Onetime Secret

Best Self-hosted Alternatives to Onetime Secret

A curated collection of the 9 best self-hosted alternatives to Onetime Secret.

Service that creates one-time, expiring links for sharing sensitive information. Secrets can be configured to self-destruct after first view and/or after a time limit to minimize accidental exposure.

Alternatives List

#1
Password Pusher

Open-source app that creates self-deleting secret links with audit logs.

Password Pusher is an open-source web application that securely shares sensitive information by generating self-deleting links. Secret links expire after a configurable number of views or a time window, and access is tracked with full audit logs.

Key Features

  • Self-destructing links based on views or time, ensuring temporary access only
  • Full audit logs showing who accessed what and when
  • Encrypted storage with complete deletion after expiry
  • Admin dashboard for managing self-hosted instances
  • JSON API and command-line interface for automation and tooling
  • Unbranded delivery pages and multilingual translations for global use
  • Docker-based deployment and easy self-hosting with Docker Compose

Use Cases

  • Securely share passwords or other secrets with teammates or customers using time/view-limited links
  • Audit and compliance workflows by tracking who accessed shared data and when
  • Temporary sharing of sensitive URLs or files with automatic destruction after expiry or views

Limitations and Considerations

  • Pro features exist on the hosted pwpush.com service; the OSS self-hosted edition periodically receives Pro features, and some capabilities may require the hosted plan. This distinction is documented in the project notes.
  • The OSS edition emphasizes self-hosting and open-source delivery, with the hosted service providing additional conveniences and updates.

Conclusion

Password Pusher offers a self-hosted, auditable, and secure way to share sensitive information via self-expiring links. It supports programmatic access through a JSON API and CLI, while also providing an admin dashboard for operators and multilingual end-user experiences.

2.9k stars
427 forks
#2
Onetime Secret

Open-source web and API service to create encrypted, single-view links for sharing secrets with configurable expiry and optional passphrase protection.

Onetime Secret is an open-source service for sharing sensitive text as single-use links. Secrets are encrypted on the server and expire either after a single view or after a configured time-to-live.

Key Features

  • Create single-use (self-destructing) secret links that delete after being viewed or after a TTL.
  • Server-side encryption of stored secrets with an optional passphrase option; passphrases are bcrypt-hashed and used to protect decryption.
  • REST API and web UI for creating and retrieving secrets; supports anonymous and authenticated workflows.
  • Configurable TTL options and passphrase policy (minimum length, complexity, enforcement settings).
  • Support for custom share domains and UI/auth configuration for self-host deployments.
  • Docker images and a documented quick-start (Redis-backed storage, recommended Ruby runtime) for easy deployment.

Use Cases

  • Safely send passwords or credentials over email/chat where persistent copies are undesirable.
  • Issue ephemeral API tokens, one-time links for password resets, or short-lived provisioning secrets.
  • Provide secure, single-view communication for support, onboarding, or sensitive troubleshooting details.

Limitations and Considerations

  • Without a user-provided passphrase, secrets are encrypted on the server but decryptable by the service operator; use passphrases for stronger zero-knowledge guarantees.
  • Secret size is limited (enforced per plan; documentation cites per-plan limits, e.g., ~1k–10k characters).
  • Encrypted backups exist for disaster recovery and may retain encrypted secrets for a limited retention window (documented backup retention is not indefinite).
  • Not a long-term secrets vault: designed for ephemeral, single-view sharing rather than secret rotation, audit history, or full enterprise secret-management features.

Onetime Secret provides a focused, auditable way to share ephemeral secrets via web or API. It is useful where short-lived, single-view confidentiality is required, and it offers configurable protections (TTL and passphrases) for stronger privacy guarantees.

2.7k stars
427 forks
#3
Yopass

Open-source tool for sharing secrets and files via client-side OpenPGP encryption and one-time expiring links.

Yopass is an open-source service for securely sharing sensitive information. It encrypts secrets client-side using OpenPGP, stores only ciphertext on the server, and returns a one-time expiring URL to the sender.

Key Features

  • Client-side end-to-end encryption using OpenPGP; server never receives plaintext or the decryption key.
  • One-time or time-limited access: secrets can be configured to self-destruct after first view or after a set expiry.
  • Small web UI plus a command-line client for automation and scripting use cases.
  • Configurable storage backends: supports Memcached or Redis for ephemeral secret storage.
  • Optional limited file upload support (files are encrypted before upload and can be disabled).
  • Deployment ready: includes Docker/Compose and Kubernetes examples, plus reverse-proxy guidance for TLS and proxy trust configuration.

