A one-time encrypted zero-knowledge password/secret sharing application focused on simplicity and security. No database or complicated set-up required.
The latest release of FlashPaper is available at ghcr.io/andrewpaglusch/flashpaper.
- Download docker-compose.yml from this repo
- Edit
docker-compose.ymlwith your customizations - Run
docker-compose up -dto start FlashPaper - Set up a reverse-proxy in front of FlashPaper that terminates SSL/TLS
You can build your own image using the provided Dockerfile in the docker/ folder.
In order to build FlashPaper, run docker build . -t flashpaper -f docker/Dockerfile. If you would like to build FlashPaper for a different CPU architecture, replace docker/Dockerfile with the appropriate Dockerfile.
You can also build via docker-compose by replacing the image: line in docker-compose.yml with the following (make sure to choose the Dockerfile for your architecture):
build:
context: .
dockerfile: docker/Dockerfile
Requirements: PHP 7.0+ and a web server
- Download and extract the latest release of FlashPaper to the document root of your web server
- Copy
settings.example.phptosettings.phpand make customizations to that file - Disable access logging in your web server's configuration so nothing sensitive (IP addresses, user agent strings, timestamps, etc) are logged to disk
<random>--secrets.sqlitesqlite database created (if it doesn't already exist)<random>--aes-static.keyrandomized 256-bit AES static key created (if one doesn't exist already)- Random 256-bit AES key created
- Random 128-bit IV created
- Random 64-bit ID created
- ID + AES key hashed with bcrypt
- Submitted text encrypted with AES-256-CBC using AES key and random IV
- Ciphertext now encrypted with AES-256-CBC using static AES key and random IV
- ID and AES key joined (known as
k) - Random prune date/time generated using
prune->min_days/max_days - ID, IV, bcrypt hash, ciphertext, and prune epoch stored in DB
kvalue returned to user in one-time URL
kvalue removed from URLkvalue split into two parts: ID and AES key- IV, bcrypt hash, ciphertext looked up in DB with ID from
k kbcrypt hash compared against bcrypt hash from DB (prevents tampering of URL)- Ciphertext decrypted with static AES key and IV
- Ciphertext decrypted with AES key from
kand IV - Entry deleted from DB
- Decrypted text sent to user
FlashPaper can accept secret submissions through a simple API. The retrieval URL will be returned in a JSON object.
Here's what it looks like to submit a secret with curl:
$ curl -s -X POST -d "secret=my secret&json=true" https://flashpaper.io
{"url":"https://flashpaper.io/?k=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
enabled: Turn on/off auto-pruning of old secrets from the database upon page loadmin_days/max_days: When a secret is submitted, a random date/time is generated betweenmin_daysandmax_daysin the future. After that date/time has elapsed, the secret will be pruned from the database ifenabledis set totrue. This is to prevent your database from being filled with secrets that are never retrieved. NOTE: Even ifenabledis set tofalse, the prune value will still be generated and stored in the database, but secrets will not be pruned unlessenabledis switched totrue.
FlashPaper will try to generate the secret retrieval URL based on information provided by the upstream webserver. This process isn't always 100% accurate. If the secret retrieval URL that FlashPaper creates isn't correct for your setup (this usually happens when you're using a reverse proxy upstream), you can manually specify the URL that FlashPaper will use. For example: A base_url of "https://foo.com/flashpaper" will result in retrieval URLs like "https://foo.com/flashpaper/?k=xxxxxxxxxxxxx".
PayPal: https://paypal.me/AndrewPaglusch
BitCoin: 1EYDa33S14ejuQGMhSjtBUmBHTBB8mbTRs
Donations are not expected, but they are very appreciated!