A one-time encrypted zero-knowledge password/secret sharing application focused on simplicity and security. No database or complicated set-up required.
The latest release of FlashPaper is available at ghcr.io/jarodparamsp/flashpaper
.
- Download docker-compose.yml from this repo
- Edit
docker-compose.yml
with your customizations - Run
docker-compose up -d
to start FlashPaper - Set up a reverse-proxy in front of FlashPaper that terminates SSL/TLS
Requirements: PHP 7.0+ and a web server
- Download and extract the latest release of FlashPaper to the document root of your web server
- Copy
settings.example.php
tosettings.php
and make customizations to that file - Disable access logging in your web server's configuration so nothing sensitive (IP addresses, user agent strings, timestamps, etc) are logged to disk
<random>--secrets.sqlite
sqlite database created (if it doesn't already exist)<random>--aes-static.key
randomized 256-bit AES static key created (if one doesn't exist already)- Random 256-bit AES key created
- Random 128-bit IV created
- Random 64-bit ID created
- ID + AES key hashed with bcrypt
- Submitted text encrypted with AES-256-CBC using AES key and random IV
- Ciphertext now encrypted with AES-256-CBC using static AES key and random IV
- ID and AES key joined (known as
k
) - Random prune date/time generated using
prune
->min_days
/max_days
- ID, IV, bcrypt hash, ciphertext, and prune epoch stored in DB
k
value returned to user in one-time URL
k
value removed from URLk
value split into two parts: ID and AES key- IV, bcrypt hash, ciphertext looked up in DB with ID from
k
k
bcrypt hash compared against bcrypt hash from DB (prevents tampering of URL)- Ciphertext decrypted with static AES key and IV
- Ciphertext decrypted with AES key from
k
and IV - Entry deleted from DB
- Decrypted text sent to user
FlashPaper can accept secret submissions through a simple API. The retrieval URL will be returned in a JSON object.
Here's what it looks like to submit a secret with curl
:
$ curl -s -X POST -d "secret=my secret&json=true" https://secret.paramsp.com
{"url":"https://secret.paramsp.com/?k=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
enabled
: Turn on/off auto-pruning of old secrets from the database upon page loadmin_days
/max_days
: When a secret is submitted, a random date/time is generated betweenmin_days
andmax_days
in the future. After that date/time has elapsed, the secret will be pruned from the database ifenabled
is set totrue
. This is to prevent your database from being filled with secrets that are never retrieved. NOTE: Even ifenabled
is set tofalse
, the prune value will still be generated and stored in the database, but secrets will not be pruned unlessenabled
is switched totrue
.
Encrypt MSG will try to generate the secret retrieval URL based on information provided by the upstream webserver. This process isn't always 100% accurate. If the secret retrieval URL that Encrypt Msg creates isn't correct for your setup (this usually happens when you're using a reverse proxy upstream), you can manually specify the URL that Encrypt Msg will use. For example: A base_url
of "https://paramsp.com/encryptmsg" will result in retrieval URLs like "https://paramsp.com/encryptmsg/?k=xxxxxxxxxxxxx".