One-time encrypted password/secret sharing
A one-time encrypted zero-knowledge password/secret sharing application focused on simplicity and security. No database or complicated set-up required.
The latest release of FlashPaper is available at ghcr.io/andrewpaglusch/flashpaper
.
docker-compose.yml
with your customizationsdocker-compose up -d
to start FlashPaperYou can build your own image using the provided Dockerfile in the docker/
folder.
In order to build FlashPaper, run docker build . -t flashpaper -f docker/Dockerfile
. If you would like to build FlashPaper for a different CPU architecture, replace docker/Dockerfile
with the appropriate Dockerfile.
You can also build via docker-compose by replacing the image:
line in docker-compose.yml with the following (make sure to choose the Dockerfile for your architecture):
build:
context: .
dockerfile: docker/Dockerfile
Requirements: PHP 7.0+ and a web server
settings.example.php
to settings.php
and make customizations to that file<random>--secrets.sqlite
sqlite database created (if it doesn’t already exist)<random>--aes-static.key
randomized 256-bit AES static key created (if one doesn’t exist already)k
)prune
->min_days
/max_days
k
value returned to user in one-time URLk
value removed from URLk
value split into two parts: ID and AES keyk
k
bcrypt hash compared against bcrypt hash from DB (prevents tampering of URL)k
and IVcurl
)FlashPaper can accept secret submissions through a simple API. The retrieval URL will be returned in a JSON object.
Here’s what it looks like to submit a secret with curl
:
$ curl -s -X POST -d "secret=my secret&json=true" https://flashpaper.io
{"url":"https://flashpaper.io/?k=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
prune
:enabled
: Turn on/off auto-pruning of old secrets from the database upon page loadmin_days
/max_days
: When a secret is submitted, a random date/time is generated between min_days
and max_days
in the future. After that date/time has elapsed, the secret will be pruned from the database if enabled
is set to true
. This is to prevent your database from being filled with secrets that are never retrieved. NOTE: Even if enabled
is set to false
, the prune value will still be generated and stored in the database, but secrets will not be pruned unless enabled
is switched to true
.base_url
:FlashPaper will try to generate the secret retrieval URL based on information provided by the upstream webserver. This process isn’t always 100% accurate. If the secret retrieval URL that FlashPaper creates isn’t correct for your setup (this usually happens when you’re using a reverse proxy upstream), you can manually specify the URL that FlashPaper will use. For example: A base_url
of “https://foo.com/flashpaper” will result in retrieval URLs like “https://foo.com/flashpaper/?k=xxxxxxxxxxxxx”.
display_logo
:true
: The logo set in site_logo
(either a file path or a URL) will be displayed at the top of the page. If site_logo
isn’t set, the default FlashPaper logo at img/logo.png
will be displayedfalse
: No logo will be displayed on your FlashPaper instancedisplay_title
:true
: The setting site_title
will be displayed at the top of the page. If display_logo
is enabled, the text will appear to the right of the logo.false
: The setting site_title
will not be displayed.PayPal: https://paypal.me/AndrewPaglusch
BitCoin: 1EYDa33S14ejuQGMhSjtBUmBHTBB8mbTRs
Donations are not expected, but they are very appreciated!