Last week, a coworker Slacked me an AWS key. In plain text. In a channel with 50 people.
"Can you delete that?" I asked.
"Already did."
Cool. Except Slack stores message history. That key is sitting on Slack's servers forever. One breach, one rogue employee, one subpoena - and it's exposed.
This happens constantly. Developers share secrets via Slack, Discord, Pastebin. All plain text. All stored on servers we don't control.
So I built something different.
The Problem
Every time you share a password or API key, you're trusting:
- The platform's servers
- The platform's employees
- The platform's security
- Every future breach that hasn't happened yet
That's a lot of trust for "just a quick paste."
Regular pastebins store your data in plain text. When (not if) they get breached, everything's exposed.
The Solution: Zero-Knowledge Architecture
CloakBin encrypts everything in your browser before it ever touches our servers. We literally cannot read your pastes, even if we wanted to.
Here's how it works:
1. Client-Side Encryption
When you create a paste, JavaScript encrypts your content using AES-256 (the same encryption banks use) right in your browser.
2. The Key Never Leaves Your Browser
The encryption key lives in the URL fragment, the part after the #:
cloakbin.com/abc123#your-secret-key
Here's the trick: browsers never send URL fragments to servers. It's not a feature I built - it's how HTTP works. The # and everything after it stays client-side.
ℹ️ This is a fundamental web security feature. Check your browser's network tab - you'll never see the fragment in any request.
3. What Our Server Actually Stores
Encrypted blob: U2FsdGVkX1+8K3...
Key: ¯\_(ツ)_/¯
We store encrypted noise. Without the key (which we never receive), it's unreadable.
The Two-Factor Sharing Problem
"Cool, but if I share the URL on Discord, the key's right there in the message."
You're right. That's why we added password protection.
With a password enabled:
- The encryption key is derived from your password (using PBKDF2)
- No key in the URL - just a clean link like cloakbin.com/abc123
- Only someone who knows the password can decrypt
💡 Secure sharing workflow:
- Create paste with password protection
- Share the link on Discord/Slack/email
- Send password via different channel (text, call)
Two channels = much harder to intercept both.
Try It Out
Ready to stop sharing secrets in plain text?
🔗 Try CloakBin - Create your first encrypted paste
📖 View the Source Code - Star the repo if you find it useful!
Got questions or feedback? Drop a comment below or open an issue on GitHub.
