Secrets

How It Works

Overview

Secrets uses end-to-end encryption to ensure your sensitive data is never exposed. The encryption happens entirely in your browser. The server only stores encrypted blobs it cannot decrypt.

Step-by-Step Process

Creating a Secret

  1. You paste your secret. It stays in your browser.
  2. Generate encryption key. A random 256-bit AES key is generated in your browser using the Web Crypto API.
  3. Encrypt locally. Your secret is encrypted using AES-256-GCM. A unique IV (initialization vector) is generated for each secret.
  4. Upload ciphertext. Only the encrypted blob is sent to the server. The server cannot decrypt it.
  5. Get shareable link. The link contains the token (server-side identifier) and the encryption key (client-side, never sent to server).

Viewing a Secret

  1. Recipient clicks link. The token and key are parsed from the URL fragment (#).
  2. Fetch ciphertext. The browser requests the encrypted blob from the server using the token.
  3. Server deletes after retrieval. The encrypted data is immediately deleted from the database after being sent.
  4. Decrypt in browser. The encryption key (from the URL fragment) is used to decrypt the ciphertext locally.
  5. Display secret. The plaintext is shown only to the recipient.

Client-Side Responsibilities

  • Generating encryption keys
  • Encrypting and decrypting all secrets
  • Keeping the encryption key in the URL fragment (never sent to server)

Server-Side Responsibilities

  • Storing encrypted ciphertext temporarily
  • Deleting secrets after retrieval or expiration
  • Enforcing TTL (time-to-live) limits
  • Providing encrypted blobs on request (one-time only)

Why URL Fragments Matter

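The encryption key is placed in the URL fragment (the part after #). Browsers do not include the fragment in HTTP requests, so the key is never sent to the server and only your browser sees it. This is what makes the architecture zero-knowledge: the server holds ciphertext but never the key needed to decrypt it.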

Encryption Details

  • Algorithm: AES-256-GCM
  • Key size: 256 bits (32 bytes)
  • IV size: 96 bits (12 bytes), randomly generated per secret
  • Key derivation: Direct random generation via Web Crypto API
  • Encoding: Base64URL for URL-safe transmission
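
The create and view steps above, with the parameters listed here, as an added example (not the service's own code). The function names, the in-memory Map standing in for the server, the secrets.example origin, the "#<token>.<key>" fragment layout and the IV-prepended blob layout are all assumptions.

```javascript
// Added example, not the service's own code. Assumptions: blob = IV || ciphertext,
// fragment = "#<token>.<key>", and an in-memory Map stands in for the server.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browsers, current Node
const b64u = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) => {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};

const store = new Map(); // constructed stand-in for the server: token -> encrypted blob
const serverPut = (blob) => {
  const token = b64u(wc.getRandomValues(new Uint8Array(16)));
  store.set(token, blob);
  return token;
};
const serverTake = (token) => { // one-time retrieval: delete as soon as it is read
  const blob = store.get(token);
  store.delete(token);
  return blob;
};

async function createSecret(plaintext, origin = "https://secrets.example") {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per secret
  const data = new TextEncoder().encode(plaintext);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
  const token = serverPut(new Uint8Array([...iv, ...ct])); // only ciphertext is uploaded
  const rawKey = new Uint8Array(await wc.subtle.exportKey("raw", key));
  return `${origin}/#${token}.${b64u(rawKey)}`; // key lives only in the fragment
}

async function viewSecret(link) {
  const [token, keyB64] = new URL(link).hash.slice(1).split(".");
  const blob = serverTake(token);
  if (!blob) throw new Error("secret not found or already viewed");
  const key = await wc.subtle.importKey("raw", unb64u(keyB64), { name: "AES-GCM" }, false, ["decrypt"]);
  // GCM authenticates the ciphertext: a wrong key or a modified blob makes decrypt() reject.
  const iv = blob.slice(0, 12);
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}
```

In this sketch the blob is deleted before decryption is attempted, so a link with a wrong key still consumes the secret.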

What We Don't Do

  • We don't store plaintext secrets
  • We don't log IP addresses
  • We don't track users
  • We don't decrypt your data
  • We don't have access to encryption keys