Yopass Alternative: Managed Secret Sharing with XChaCha20
Yopass is built for self-hosting. Secret.Broker is managed so you don't run anything.
How Yopass works
Yopass encrypts your secret in the browser using OpenPGP with AES-256 via the openpgp.js library. The decryption key is part of the URL fragment, so the server only stores ciphertext. It's a zero-knowledge architecture. The server handles storage and expiry but can't read what's stored.
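The flow described above, as an added example that is not taken from Yopass or Secret.Broker. It shows that the key in the URL fragment never appears in the request the server receives. Assumptions: scrypt and AES-256-GCM from Node's crypto module stand in for the OpenPGP passphrase encryption, and the link layout, the share.example host and the in-memory store are hypothetical.

```javascript
// Added illustration, not Yopass or Secret.Broker code. scrypt + AES-256-GCM stand in
// for the OpenPGP passphrase encryption; the link layout and host are hypothetical.
const nodeCrypto = require('node:crypto');

const store = new Map(); // plays the server: id -> ciphertext blob, nothing else

function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

// Sender side: encrypt locally, upload only the blob, keep the passphrase in the fragment.
function createLink(secret, base = 'https://share.example') {
  const passphrase = nodeCrypto.randomBytes(16).toString('base64url'); // 22 characters
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const id = nodeCrypto.randomUUID();
  store.set(id, Buffer.concat([salt, iv, cipher.getAuthTag(), body]));
  return `${base}/s/${id}#${passphrase}`;
}

// What an HTTP client sends for this link: path and query only, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient side: fetch the blob by id, then decrypt locally with the fragment.
function openLink(link) {
  const u = new URL(link);
  const id = u.pathname.split('/').pop();
  const blob = store.get(id);
  if (!blob) throw new Error('secret expired or already viewed');
  store.delete(id); // one-time view: the server drops the ciphertext on first read
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const key = deriveKey(u.hash.slice(1), salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // a wrong key or modified blob makes final() throw
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
}
```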
The project has been active since 2014. It's open source under the Apache 2.0 license with over 2,700 GitHub stars. The backend is written in Go and the frontend uses React. Organizations including Spotify have used it internally.
The self-hosting advantage
Yopass is designed to run on your own infrastructure: Docker, Docker Compose, Kubernetes, Helm charts, or a standalone Go binary. Storage backends include Memcached and Redis for secrets, with disk or S3 options for file storage.
If your security policy requires that secrets never leave your network, self-hosting is the answer. You control the servers, the storage, the retention, and the access logs. No third party involved. For teams with strict compliance requirements or air-gapped environments, that matters.
There's also a hosted demo at yopass.se, but the project recommends self-hosting for sensitive use.
The self-hosting cost
Running Yopass means maintaining infrastructure. You need a server, a Memcached or Redis instance, TLS certificates, Docker image updates, and monitoring. If the Memcached instance fills up or Redis goes down, secrets become unavailable. If you forget to update, you're running old dependencies.
For teams that already operate their own infrastructure and have the capacity to maintain another service, this is fine. For teams that want to share a credential with a contractor without standing up a stack, it's overhead.
Where the tools differ
The core difference is operational. Yopass is self-hosted. Secret.Broker is managed. You don't run servers, update images, or maintain storage backends.
The encryption is different too. Yopass uses OpenPGP with AES-256. The current key derivation uses iterated SHA-256 (S2K type 3) with an auto-generated 22-character passphrase. An upgrade to Argon2-based derivation is in progress. Secret.Broker uses XChaCha20-Poly1305 with Argon2id key derivation. See the protocol page for details.
Yopass defaults to 1 MB file uploads (limited by Memcached). With disk or S3 backends you can raise that limit, but it requires configuration. Secret.Broker supports files up to 20 MB out of the box.
Yopass offers one-time or unlimited views with expiry at 1 hour, 1 day, or 1 week. Secret.Broker offers view limits from 1 to 25 with expiry from 15 minutes to 30 days. Secret.Broker's paranoid mode splits the link and decryption key for two-channel delivery.
When to use each
If your team needs secrets to stay on your own network and you have the infrastructure capacity, Yopass is a solid choice. It's mature, well-maintained, and the self-hosting documentation is thorough. The CLI tool is useful for scripting and CI/CD pipelines.
If you want to send someone a credential without running anything, Secret.Broker handles the infrastructure. Your browser does the encryption. The server stores ciphertext it can't read. When the link is opened or the time runs out, the data is deleted.
See sharing passwords for the full walkthrough, or onboarding credentials for the contractor scenario.
Feature comparison
- Yopass: client-side OpenPGP (AES-256), open source (Apache 2.0), self-hosted, Docker / K8s / Helm / binary, Memcached or Redis, files 1 MB default (configurable), one-time or unlimited views, expiry 1h / 1d / 1w, CLI tool, multi-language UI
- Secret.Broker: client-side XChaCha20-Poly1305, managed service, files up to 20 MB, view limits 1-25, expiry 15 min to 30 days, paranoid mode, no account, no infrastructure
For a broader look at how secret-sharing tools compare, see the alternatives comparison.
Common questions
Is Yopass secure?
Yes. Yopass uses client-side encryption with OpenPGP (AES-256) via the openpgp.js library, which has been audited by Cure53. The server stores only ciphertext and doesn't have the decryption key. The code is open source under the Apache 2.0 license with over 2,700 GitHub stars and 12 years of active development.
Can I self-host Yopass?
Yes. Yopass supports Docker, Docker Compose, Kubernetes, Helm charts, and a standalone Go binary. Storage backends include Memcached and Redis for secrets, with local disk or S3-compatible services for file storage. The documentation covers each deployment option.
What's the difference between Yopass and Secret.Broker?
Yopass is self-hosted. You run the servers and maintain the infrastructure. Secret.Broker is managed. Your browser encrypts the secret with XChaCha20-Poly1305 and the server stores ciphertext it can't read. Secret.Broker also supports files up to 20 MB, configurable view limits, and paranoid mode for split-key delivery.
Does Yopass support file sharing?
Yes. Files are encrypted client-side with streaming encryption. The default limit is 1 MB, constrained by Memcached. Using disk or S3 storage backends and adjusting the --max-file-size flag allows larger files.