible to brute-force, but a 4-character one is still cheap — let the encrypt tool generate the 12-character default.
• → filename and mime type are inside the encrypted payload. the original filename and content-type are stored as part of the ciphertext, not as separate metadata. on decrypt, the download link restores both, so .pdf, .docx, or anything else round-trips correctly. only pdf-ish files preview inline in the iframe; everything else is download-only.