Use Cases

  • Sharing short-lived credentials or secrets (passwords, API keys) between teammates without exposing plaintext in chat or tickets.
  • Exchanging program output or sensitive configuration from automation scripts via the CLI.
  • Sending single-use tokens or files that must not persist on the server once consumed.

Limitations and Considerations

  • File upload functionality is limited; large-file workflows are not the primary focus and may require external tools.
  • Default deployments do not enforce rate limiting; administrators should add rate limiting or WAF rules if exposed publicly.
  • URLs containing the decryption key can be stored in browser history or logs; post-access cleanup and secure channels for delivering the URL are recommended.
  • Security depends on correct TLS/reverse-proxy configuration and on administrators keeping dependencies and the server up to date.

Yopass is designed to be small, transparent, and security-focused: it minimizes server-side knowledge of secrets while providing simple UX and automation interfaces. It is useful for teams and automation that need quick, ephemeral secret sharing without accounts or long-term storage.

2.6k stars
379 forks
#4
Hemmelig

Share sensitive text or files securely using client-side encryption, expiring links, view limits, and optional password protection.

Hemmelig is an encrypted secret-sharing service designed to keep sensitive information out of chat logs and email threads. It uses a zero-knowledge approach where encryption happens in the browser, and the server only stores encrypted data.

Key Features

  • Client-side AES-256-GCM encryption (zero-knowledge storage)
  • Self-destructing secrets with configurable expiration and view limits
  • Optional password protection for an additional security layer
  • IP restrictions to limit access to specific IP ranges
  • Encrypted file uploads for authenticated users
  • Rich text editor for formatting secrets
  • QR codes for easier sharing on mobile devices
  • Webhook notifications for secret viewed/burned events
  • REST API with OpenAPI specification, plus CLI for automation

Use Cases

  • Securely sharing one-time credentials, API keys, and recovery codes
  • Exchanging sensitive notes or documents with expiring access
  • Automating secret creation and sharing in CI/CD pipelines via CLI/API

Limitations and Considerations

  • The license is a modified MIT-style license that restricts offering the software as a competing hosted SaaS

Hemmelig is a practical alternative to sending secrets through persistent channels, combining strong client-side cryptography with expiration controls. It fits well for teams and individuals who need simple, auditable secret handoff workflows with optional automation.

1.1k stars
91 forks
#5
sup3rS3cretMes5age

Self-hosted one-time, self-destructing message service that stores secrets in HashiCorp Vault, with a lightweight web UI and optional TLS automation.

sup3rS3cretMes5age is a small web service for sharing secrets via single-use, self-destructing messages. It uses HashiCorp Vault as the storage backend so messages are handled as secrets rather than being persisted in an app database.

Key Features

  • One-time secret messages that self-destruct after being read
  • HashiCorp Vault backend for storing and managing secrets
  • Lightweight web UI built with vanilla JavaScript and self-hosted assets (no external CDNs)
  • Supports HTTPS operation, including optional automatic certificate provisioning
  • Container-friendly deployment with Docker and docker-compose
  • CLI-oriented usage patterns for easy scripting and automation

Use Cases

  • Sharing passwords, tokens, or recovery codes securely with teammates
  • Sending short-lived secrets during incident response or support workflows
  • Providing single-use credentials or links in automated scripts

Limitations and Considerations

  • Requires operating and securing a HashiCorp Vault instance and providing appropriate tokens/policies
  • If deployed without TLS end-to-end, secrets can be exposed in transit

sup3rS3cretMes5age is a practical tool for teams that need a simple, auditable way to share secrets once and avoid leaving sensitive data sitting in chat logs or email threads. It fits well in environments that already use Vault for secrets management.

559 stars
85 forks
#6
FlashPaper

Simple PHP app for one-time encrypted secret sharing. Stores encrypted secrets in SQLite, deletes on retrieval, and provides a curl API and Docker images.

FlashPaper is a lightweight PHP web application for sharing one-time secrets (passwords, tokens, notes). It encrypts submitted text, stores only ciphertext and metadata, and returns a single-use retrieval URL. Secrets are deleted after retrieval or pruned after a configurable retention window.

