  • How zero-knowledge secret sharing works

    Erseni Vault is a zero-knowledge tool. Plaintext never leaves your browser unencrypted. Our server only ever sees ciphertext plus a short-lived token.

    In three sentences

    Plaintext stays in your browser.

    The server stores only encrypted data.

    The key travels in the link fragment and never reaches us.

    01 Sending a secret

    1. You paste a secret in your browser.
    2. Your browser generates a fresh AES-GCM-256 key and encrypts the secret.
    3. We store only the ciphertext, tagged with a random token and an expiry.
    4. The URL you share contains the token in the path and the encryption key in the URL fragment (after the #).
    5. The fragment is never sent to our server. Only the recipient's browser sees it.
    6. When the recipient opens the link, their browser fetches the ciphertext, decrypts it locally, and we delete the record.

    02 Requesting a secret

    1. You create a request. Your browser generates an X25519 keypair. Only the public key is uploaded.
    2. You get two links. One to share with the sender, one retrieval link for yourself. Your private key lives only in the retrieval link's fragment.
    3. The sender opens their link, pastes the secret. Their browser derives a shared secret via X25519 and HKDF-SHA256, then encrypts with AES-GCM-256.
    4. The server stores only the ciphertext, the sender's ephemeral public key, and the nonce.
    5. You open your retrieval link. Your browser derives the same shared secret, decrypts, and the server deletes the record.

    03 Why zero-knowledge

    A compromised server, a nosy employee, or a lawful-intercept order cannot read your secret. We never hold the key.

    URL fragments are not transmitted in HTTP requests; they live only in the browser's address bar. That is why we put the key there.

    Secrets self-destruct after one successful read or when the lifetime expires. Either way, the ciphertext is deleted from our database.

    Verify the code

    The backend and the browser crypto are open source. Read the code, run it locally, or host your own instance.

    Source code: gitlab.erseni.net/open-source/secrets-component

    Architecture notes and threat model: docs/architecture.md

    Browser crypto uses the native window.crypto.subtle API. No third-party crypto library.

    Glossary

    AES-GCM-256: A symmetric encryption algorithm using a 256-bit key. GCM mode provides both confidentiality and authentication, so any tampering with the ciphertext causes decryption to fail.

    X25519: A modern key agreement algorithm. Two parties each generate a keypair, exchange public keys, and independently derive a shared secret that no one else can compute without one of the private keys.

    HKDF-SHA256: A key derivation function. It turns a shared secret (from X25519) into a uniform, fixed-length key suitable for AES-GCM.

    URL fragment: The part of a URL after the # symbol. Browsers keep fragments local and never send them in HTTP requests. That is why we put encryption keys there.

    Zero-knowledge: An architecture where the server cannot read user data even if it wanted to. Only the client holds the keys needed to decrypt.

    © 2026 Erseni Ltd. Zero-knowledge by design.