crypt.fyi - A zero-knowledge, end-to-end encrypted secret sharing platform that enables secure and private transmission of sensitive data.
- π End-to-end encryption using ML-KEM post-quantum cryptography
- π‘οΈ Strict Content Security Policy (CSP) to prevent XSS attacks and unauthorized resource loading
- π‘οΈ Strict rate limits to mitigate brute-force attacks
- π€« Zero-knowledge architecture - server never sees unencrypted data or decryption keys
- π₯ Burn after reading w/ provisions to prevent erroneous burns from bots or url introspection
- π₯ Burn after
nread failures - β° Automatic expiration (Time-To-Live)
- ποΈ Password protection
- π File sharing support w/ drag and drop
- πͺ Webhook notifications for read success, read failure, and burn events
- π IP/CIDR allow-listing
- π’ Read count limits
- π± QR code generation
- β¨οΈ CLI for interacting with the API
- 𧩠Chrome Extension
- π³ Docker images for the api server and web client
- π Internationalization support for multiple languages
- Currently supported: View supported languages
- Contributions welcome for new translations!
- Encryption key is generated on the client
- Password is optionally provided
- Encryption key and password are used to encrypt the secret
- Encryption key and password are hashed and stored along with the encrypted secret for verification on retrieval - the raw key and password are never stored or transmitted on/to the server
- The unique URL containing the decryption key is generated on the client
- Share the URL with your recipient and separately the password if specified
- When accessed, only when the decryption key and password match via server-side verification of the hashes, the encrypted secret is shared and decrypted in the recipient's browser
- Optionally, the sec 8000 ret is automatically destroyed after being read in an atomic read & delete operation guaranteeing only one person can access the secret
- If retrieval doesn't happen within the TTL, the secret is automatically destroyed
API_URL=https://{your-domain-here} docker compose up --buildImportant
--build is required if API_URL is changed to ensure nginx and the web client are rebuilt with the correct configuration.
- Clone the repository
- Enable Corepack:
corepack enable - Install dependencies:
yarn install
- Set up environment variables (see
.env.example) - Start the development server:
yarn run dev
- The toast notification library (sonner) requires specific style-src hashes in the CSP configuration
- These hashes are defined in
nginx/nginx.conf - Updates to sonner may require updating these hashes
- Reference: sonner#449
- Ensure Redis is running locally when developing the server
- The web client expects the API to be available at
http://localhost:4321by default - CSP headers in development may differ from production configuration
- Always test encryption/decryption flows thoroughly when making changes
- Ensure no sensitive data is logged or exposed in error messages
- Maintain strict CSP headers to prevent XSS vulnerabilities
- Keep dependencies updated for security patches
Contributions are welcome! Please feel free to submit an Issue or Pull Request on GitHub.