🔐 Share end-to-end encrypted secrets with others via a one-time URL


If you use this repo, star it ✨



Use it to securely share API keys, signing secrets, passwords, etc. with third parties or with your teams.

Secrets are destructed 💥 once viewed, or after the specified expiry.


Install

Homebrew

The recommended way to install ots on macOS is via Homebrew.

brew install sniptt-official/ots/ots

NOTE: We need 30 forks, 30 watchers, and 75 stars to make it to Homebrew/core. Please help us get there 👀 !

Go

go get -u github.com/sniptt-official/ots

Manual

For manual installation instructions on macOS and Linux, please refer to the dedicated install docs.

Usage

Prompt

$ ots new -x 2h
Enter your secret: 

Pipeline

You can also use pipes, for example:

$ pbpaste | ots new

or

$ cat .env | ots new

Security

Why should I trust you with my secrets?

All secrets are encrypted end-to-end, which means the plaintext values never leave your device. We do not log, track, share, or store the encryption key that protects your secret. You can check the client code to learn more about how we create the encryption key as well as what data is being sent to our servers.

Is sharing via URL really secure?

Secrets created using the ots new command are what we refer to as "one-time secrets". Once they are retrieved by the recipient, they can no longer be viewed, even if someone gets hold of the URL. Furthermore, each one-time secret is automatically deleted after the specified duration if not viewed. By default, this is 24 hours, but you can change this as required, for example ots new -x 2h.

It goes without saying that URL-accessible one-time secrets should be shared with intended recipients only.

Can I persist my secrets for later use?

Please use the snip-cli instead.

License

See LICENSE

Owner
Sniptt
Securely share secrets without leaving your terminal
Comments
  • Don't change the indentation of secrets

    Thanks for the interesting tool!

    I want to store yaml and json data exactly as they are without changes to their indentation:

    {
      "foo": "bar"
    }
    

    Indentation in json is not very important, but can become ugly when the json data is larger.

    version: v1alpha1
    metadata:
      name: secret-data
    spec:
      data:
        - hello world
    

    Expected

    The expected outcome is that I get the same data back, without change in indentations. Especially yaml should stay exactly the same because the syntax depends on indentation.

    Actual result

    {
    "foo": "baar"
    }
    
    version: v1alpha1
    metadata:
    name: secret-data
    spec:
    data:
    - hello world
    

    It might be that the fault lies in the underlying encryption package.

  • Add option to password-protect the encryption key

    An interesting optional feature would be to protect the encryption key using a password. The recipient would have to enter the password on the web page, the decryption still fully client-side.

    It could be done using derivation directly, stretching the password to derive the encryption key. But that would undermine the encryption security, making the cyphertext as weak/strong as the password. Another approach is to derive a KEK from the password, wrapping the fully random encryption key. This way the cyphertext is not impacted, and the security level of the password is kept client-side.

  • feat(api): support regional endpoints

    ots new now produces:

    Your secret is now available on the below URL.
    
    https://ots.sniptt.com/view/0U5dcqD0ivNHExLV?ref=ots-cli&region=us-east-1&v=debug#cC2PYfuJYp2yRXV_myg3FXMUlralJORIVlUNdm8_KcA=
    
    You should only share this URL with the intended recipient.
    
    Please note that once retrieved, the secret will no longer
    be available for viewing. If not viewed, the secret will
    automatically expire at approximately 18 Aug 2021 22:19:41.
  • Do not hardcode API url in `api/client/client.go`

    Ideally, this would be configurable, I assume should be possible via ENV var and/or flag during build.

    Might also make sense to make this configurable by the user, however that would be a separate issue.

  • fix(uri): use fragment in generated uri

    • update the generated URI to use fragment (addresses #1) - backwards compatible due to recent updates to the web project
    • minor style changes/fixes
    • use term directly as opposed to going through x/crypto/ssh
  • Encryption key should leverage URI Fragment

    The fragment part of the URI is not sent over the network to the server. That would ensure the key is never seen by your servers.

    The following statement would then not be needed anymore by design, as the client code is auditable.

    We do not log, track, share, or store the encryption key that protects your secret.
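
The fragment behaviour the last comment relies on, as an added Go example that is not code from the ots project or from this page: a random key encrypts the secret, the key is placed after the # of the share URL, and the raw HTTP request for that URL is inspected to confirm the key is not in it. The cipher (AES-256-GCM), the host ots.example, the ID and all function names are assumptions made for the sketch.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

// encryptSecret returns nonce||ciphertext and the fresh random 256-bit key.
func encryptSecret(plaintext []byte) (blob, key []byte, err error) {
	rnd := make([]byte, 32+12) // key, then 96-bit GCM nonce
	if _, err = rand.Read(rnd); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(rnd[:32]) // AES-256-GCM: assumed cipher
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(rnd[32:], rnd[32:], plaintext, nil), rnd[:32], nil
}

// shareURL puts the key in the fragment; base and id are constructed values.
func shareURL(base, id string, key []byte) string {
	return base + "/view/" + id + "#" + base64.URLEncoding.EncodeToString(key)
}

// wireRequest returns the raw HTTP/1.1 request a Go client writes for link.
func wireRequest(link string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, link, nil)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = req.Write(&buf)
	return buf.String(), err
}

func main() {
	_, key, _ := encryptSecret([]byte("API_KEY=constructed-sample"))
	// Prints the request line and headers only: no "#" and no key.
	fmt.Println(wireRequest(shareURL("https://ots.example", "constructedID", key)))
}
```

The fragment is still part of the full URL, so it remains visible in browser history and in any chat or mail channel the link is pasted into.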
