How does this service work?

This page allows you to share a secret through a secret sharing link.
The secret is stored in the secret sharing link and not on the server.
A secret sharing link can only be used once.

Short description of this service.

This secret sharing service is based on GPG encryption. When creating a new secret sharing link, the secret itself is encrypted via GPG. The result of the GPG encryption is URL-safe Base64 encoded and prepended with the URL of this website. When the secret sharing link is called, the URL-safe Base64 encoded GPG message is decrypted and the result of the decryption is displayed on the website. Additionally, the fingerprint of the URL-safe Base64 encoded GPG message is stored in a database to prevent it from being displayed more than once.

You can build your own secret sharing link by following some basic steps.

Get the correct public key.

First of all you have to retrieve the correct public key to encrypt your secret:

gpg --recv-keys --keyserver "hkps://" "4339D8517CD93D4129550A4360358F32A8549955"

Encrypt the secret you want to share.

To create a secret sharing link you have to do certain steps that are decribed here:

  1. encrypt the secret via GPG
  2. Base64 encode the encrypted secret
  3. remove line breaks
  4. apply URL-safe Base64 encoding:
    • remove equation signs
    • replace "+" with "-"
    • replace "/" with "_"
  5. prepend the secret sharing URL

All of these steps can be executed using a single shell command:
echo "secret"                                                                     | # the secret you want to share
gpg --recipient "4339D8517CD93D4129550A4360358F32A8549955" --output - --encrypt - | # encrypt the secret via GPG
openssl base64                                                                    | # Base64 encode the encrypted secret
tr -d "\n"                                                                        | # remove line breaks
tr -d "="                                                                         | # remove equation signs
tr "+" "-"                                                                        | # replace "+" with "-"
tr "/" "_"                                                                        | # replace "/" with "_"
awk '{print "" $0}'                                    # prepend secret sharing URL


...just use the secret sharing form we provide for your convenience.

Short description of the password-protection feature.

When using the password-protection feature, the secret is encrypted locally using the AES algorithm in GCM mode. The encryption key is derived from the entered password and a dynamically generated salt using the PBKDF2 algorithm. The dynamically generated salt is prepended to the encrypted secret. The password-protection feature is implemented using client-side JavaScript. Please beware that a compromised server may serve you JavaScript code that defeats the purpose of the local encryption. If you do not trust the server that provides the secret sharing service, then encrypt your secret with a locally installed application before sharing it.