Exploit Google Photos Unlimited Storage. Hide files inside videos. Extract them back out—Encrypt them in between.
A self-contained, interactive Bash CLI for byte-append steganography — no dependencies beyond standard Unix tools, runs on Linux, macOS, and Android (Termux).
- Overview
- Screenshots
- How It Works
- Features
- Requirements
- Installation
- Usage
- Configuration
- Security & Limitations
- Usage Case
- Contributing
- License
Mp4Vault is an interactive command-line tool that hides any file inside a video file by appending it to the end of the video's data, and can later pull that file back out again. The payload can optionally be encrypted with AES-256-CBC before it's hidden, so even if someone finds it, they can't read it without your passphrase.
Everything runs through a guided menu — no flags to memorize, no manual byte-math.
Navigate to Usage and Usage Case for more details.
Mp4Vault uses a technique sometimes called cat-append steganography:
- The payload (your file, optionally encrypted) is appended directly onto the end of a carrier video file.
- Most video players and parsers stop reading once they reach the end of the actual video stream, so the carrier still plays completely normally — the extra bytes just ride along, invisible to anything that isn't looking for them.
- To get the payload back out, Mp4Vault needs to know exactly where the original video ended. That number — the carrier's original byte size — is your Offset Key, and it's printed once, right after you hide a file.
Be honest with yourself about what this is. This is concealment, not cryptographic-grade steganography. It doesn't hide data inside the video's pixels or audio samples — it just tacks data onto the end of the file. The file size increases by exactly the payload size, and that's trivially detectable by anyone who checks. Encryption (which Mp4Vault offers) protects the contents if discovered; it does not hide the fact that something was appended.
- 🎬 Hide any file type inside any video file — no transcoding, no quality loss
- 🔐 Optional AES-256-CBC + PBKDF2 encryption of the payload before hiding
- 🖥️ Fully interactive, menu-driven — pick options by number, no CLI flags
- 📱 Cross-platform: Linux, macOS, and Android via Termux
- 📦 Auto-detects missing dependencies and offers to install them (apt / pkg / pacman / dnf / brew)
- ⚡ One-time system-wide install on Termux — launch with just
mp4vaultfrom anywhere - 📋 Paginated file browser with human-readable sizes
- 🛡️ Built-in guards: disk space checks, overwrite confirmation, can't accidentally clobber the carrier video
| Tool | Required? | Purpose |
|---|---|---|
bash 4.3+ |
✅ Required | Uses namerefs (local -n) |
file |
✅ Required | Detects video files by MIME type |
realpath (coreutils) |
✅ Required | Path resolution |
awk |
✅ Required | Progress bars, math, formatting |
openssl |
✅ Required | AES-256 encryption / decryption |
figlet |
✅ Required | ASCII-art banners |
Missing tools are detected automatically on first run, and VaultForge will offer to install them for you via whichever package manager it finds.
git clone https://github.com/nostafobic-dev/mp4vault.git
cd mp4vault
chmod +x mp4vault.sh
./mp4vault.shmacOS note: the system
bashis version 3.2, which is too old. Install a newer one and run with it explicitly:brew install bash /opt/homebrew/bin/bash mp4vault.sh # Apple Silicon /usr/local/bin/bash mp4vault.sh # Intel
pkg update -y && pkg upgrade -y
termux-setup-storage
pkg install git -y
git clone https://github.com/nostafobic-dev/mp4vault.git
cd mp4vault
chmod +x mp4vault.sh
./mp4vault.shOn first run inside Termux, VaultForge will offer to copy itself into
$PREFIX/bin so you can launch it from any folder afterward just by typing:
mp4vaultRun the script and follow the prompts:
To hide a file:
- Choose mode
[1] Hide file(s) inside a video - Pick a folder to scan, then select a carrier video from the list
- Select the file you want to hide (zip it first if it's more than one file)
- Optionally set a passphrase to encrypt it
- Choose an output location and filename
- Save the Offset Key (and passphrase, if used) that Mp4Vault prints. Without the Offset Key, the hidden file cannot be recovered.
To extract a file:
- Choose mode
[2] Extract hidden file from a video - Select the video containing the hidden payload
- Enter the Offset Key (and passphrase, if it was encrypted)
- Choose where to save the recovered file
Default behavior can be changed by editing the config block near the top of
mp4vault.sh:
| Variable | Default | Description |
|---|---|---|
CONFIG_FILE |
${HOME}/.mp4vault.conf |
Saves important info |
ENCRYPT_PAYLOAD |
true |
Offer AES-256 encryption before hiding by default |
SHOW_SIZES |
true |
Show file sizes next to filenames in lists |
PAGE_SIZE |
20 |
Files shown per page before pagination |
VERBOSE |
true |
Print extra diagnostic messages |
- The Offset Key isn't a secret by itself (it's just a file size), but it's required for correct extraction — losing it means losing the hidden file, even if you remember the passphrase.
- Without encryption enabled, anyone who has the carrier file and the offset
can recover the hidden file with nothing more than
tail -c. - This technique is detectable by simple means (file size comparison, inspecting the end of the file). Treat it as casual concealment, not forensic-proof hiding.
- MKV/WebM containers are more likely to reject files with trailing appended data than MP4/MOV — VaultForge warns you, but MP4/MOV is the safer carrier choice.
- Use responsibly, and don't rely on this as your only copy of anything important — always keep a separate backup of files before hiding them.
I created this tool out of curiosity, but it quickly became a useful solution for my personal file backup workflow.
The main goal of this project is to provide a free and secure way to backup important files by hiding them inside media files.
You might ask:
«Why hide a file inside a video?»
The reason is an interesting behavior I discovered in Google Photos.
If you append a file to an image or video without encryption and upload it to Google Photos, the extra data may be removed because the service processes the file based on its actual media structure.
However, if the hidden file is encrypted first, Google Photos treats the additional data as part of the media file and keeps it intact.
There is one major limitation: Google Photos has upload size restrictions for photos and videos.
- 🖼️ Images (".jpg", ".png"): around 500 MB upload limit
- 🎥 Videos (".mkv"): supports much larger uploads (tested successfully with 10 GB+ files)
Because of this, videos are the preferred container format for this tool.
🚀 Backup Method
For users with unlimited Google Photos storage, this can act as a long-term backup method:
- Take a normal ".mkv" video file (for example, 1 GB)
- Use this tool to encrypt and inject your files into the video
- Upload the generated video to Google Photos
- When needed, download the video
- Use the extraction process to recover your original files
Your files remain hidden inside the video while being stored as a normal media file.
🔐 Why Encryption?
Encryption ensures the hidden data is not detected or removed during upload processing. The encrypted payload becomes indistinguishable from normal binary data attached to the media file.
This makes the method useful for storing:
- Personal backups
- Archives
- Important documents
- Private files
📦 Tested
- ✅ Image/video container method
- ✅ Encrypted file injection
- ✅ Extraction after upload/download cycle
- ✅ Tested with ZIP archives up to 10 GB+
This project is intended as a simple, free backup technique using existing cloud storage.
Issues and pull requests are welcome. If you're submitting a PR:
- Fork the repo and create a branch (
git checkout -b feature/your-feature) - Test your changes on at least one supported platform
- Run
shellcheckagainst the script before submitting - Open a PR describing what changed and why
Distributed under the MIT License. See LICENSE for the full text.



