Best Secret Sharing Tools Compared
Nine tools for sharing passwords, API keys, and files through one-time links. What each encrypts, where it encrypts, and what it costs.
Last updated: May 2026
What this page covers
Every tool on this list does the same thing at a surface level: you paste a secret, get a link, send it, and the secret self-destructs after the recipient reads it. The differences are underneath. Some encrypt in your browser before anything leaves your machine. Others send the plaintext to a server, encrypt it there, and hand it back when the link is opened.
That distinction matters. With server-side encryption, the server processes your secret in readable form. With client-side encryption, it never does. The comparison table below shows which tools fall on which side of that line.
What to look for
- Where encryption happens. Client-side means the server never sees plaintext. Server-side means it does, even if briefly.
- Whether the code is auditable. Open-source tools let you verify encryption claims. Closed-source tools ask you to trust them.
- File support. If you share .env files, SSH keys, or certificates, text-only tools force you to paste raw contents.
- Account requirements. Some tools require a login to create a link. Others let you paste and share without signing up.
- Self-hosting. Running the tool on your own infrastructure removes trust in a third-party server entirely.
Feature comparison
| Tool | Encryption | Algorithm | Open source | Files | Account | Self-host | Free tier |
|---|---|---|---|---|---|---|---|
| Client-side encryption (zero-knowledge) | |||||||
| 1time.io | Client-side | AES-256-GCM | Yes (MIT) | Yes (10 MB) | No | Yes | Free |
| Bitwarden Send | Client-side | AES-256 | Yes | Yes | Yes (sender) | Yes | Yes (all plans) |
| scrt.link | Client-side | AES-256-GCM | Yes (MIT) | Yes (10 MB free) | No | Yes | Yes |
| Secret.Broker | Client-side | XChaCha20-Poly1305 | No | Yes (20 MB) | No | No | Free |
| Yopass | Client-side | OpenPGP | Yes (Apache 2.0) | Yes | No | Yes | Free |
| Server-side encryption | |||||||
| OneTimeSecret | Server-side | Per-secret keys | Yes (MIT) | No | No | Yes | Yes |
| Password Pusher | Server-side | AES-256-GCM | Yes (Apache 2.0) | Yes (paid) | No | Yes | Yes |
| Privnote | Server-side | Undisclosed | No | No | No | No | Free |
| SafeNote | Claims E2E | Undisclosed | No | Yes | No | No | Free |
Client-side encryption
1time.io
Lightweight, developer-oriented secret sharing. Encrypts in the browser with AES-256-GCM using HKDF-SHA256 key derivation via the Web Crypto API. The encryption key stays in the URL fragment and never reaches the server. Supports text and file sharing up to 10 MB.
Open source under MIT. The backend is Go with Redis storage, deployable via Docker Compose. No account required, no paid tier. Minimal by design.
Bitwarden Send
Part of the Bitwarden password manager ecosystem. Encrypts with AES-256 client-side using a 128-bit secret key per Send, expanded via HKDF-SHA256. The encryption key is in the URL fragment. Recipients don't need an account to open the link.
Senders need a Bitwarden account (free tier works). Available on web, mobile, desktop, browser extensions, and CLI. File and text Sends are included on all plans. Open source. Self-hostable via the official deployment or Vaultwarden.
scrt.link
Swiss-hosted secret sharing with client-side AES-256-GCM encryption. The key is generated in the browser and embedded in the link fragment. Supports text, files, redirects, and visual formats (Snap, Neogram). Optional password protection adds an authentication layer.
Free tier includes text and files up to 10 MB. Paid plans from $1/month add API access, larger file limits (up to 100 GB on the top tier), and read receipts. Open source under MIT. Self-hostable via Docker.
Secret.Broker
Encrypts in the browser with XChaCha20-Poly1305 via libsodium before anything reaches the server. The decryption key goes into the URL fragment, which browsers never include in server requests. The server stores ciphertext it cannot decrypt.
Files up to 20 MB are compressed and encrypted with the same cipher. View limits from 1 to 25. Expiry from 15 minutes to 30 days. Paranoid mode splits the link and decryption key for two-channel delivery. No account, no ads, no tracking.
Not open source. The client-side code is inspectable via browser developer tools. The protocol page documents the full encryption stack. Not self-hostable.
Yopass
Self-hosting-first secret sharing. Encrypts client-side with OpenPGP. The decryption key never leaves the sender's and recipient's browsers. Supports text and file sharing with streaming encryption.
Free, open source under Apache 2.0. Docker, Docker Compose, and Kubernetes deployment. Read-only retrieval mode available. No accounts, no tracking. Active since 2014 with over 60 releases. Minimal interface by design.
Server-side encryption
OneTimeSecret
One of the original one-time secret tools. Uses server-side encryption with per-secret unique keys. Decryption keys are stored on application servers rather than in the database as a defense-in-depth measure. Passphrases are hashed with bcrypt.
Regional data storage across the EU, US, Canada, UK, and New Zealand. Compliance-oriented with SOC 2, GDPR, CCPA, and HIPAA positioning. Free tier includes one custom domain, 14-day expiry, and API access. Paid plans from EUR 35/month for branding and extended features. Open source under MIT. Self-hostable via Docker.
Password Pusher
The most feature-rich server-side option. Encrypts at rest with AES-256-GCM. Supports passwords, text, files, and URL pushing. View limits up to 100, expiry up to 90 days, audit logging, API, CLI, and browser extensions. Available in 31 languages.
Free for basic password sharing without an account. Premium at $19/month adds file attachments, branding, and auto-dispatch emails. Pro at $29/month adds team collaboration, custom domains, and white-labeling. Open source under Apache 2.0. Self-hostable on Docker, Kubernetes, Heroku, and other platforms.
Privnote
The most widely recognized name in one-time notes. Server-side encryption with an undisclosed algorithm. Closed source. Text only, single-view limit, ad-supported. No file attachments, no configurable expiry, no API.
Has a documented phishing clone problem. Because the interface is minimal, fake clones exist that log or modify note contents before delivery. Free, no account required. Not open source, not self-hostable.
SafeNote
Shares files and notes via self-destructing links. Also offers a secure email feature with attachments. Claims end-to-end encryption, but the specific algorithm and architecture are not publicly documented. The encryption model cannot be independently verified.
Free, no account required. Not open source. A purchasable script exists for self-hosting, but the code is not freely available. Includes file uploads and secure email delivery.
The line that matters
Every tool on this list creates a disposable link. The workflow is nearly identical. The difference is what the server can see while it holds your secret.
With server-side encryption, the server processes your secret in readable form, encrypts it, stores it, then decrypts and delivers it when the recipient opens the link. If the server is compromised at any point in that cycle, the plaintext is exposed.
With client-side encryption, the browser encrypts before upload. The server stores ciphertext without the key. Even a compromised server yields nothing readable.
Both approaches work. The question is where you want to place your trust.
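The client-side model described above, using the AES-256-GCM with HKDF-SHA256 scheme listed for 1time.io and Bitwarden Send, as an added Web Crypto example; it is not code from any tool on this list. The host `share.example`, the `/s/<id>` path, hex encoding, the random salt, and the HKDF info label are assumptions.

```javascript
// Added example: sender and recipient sides of a fragment-keyed one-time link.
// Host name, path layout, hex encoding and the HKDF info label are assumptions.
const te = new TextEncoder(), td = new TextDecoder();
const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Expand the short link secret into an AES-256-GCM key with HKDF-SHA256.
async function deriveKey(secret, salt) {
  const { subtle } = await webCrypto();
  const ikm = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: te.encode('one-time-link v1') },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Sender: encrypt locally, return the record to upload and the link to send.
async function createLink(plaintext, id) {
  const c = await webCrypto();
  const secret = c.getRandomValues(new Uint8Array(16)); // 128-bit link secret
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));     // 96-bit GCM nonce
  const key = await deriveKey(secret, salt);
  const ct = new Uint8Array(
    await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, te.encode(plaintext)));
  // Only this object goes to the server: no secret, no derived key, no plaintext.
  const upload = { id, salt: toHex(salt), iv: toHex(iv), ciphertext: toHex(ct) };
  return { upload, link: `https://share.example/s/${id}#${toHex(secret)}` };
}

// What an HTTP request for the link carries: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: take the stored record for the id and decrypt with the fragment secret.
async function openLink(link, stored) {
  const { subtle } = await webCrypto();
  const key = await deriveKey(fromHex(new URL(link).hash.slice(1)), fromHex(stored.salt));
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: fromHex(stored.iv) }, key, fromHex(stored.ciphertext));
  return td.decode(pt); // rejects if the secret is wrong or the ciphertext was altered
}
```

The guarantee covers what the server stores and receives. It also depends on the browser running unmodified encryption code, which is what open-source and self-hosted options let you check.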
Common questions
Which tool is the most secure?
Security depends on the threat model. If you don't want the server to see your secret at all, use a tool with client-side encryption. If you need compliance certifications and regional data residency, a server-side tool like OneTimeSecret may fit better. If you want full control, self-host an open-source option.
Should I self-host?
Self-hosting removes trust in a third-party server. It also means you handle updates, uptime, and key management. If your team has the infrastructure experience and the threat model justifies it, self-hosting an open-source tool is the strongest trust position. If not, a client-side encryption tool shifts most of the risk without the ops burden.
What about password managers with sharing features?
Password managers like Bitwarden and 1Password have built-in sharing. Bitwarden Send is on this list because it works as a standalone one-time link tool. Full-vault password managers are designed for persistent credential storage and team sharing, which is a different use case from disposable one-time links.
Are free tools safe to use?
Free doesn't mean insecure. Several tools on this list are free and open source with well-documented encryption. The question is what funds the free tier. Ad-supported tools run third-party scripts on the page where you paste your secret. Open-source community projects and freemium tools avoid that problem.