One-time encrypted password/secret sharing
FlashPaper
A one-time encrypted zero-knowledge password/secret sharing application focused on simplicity and security. No database or complicated set-up required.
Demo
Installation
Docker (Recommended)
The latest release of FlashPaper is available at ghcr.io/andrewpaglusch/flashpaper.
- docker-compose.yml with your customizations
- docker-compose up -d to start FlashPaper
Building an Image
You can build your own image using the provided Dockerfile in the docker/ folder. There are currently two:
- docker/Dockerfile
- docker/arm.Dockerfile
In order to build FlashPaper, run docker build . -t flashpaper -f docker/Dockerfile. If you would like to build FlashPaper for a different CPU architecture, replace docker/Dockerfile with the appropriate Dockerfile.
You can also build via docker-compose by replacing the image: line in docker-compose.yml with the following (make sure to choose the Dockerfile for your architecture):
    build:
      context: .
      dockerfile: docker/Dockerfile
Traditional
Requirements: PHP 7.0+ and a web server
- settings.example.php to settings.php and make customizations to that file
How It Works
Submitting Secret
- <random>--secrets.sqlite sqlite database created (if it doesn't already exist)
- <random>--aes-static.key randomized 256-bit AES static key created (if one doesn't exist already)
- k )
- prune->min_days/max_days
- k value returned to user in one-time URL
Retrieving Secret
- k value removed from URL
- k value split into two parts: ID and AES key
- k
- k bcrypt hash compared against bcrypt hash from DB (prevents tampering of URL)
- k and IV
Submitting Secrets via the API (with curl)
FlashPaper can accept secret submissions through a simple API. The retrieval URL will be returned in a JSON object.
Here's what it looks like to submit a secret with curl:
$ curl -s -X POST -d "secret=my secret&json=true" https://flashpaper.io
{"url":"https://flashpaper.io/?k=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
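What the k value in the returned URL carries, following the How It Works steps above (an ID plus an AES key, checked against a stored bcrypt hash before anything is decrypted), sketched in PHP as an added example; this is not FlashPaper's own code. The ID and key sizes, hex encoding, AES-256-CBC, the function names and the array standing in for the sqlite database are assumptions, and the static key layer is left out.

```php
<?php
// Added sketch, not FlashPaper's code. Assumed: sizes, hex encoding,
// AES-256-CBC, and an array standing in for the sqlite database.
const ID_BYTES  = 4;   // lookup ID, 8 hex chars
const KEY_BYTES = 32;  // 256-bit AES key, 64 hex chars
// k is 72 hex chars in total. bcrypt ignores input past 72 bytes, so a
// longer k would leave its tail outside the tamper check.

function submit_secret(array &$store, string $secret): string
{
    do {
        $id = bin2hex(random_bytes(ID_BYTES));
    } while (isset($store[$id]));
    $key = random_bytes(KEY_BYTES);
    $iv  = random_bytes(16);
    $k   = $id . bin2hex($key);
    $store[$id] = [
        'iv'   => $iv,
        'hash' => password_hash($k, PASSWORD_BCRYPT),
        'ct'   => openssl_encrypt($secret, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv),
    ];
    return $k; // goes into the one-time URL; the key itself is never stored
}

function retrieve_secret(array &$store, string $k)
{
    if (strlen($k) !== 2 * (ID_BYTES + KEY_BYTES) || !ctype_xdigit($k)) {
        return null;
    }
    $id = substr($k, 0, 2 * ID_BYTES);
    if (!isset($store[$id]) || !password_verify($k, $store[$id]['hash'])) {
        return null; // unknown ID or altered k: nothing is decrypted or deleted
    }
    $row = $store[$id];
    unset($store[$id]); // one-time: the record is gone before the secret is returned
    $key = hex2bin(substr($k, 2 * ID_BYTES));
    $pt  = openssl_decrypt($row['ct'], 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $row['iv']);
    return $pt === false ? null : $pt;
}

$store = [];
$k = submit_secret($store, 'constructed sample secret');
$tampered = $k;
$tampered[71] = ($k[71] === '0') ? '1' : '0'; // change the last hex digit of the key part
var_dump(retrieve_secret($store, $tampered)); // altered k
var_dump(retrieve_secret($store, $k));        // first read with the real k
var_dump(retrieve_secret($store, $k));        // second read with the same k
```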
Settings
prune:
- enabled: Turn on/off auto-pruning of old secrets from the database upon page load
- min_days/max_days: When a secret is submitted, a random date/time is generated between min_days and max_days in the future. After that date/time has elapsed, the secret will be pruned from the database if enabled is set to true. This is to prevent your database from being filled with secrets that are never retrieved. NOTE: Even if enabled is set to false, the prune value will still be generated and stored in the database, but secrets will not be pruned unless enabled is switched to true.
base_url:
FlashPaper will try to generate the secret retrieval URL based on information provided by the upstream webserver. This process isn't always 100% accurate. If the secret retrieval URL that FlashPaper creates isn't correct for your setup (this usually happens when you're using a reverse proxy upstream), you can manually specify the URL that FlashPaper will use. For example: A base_url of "https://foo.com/flashpaper" will result in retrieval URLs like "https://foo.com/flashpaper/?k=xxxxxxxxxxxxx".
Donations
PayPal: https://paypal.me/AndrewPaglusch
BitCoin: 1EYDa33S14ejuQGMhSjtBUmBHTBB8mbTRs
Donations are not expected, but they are very appreciated!