I Built a Zero-Dependency Browser Storage Encryption Library — Here's Why

DEV Community·V G P·19 days ago

A few months ago I found myself auditing a side project and noticed something uncomfortable: I was storing sensitive user preferences, cart data, and session tokens in localStorage — completely in plaintext. Anyone with DevTools open could read it in two seconds.

The obvious fix is "just encrypt it." But when I went looking for a library that actually did this well, I kept running into the same problems: heavy dependencies, weak key derivation, or APIs that felt bolted on as an afterthought.

So I built tessera.

What tessera does

One passcode. All your browser storage — localStorage, sessionStorage, IndexedDB, and cookies — encrypted with AES-256-GCM. The key is derived from PBKDF2-SHA-256 at ≥ 310,000 iterations (the OWASP 2024 minimum), and it never leaves the Web Crypto engine as raw bytes.

The API is a drop-in replacement for the storage APIs you already use:

    import { Tessera } from '@mrtinkz/tessera';

    const vault = await Tessera.unlock('abc123');
    await vault.local.…
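The key handling described above (PBKDF2-SHA-256 at 310,000 iterations feeding an AES-256-GCM key that cannot be exported), sketched with the standard Web Crypto API as an added example. It is not tessera's code: the function names, the IV-prefixed record layout, and the use of the storage key name as additional authenticated data are assumptions made for illustration.

```javascript
// Added example (not tessera's implementation). deriveVaultKey, seal, open and demo are hypothetical names.
// Browsers and recent Node expose globalThis.crypto; the require() fallback only runs on older Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 310000; // iteration floor quoted in the post
const enc = new TextEncoder();

async function deriveVaultKey(passcode, salt) {
  const base = await webcrypto.subtle.importKey(
    'raw', enc.encode(passcode), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    base,
    { name: 'AES-GCM', length: 256 },
    false, // extractable = false: exportKey() is refused, raw key bytes stay inside the engine
    ['encrypt', 'decrypt']);
}

// Assumed record layout: 12-byte random IV followed by ciphertext and GCM tag.
// Assumption: the storage key name is bound as AAD so a record cannot be moved to another name.
async function seal(key, name, value) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(name) }, key, enc.encode(value));
  const record = new Uint8Array(iv.length + ct.byteLength);
  record.set(iv);
  record.set(new Uint8Array(ct), iv.length);
  return record;
}

async function open(key, name, record) {
  const pt = await webcrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: record.slice(0, 12), additionalData: enc.encode(name) },
    key, record.slice(12));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // stored beside the data, not secret
  const key = await deriveVaultKey('constructed-passcode', salt); // constructed sample passcode
  const record = await seal(key, 'cart', '{"items":3}');          // constructed sample value
  const rejected = (p) => p.then(() => false, () => true);
  const roundTrip = await open(key, 'cart', record);
  const exportBlocked = await rejected(webcrypto.subtle.exportKey('raw', key));
  const swapRejected = await rejected(open(key, 'session', record)); // same bytes, wrong name
  record[record.length - 1] ^= 1; // flip one bit of the authentication tag
  const tamperRejected = await rejected(open(key, 'cart', record));
  return { roundTrip, exportBlocked, swapRejected, tamperRejected };
}
```

A non-extractable key still encrypts and decrypts for any script running in the page's origin, so it protects the stored bytes at rest and does nothing against code already executing in that origin.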
