End-to-end encrypted secret sharing. Zero trust required.
Send passwords, API keys, and sensitive text to anyone β encrypted in your browser before it ever touches a server. The passphrase never leaves your device.
π Try it live
Most secret-sharing tools ask you to trust that the server isn't logging your data. This one doesn't. Here's why:
Every line of source code is public. This app is built on Val Town, where the code that runs the server is the code you can read β no hidden build steps, no compiled bundles, no deploy pipeline that could inject anything. What you see at stevekrouse/secret-share is exactly what runs when you use the app.
That means you can verify:
- β
The passphrase is never sent to the server β check
client/app.tsxandshared/crypto.ts - β
The server only stores ciphertext, IV, and salt β check
server/db.ts - β
The API never receives or returns plaintext β check
main.ts - β Encryption uses AES-256-GCM with PBKDF2 key derivation (600K iterations, SHA-256) via the Web Crypto API β no homebrew crypto
- β
The client-side code served to your browser is the same source file from this repo, transpiled by
esm.townwith no bundler in between
Even the app's author cannot read your secrets. The database contains only encrypted noise without the passphrase.
Rendering mermaid diagram...
| Layer | Detail |
|---|---|
| Encryption | AES-256-GCM (authenticated encryption) |
| Key Derivation | PBKDF2 with SHA-256, 600,000 iterations |
| Salt | 128-bit random per secret |
| IV | 96-bit random per secret |
| Passphrase | User-supplied or auto-generated, never transmitted |
| Server storage | Ciphertext + IV + salt only β no plaintext, no passphrase, no key material |
| Expiry | Configurable: 1 hour β 30 days (default 1 week) |
| Deletion | Receiver can destroy immediately after reading |
secret-share/
βββ main.ts # Hono HTTP routes + API endpoints
βββ server/
β βββ db.ts # SQLite CRUD (stores only ciphertext)
β βββ render.tsx # Server-side React rendering
βββ client/
β βββ app.tsx # React UI (create + reveal views)
β βββ hydrate.tsx # Client-side hydration
βββ shared/
βββ types.ts # Shared TypeScript interfaces
βββ crypto.ts # AES-256-GCM encrypt/decrypt (Web Crypto API)
- Runtime: Val Town (Deno)
- Server: Hono
- UI: React 18 (SSR + hydration, JSX only β no HTML/CSS/JS strings)
- Styling: Twind (Tailwind-in-JS)
- Database: Val Town SQLite
- Crypto: Web Crypto API (built into every modern browser and Deno)
- Create: Enter your secret β passphrase is auto-generated (or type your own) β click "Encrypt & Create Link"
- Share: Copy the link and passphrase β send them via different channels (e.g. link in Slack, passphrase in a text message)
- Receive: Open the link β enter the passphrase β read the secret
- Destroy: Click "Delete This Secret Now" to remove it before expiry