How Encrypted Secret Sharing Works

What you're trusting, and what you don't have to.

What this is

You have a password or an API key that needs to get to someone else. After they've read it, you need it to stop existing.

You paste the secret and set how long it lasts. You get a link. They open it, read the secret, and then it's gone.

Why it's built this way

You paste a password into Slack, or Teams, or an email. Now it's in a search index, a compliance archive, a backup, and an admin console. Two years from now it's still sitting there, readable by anyone with the right access.

How encryption works here

Your secret gets encrypted on your own machine before it goes anywhere. Your browser does it with XChaCha20-Poly1305 through libsodium.

The key is after the # in the URL. Your browser doesn't send that part to the server, so I never have it.
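The flow described above, as an added example that is not this service's own code: the sender encrypts locally, the server only ever gets the path and the ciphertext, and the recipient decrypts with the key from the fragment. Assumptions: the origin `share.example`, the `/s/<id>` path, the function names and the `nonce || ciphertext || tag` layout are hypothetical, and Node's built-in ChaCha20-Poly1305 (12-byte nonce) stands in for libsodium's XChaCha20-Poly1305 so the example runs without dependencies.

```javascript
// Added example, not the service's code. ChaCha20-Poly1305 from node:crypto
// stands in for libsodium's XChaCha20-Poly1305 (which uses a 24-byte nonce).
const nodeCrypto = require('node:crypto');

const BASE = 'https://share.example'; // hypothetical service origin

// Sender: encrypt locally; return what gets uploaded and the link to hand over.
function createShare(secret, id) {
  const key = nodeCrypto.randomBytes(32);   // never leaves the client
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
  const blob = Buffer.concat([nonce, body, c.getAuthTag()]);
  return {
    upload: { id, blob: blob.toString('base64url') },       // all the server stores
    link: `${BASE}/s/${id}#${key.toString('base64url')}`,   // key sits after the #
  };
}

// What a browser requests for a link: path and query only, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: key from the fragment, blob from the server; decrypt and verify.
function openShare(link, blobB64) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const blob = Buffer.from(blobB64, 'base64url');
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const body = blob.subarray(12, blob.length - 16);
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  d.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in storage or transit.
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Constructed sample run.
const share = createShare('db-password-constructed-sample', 'abc123');
console.log('server sees    :', requestTarget(share.link), share.upload.blob.slice(0, 16) + '...');
console.log('recipient reads:', openShare(share.link, share.upload.blob));
```

Anything that copies the full link (chat previews, browser history, a pasted screenshot) copies the key with it, so the link itself is the secret until it is opened.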

What I can't do

I can't read your secret, and if you lose the link, I can't recover it. What I store is encrypted and I don't have the key. The FAQ covers more of the common questions.

When it ends

Once the link is opened, or the time or view limit is reached, the encrypted data is deleted.

On trust

The system is designed so trust isn't required. I don't have the key, so I can't read your secret.