Keep sensitive info out of your email & chat logs.
Keep passwords and other sensitive information out of your inboxes and chat logs.
A one-time secret is a link that can be viewed only once. A single-use URL.
Try it out on OnetimeSecret.com!
When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can’t be read by someone else later. This allows you to send sensitive information in a safe way knowing it’s seen by one person only. Think of it like a self-destructing message.
$ docker run -p 6379:6379 --name redis -d redis
$ ONETIMESECRET_REDIS_URL="redis://172.17.0.2:6379/0"
$ docker pull onetimesecret/onetimesecret:next
$ docker run -p 3000:3000 -d --name onetimesecret \
-e ONETIMESECRET_REDIS_URL=$ONETIMESECRET_REDIS_URL \
onetimesecret/onetimesecret:next
See the instructions in the Docker Compose config file.
Get the code, one of:
git clone https://github.com/onetimesecret/onetimesecret.git
$ cd onetimesecret
$ cp --preserve --no-clobber ./etc/config.example ./etc/config
$ cp --preserve --no-clobber .env.example .env
For Debian / Ubuntu:
# Install packages for build environment
$ sudo apt-get update
$ sudo apt-get install -y build-essential autoconf m4 sudo curl gnupg2 ca-certificates lsb-release
# Install Ruby 3+
$ curl -sSL https://pkg.ruby-lang.org/gpg/ruby-apt.gpg | sudo apt-key add -
$ echo "deb https://pkg.ruby-lang.org/bookworm/ $(lsb_release -sc) main" | \
sudo tee /etc/apt/sources.list.d/ruby-lang.list
$ sudo apt-get update
$ sudo apt-get install -y ruby3.2
# Install Redis
$ sudo apt-get install redis-server
# Update Rubygems and setup bundler
$ sudo gem update --system
$ sudo gem install bundler
NOTE: The redis-server service should start automatically after installing it. You can check that it’s up with: sudo systemctl status redis-server
$ bundle install
$ bundle exec thin -R config.ru -p 3000 start
--- ONETIME app v0.13 -----------------------------------
Config: /Users/d/Projects/opensource/onetimesecret/etc/config
2024-04-10 22:39:15 -0700 Thin web server (v1.8.2 codename Ruby Razor)
2024-04-10 22:39:15 -0700 Maximum connections set to 1024
2024-04-10 22:39:15 -0700 Listening on 0.0.0.0:3000, CTRL+C to stop
See the Ruby CI workflow for another example of the steps.
To run in debug mode, set ONETIME_DEBUG=true:
$ ONETIME_DEBUG=true bundle exec thin -e dev start
If you’re having trouble cloning via SSH, you can double check your SSH config like this:
With a GitHub account
ssh -T git@github.com
Hi delano! You've successfully authenticated, but GitHub does not provide shell access.
Without a GitHub account
ssh -T git@github.com
Warning: Permanently added the RSA host key for IP address '0.0.0.0/0' to the list of known hosts.
git@github.com: Permission denied (publickey).
NOTE: You can also use the etc directory from here instead of copying it to the system. Just be sure to secure the permissions on it:
chown -R ots ./etc
chmod -R o-rwx ./etc
./etc/config
./etc/redis.conf
/etc/onetime/locale/*
:broadcast string to display a brief message at the top of every page
There are many ways to run the webapp. The default web server we use is thin. It’s a Rack app, so any server in the Ruby ecosystem that supports Rack apps will work.
To run locally:
bundle exec thin -e dev -R config.ru -p 7143 start
To run on a server:
bundle exec thin -d -S /var/run/thin/thin.sock -l /var/log/thin/thin.log -P /var/run/thin/thin.pid -e prod -s 2 restart
We include a global secret in the encryption key so it needs to be long and secure. One approach for generating a secret:
dd if=/dev/urandom bs=20 count=1 | openssl sha256
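A preflight check covering the two hardening steps above, the chmod -R o-rwx on ./etc and the long random secret, written as an added example that is not part of the Onetime Secret project. The function names, the 32-byte secret size and the 40-character / 8-distinct-character thresholds are assumptions chosen for illustration; the secret is read from stdin so it stays out of shell history and argument lists.

```shell
#!/bin/sh
# Added example, not project code. Names and thresholds are assumptions.

# gen_secret: print 32 bytes from /dev/urandom as 64 hex characters.
gen_secret() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
    echo
}

# secret_ok: read a candidate secret on stdin. Succeeds only if it has at
# least 40 characters and at least 8 distinct characters. This is a crude
# sanity check that rejects short or placeholder-style values; it does not
# measure entropy.
secret_ok() {
    s=$(cat)
    [ "${#s}" -ge 40 ] || return 1
    distinct=$(printf '%s' "$s" | fold -w 1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 8 ]
}

# world_accessible DIR: list entries under DIR that still grant any
# permission to "other", which is what chmod -R o-rwx is meant to clear.
# Symlinks are skipped because their own mode bits are not enforced.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# etc_locked_down DIR: succeed only if nothing under DIR is world-accessible.
etc_locked_down() {
    [ -z "$(world_accessible "$1")" ]
}

# preflight DIR: read the candidate secret on stdin, report problems on
# stderr, and return non-zero if either check fails.
preflight() {
    rc=0
    secret_ok || { echo "secret is too short or too repetitive" >&2; rc=1; }
    etc_locked_down "$1" || {
        echo "still accessible to other users:" >&2
        world_accessible "$1" >&2
        rc=1
    }
    return "$rc"
}
```

After sourcing the file, a call such as gen_secret | preflight ./etc exercises both checks; to check an existing secret, pipe that value in instead.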