Encrypted Pastebin – One-Time Secret Sharing

E2EE · Burn-After-Read · Zero-Knowledge
Create Encrypted Secret
Your secret is encrypted in your browser before upload. You get a URL and password — share them via different channels.
We email only the URL — share the password separately.
Encrypted with AES-256-GCM before upload.
Reminder: only share secrets you're authorized to transmit. Never share your master passwords or 2FA recovery codes.

How It Works

Process

  1. Encrypt locally. Your browser runs AES-256-GCM on the secret before any network call.
  2. Upload ciphertext. Only encrypted bytes leave your machine.
  3. Receive URL + password. A short link and a 16-character random password.
  4. Share separately. Send the URL by email and the password by Slack/SMS.
  5. Recipient views. They open the link, click reveal, and paste the password; the browser then decrypts.
  6. Burns. By default the link is single-use and is deleted from the database on first reveal.

Security Properties

  • AES-256-GCM: authenticated encryption with 256-bit keys.
  • Client-side only: Web Crypto API; no plaintext or password ever leaves your browser.
  • Random IV: fresh 96-bit IV per encryption, prepended to ciphertext.
  • CSPRNG password: crypto.getRandomValues.
  • Atomic burn: single conditional SQL UPDATE enforces the view cap race-free.
  • Generic 410 on miss: expired vs. burned vs. invalid all return the same response — no shortcode-guessing oracle.

Real-World Use Cases

DevOps & IT

  • SSH private keys
  • API keys for cloud services
  • DB credentials for contractors
  • Kubernetes secrets

Remote Work

  • VPN credentials
  • Temporary passwords for new hires
  • Wi-Fi passwords
  • 2FA backup codes

Client Communications

  • FTP/SFTP credentials
  • CMS admin passwords
  • License/activation keys
  • Client portal accounts

Security & Compliance

  • Incident-response credentials
  • Encryption keys
  • Audit reports with sensitive findings
  • Compliance doc passwords

Best Practices

Do

  • Use separate channels for URL and password.
  • Verify recipient identity before sharing.
  • Send when the recipient is ready to act.
  • Test once with a non-sensitive value if unsure.
  • Clear original plaintext from your clipboard after sharing.

Don't

  • Share your password-manager master password here.
  • Send URL + password in the same message.
  • Use this for long-lived credentials.
  • Share 2FA recovery codes — store them, don't transmit.

FAQ

How do I send a password securely over email?

Don't put the password in the email itself. Use a one-time encrypted link: paste the password here, get a short URL and a separate random password, then email the URL and send the password through a different channel (Slack, SMS, phone). The link self-destructs after the first view.

What is a one-time secret?

A one-time secret is an encrypted message stored at a short URL that can be opened only once. After the first read the server deletes the record and any later visit returns 410 Gone. It's the standard way to share passwords, API keys, and credentials without leaving them in chat history or inboxes.

How does burn-after-read work?

When the recipient clicks Reveal, the server atomically increments a view counter and — if the configured cap (default 1) is reached — deletes the database record before serving the ciphertext. Any subsequent visit returns a generic 410 Gone, so the secret cannot be replayed.

What's the safest way to share API keys with a teammate?

Generate a one-time encrypted link, set view cap to 1 (burn after read), email the URL, and send the random password through Slack or SMS. Rotate the key after they confirm receipt. Never paste API keys into a chat message, ticket, or git commit — those persist forever.

How long does the secret link last?

You choose: 5 minutes, 1 hour, 24 hours (default), or 7 days. Whichever happens first — expiry timeout or view cap — destroys the secret. Recipients see a generic 'no longer available' message after that; expired, burned, and invalid all return the same 410 response to avoid a shortcode-guessing oracle.
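
The reveal logic described in the two answers above (view cap, expiry, one indistinguishable 410), as an added example that is not this site's code. It models the conditional UPDATE with an in-memory Map so it runs without a database; the function names, the 410 body, and the SQL table and column names in the comment are assumptions.

```javascript
// Added example: in-memory model of the reveal endpoint. Names are hypothetical.
// With a SQL store, claimView would be one conditional statement, e.g.
//   UPDATE secrets SET views = views + 1
//    WHERE code = ? AND views < max_views AND expires_at > ?
// (table and column names are assumptions); zero rows updated means "miss".
const GONE = Object.freeze({ status: 410, body: "Gone" });

function createStore() { return new Map(); }

function putSecret(store, code, ciphertext,
                   { maxViews = 1, ttlMs = 24 * 3600 * 1000, now = Date.now() } = {}) {
  store.set(code, { ciphertext, views: 0, maxViews, expiresAt: now + ttlMs });
}

// Check and increment happen in one synchronous step, standing in for the
// single UPDATE: nothing can run between reading `views` and writing it back.
function claimView(store, code, now) {
  const row = store.get(code);
  if (!row || row.views >= row.maxViews || now >= row.expiresAt) return null;
  row.views += 1;
  return row;
}

function reveal(store, code, now = Date.now()) {
  const row = claimView(store, code, now);
  if (!row) {
    store.delete(code); // purge an expired row on touch; no-op if absent
    return GONE;        // same response for invalid, expired and burned
  }
  const ciphertext = row.ciphertext;
  if (row.views >= row.maxViews) store.delete(code); // burn before responding
  return { status: 200, body: ciphertext };
}
```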

Is this a free OneTimeSecret or PrivateBin alternative?

Yes. Same core model as OneTimeSecret and PrivateBin — encrypted one-time links — but free, with no signup, no email required, no rate limits, and AES-256-GCM via the browser's native Web Crypto API. The server only ever sees ciphertext.

Is it actually end-to-end encrypted?

Yes. Encryption runs in your browser with AES-256-GCM before any network call. A 16-character random password is hashed with SHA-256 to derive the AES key, a fresh 96-bit IV is generated per encryption, and only the ciphertext + IV are uploaded. The server never sees plaintext or password.
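
The scheme described above, written against the Web Crypto API as an added example that is not this site's own code. The 62-character password alphabet, the function names and the Node fallback on the first line are assumptions; the key derivation, IV size and IV-prepended layout follow the description on this page.

```javascript
// Added example; alphabet and function names are assumptions, not the site's code.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// 16-character password from the CSPRNG. Bytes >= 248 are rejected so that
// `byte % 62` stays uniform (248 is the largest multiple of 62 below 256).
function generatePassword(length = 16) {
  let out = "";
  while (out.length < length) {
    for (const b of wc.getRandomValues(new Uint8Array(32))) {
      if (b < 248 && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}

// Key = SHA-256(password). One hash pass is not a stretching KDF; it is only
// sound because the password is machine-generated, never user-chosen.
async function deriveKey(password) {
  const digest = await wc.subtle.digest("SHA-256", new TextEncoder().encode(password));
  return wc.subtle.importKey("raw", digest, { name: "AES-GCM" }, false,
    ["encrypt", "decrypt"]);
}

// Returns the upload blob: 12-byte IV || ciphertext || 16-byte GCM tag.
async function encryptSecret(plaintext, password) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv },
    await deriveKey(password), new TextEncoder().encode(plaintext));
  const blob = new Uint8Array(12 + ct.byteLength);
  blob.set(iv, 0);
  blob.set(new Uint8Array(ct), 12);
  return blob;
}

// Splits the IV off the front and decrypts. A wrong password or any modified
// byte fails the GCM tag check and rejects instead of returning garbage.
async function decryptSecret(blob, password) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: blob.slice(0, 12) },
    await deriveKey(password), blob.slice(12));
  return new TextDecoder().decode(pt);
}
```

Because decryption rejects on a failed tag check, the recipient's page can treat any rejection as "wrong password or corrupted link" without inspecting the error.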

Do I need an account to use it?

No. No account, no email required (optional notification only), no tracking on the secret view page, and no limit on the number of secrets you can create. Just paste, share, done.

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.