A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

Related tags

Security secret
Overview

🔒 Secret

A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

Screenshot

What is it for

I often need to send credentials or sensitive information to clients and colleagues and really prefer not to send these things over email/chat where they remain forever prone to breaches and also attached to a context in email threads (eg, it is clear such data is connected to a site/identity/account).

It is even better to send the URL and the KEY separately through different channels and instruct the user to recombine them in the address bar.

Coming soon: support for binaries/file uploads.

Requirements

Install

  • Clone the repo
  • Copy .env.example to .env
  • Configure APP_URL with the url, APP_KEY with a random string, NEW_ITEM_PASSWORD with a password for the creation of new items. (Highly recommended, see Why set a password).
  • If desired, adjust ALLOWED_TAGS as a comma separated list br,a,img
  • touch database/database.sqlite
  • composer install
  • php artisan migrate

Dev

  • composer install
  • npm i
  • Set URL in webpack.mix.js
  • npx mix watch
  • Build for production with npx mix --production

Why Set a Password?

  • A password is highly recommended. If no password is set, anyone can create secrets
  • There's no rate limiter, so without a password a troll could hammer the endpoint to create secrets
  • There's no CSRF protection, though an irrelevant vector since without a password, anyone can create secrets anyways
  • Sanitization can't be performed server-side since the data is e2e encrypted, a sanitization occurs (as per the ALLOWED_TAGS environment variable) before displaying the secret. An unlikely vector, since it is sanitized before display, but worth mentioning.

Notes

  • Not tested on IE/Edge, but from a look at the Compatibility table the requirements should be supported
  • Thank you Pichiste for helping debug the nightmare of SubtleCrypto ArrayBuffer <> String conversions.

License

GNU General Public License version 2

You might also like...
JSON Object Signing and Encryption library for PHP.

NAMSHI | JOSE Deprecation notice Hi there, as much as we'd like to be able to work on all of the OSS in the world, we don't actively use this library

Password manager featuring client-side encryption, vaults, folders and more.
Password manager featuring client-side encryption, vaults, folders and more.

vaults is a password manager featuring client side AES-256 encryption, PBKDF2 hashing, vaults, password generation & more. Features Technical overview

Simplest implementation of RSA algorithm encryption and decryption

Simplest RSA (Rivest–Shamir–Adleman) Simplest implementation of RSA algorithm encryption and decryption. Richard Feynman: What I cannot create, I do n

A petite library of encryption functions for PHP

🔐 dcrypt A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here. If you need a dcrypt inspired en

Encryption-free Private Messaging For Flarum

Whisper - Private Messaging for Flarum A Flarum extension. Add private messaging functionality to your Flarum Community! Simple to install, no setting

PHP CORS (Cross-origin resource sharing) middleware.

CORS PHP CORS (Cross-origin resource sharing) middleware. Support Array, Coding in Native PHP Using PSR-7 PSR-15 Support Symfony Support Laravel Suppo

CORS (Cross-Origin Resource Sharing) middleware for Hyperf application.

CORS Middleware for Hyperf Implements fruitcake/laravel-cors for Hyperf. Features Handles CORS pre-flight OPTIONS requests Adds CORS headers to your r

Laravel and Lumen Source Code Encrypter
Laravel and Lumen Source Code Encrypter

Laravel Source Encrypter This package encrypts your php code with phpBolt For Laravel and Lumen 6, 7, 8 Installation Usage Installation Step 1 At the

Quickly and easily secure HTML text.
Quickly and easily secure HTML text.

Larasane Quickly sanitize text into safe-HTML using fluid methods. Requirements PHP 7.4, 8.0 or later. Laravel 7.x, 8.x or later. Installation Just fi

Owner
Alan Woo
Alan Woo
AES 128 bit Encryption and Decryption algorithm excuted purely on PHP with no external libraries.

AES128 Executed with PHP Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S National I

Ahmed Mohamed Mostafa 2 Aug 8, 2022
Replaces Laravel's built-in encryption with an encryption based on AWS KMS

Laravel Kms Encryption Introduction This package replaces Laravel's built-in encryption with an encryption based on AWS KMS. Two major features provid

Arnaud Becher 3 Oct 26, 2021
Easily anonymize sensitive data through eloquent queries

Laravel Encryptable This package allows you to anonymize sensitive data (like the name, surname and email address of a user) similarly to Laravel's En

H-FARM Innovation 93 Sep 6, 2022
A Simple Cross Origin Resource Sharing for Lumen Framework (5.*).

Lumen Cors Package A Simple Cross Origin Resource Sharing for Lumen Framework. Note: That should works fine on Laravel Framework too, but the tests ar

Vagner Luz do Carmo 46 Jul 27, 2022
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Jan 6, 2023
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

[sCRiPTz-TEAM] 3 Dec 31, 2021
A cryptography API wrapping the Sodium library, providing a simple object interface for symmetrical and asymmetrical encryption, decryption, digital signing and message authentication.

PHP Encryption A cryptography API wrapping the Sodium library, providing a simple object interface for symmetrical and asymmetrical encryption, decryp

null 19 Dec 31, 2022
🔒 Password Exposed Helper Function - Check if a password has been exposed in a data breach.

?? Password Exposed Helper Function This PHP package provides a password_exposed helper function, that uses the haveibeenpwned.com API to check if a p

Jordan Hall 212 Oct 24, 2022
Simple Encryption in PHP.

php-encryption composer require defuse/php-encryption This is a library for encrypting data with a key or password in PHP. It requires PHP 5.6 or new

Taylor Hornby 3.6k Jan 3, 2023