Key Features

  • One-time secret retrieval: secrets are removed from storage after they are retrieved
  • Layered encryption: AES-256-CBC encryption with a per-secret key wrapped by a static server AES key, and bcrypt used to protect the retrieval token
  • Minimal storage: uses a local SQLite database so no external database is required
  • API and web UI: supports browser usage and simple API submission that returns a retrieval URL in JSON
  • Docker-friendly: official container image and docker-compose support for easy deployment
  • Configurable pruning and base URL: automatic pruning window and manual base URL override for accurate retrieval links
  • Small attack surface and simple configuration: designed to be easy to self-host with a reverse proxy terminating TLS

Use Cases

  • Securely share a password or API key with a colleague in a way that cannot be retrieved repeatedly
  • Transmit one-off tokens or credentials during onboarding or support interactions
  • Automate ephemeral secret delivery in CI/CD or scripting workflows via the provided API

Limitations and Considerations

  • Server compromise can expose the static AES key and database; protect the server and key material with proper filesystem permissions and backups
  • Not intended as long-term secret storage or a full-featured vault; designed for ephemeral, single-use secrets
  • SQLite back end and single-file storage are simple but may not scale for very high throughput or multi-node deployments
  • Requires proper TLS termination (reverse proxy) and recommends disabling upstream access logging to avoid leaking metadata

FlashPaper is suitable when you need a simple, self-hosted way to exchange ephemeral secrets without a heavy infrastructure footprint. It emphasizes minimal setup, predictable behavior, and single-use secrecy for temporary secrets.

490 stars
73 forks
#7
Shhh

Tiny Flask app to create encrypted, expiring secrets shareable via private links. Secrets are encrypted and deleted after viewing, expiration, or max attempts.

Shhh is a lightweight web application that creates encrypted secrets and shares them via unique links protected by a temporary passphrase. Secrets are encrypted before storage and removed after expiration, successful decryption, or exceeding allowed attempts.

Key Features

  • Create encrypted text secrets protected by a user-provided passphrase
  • Secrets expire automatically based on a configured expiration date
  • One-time or limited-attempt opening: secret is purged after viewing or when max attempts are exceeded
  • Encryption uses Fernet with a password-derived key (random salt and high iteration count)
  • Does not store passphrases; only ciphertext and metadata are stored
  • Provides a REST API and can be integrated via a companion CLI client
  • Supports PostgreSQL or MySQL backends and can be deployed with Docker/Docker Compose
  • Typical deployment stack includes Flask with Gunicorn behind a web server

Use Cases

  • Share temporary credentials, tokens, or one-time instructions without leaving plain text in email or chat
  • Send expiring links for password resets or sensitive file access instructions
  • Integrate secret sharing into workflows or automation via the provided REST API

Limitations and Considerations

  • The project has been marked for sunsetting in favor of a successor; active maintenance and hosted deployments may be discontinued
  • Not a full-featured secrets management or vault solution: lacks advanced access controls, enterprise audit logging, and RBAC
  • Security depends on strong passphrases and secure hosting; operational security (TLS, server hardening, database protection) is required for production use

Shhh is a simple, focused tool for short-lived secret sharing and integration into workflows. It is suitable for teams or individuals who need ephemeral, passphrase-protected messages but is not a replacement for dedicated vault systems for long-term secret management.

416 stars
31 forks
#8
YeetFile

Self-hosted encrypted file sharing and vault. Client-side encryption, shareable expiring links, CLI and web UI, and storage backends (local, S3, Backblaze B2).

YeetFile is a privacy-focused file sending service and personal vault that encrypts content client-side so the server cannot decrypt stored or transferred data. It provides both a web UI and a CLI client, and is designed for easy self-hosting with Docker and standard infrastructure components.

Key Features

  • Client-side end-to-end encryption for files and text so servers cannot decrypt content
  • "Send" mode: create shareable links with configurable expiration and limited download counts
  • "Vault" mode: file and password storage, folder organization, and per-user read/write sharing
  • Optional password protection on shared links and text transfers (text up to 2000 characters)
  • Multiple storage backends supported: local filesystem, S3-compatible object stores, and Backblaze B2
  • Official CLI with parity to web client and a browser-based web UI
  • Deployable via docker-compose or systemd; requires PostgreSQL for metadata
  • Admin features for instance management, user administration, and logging suggestions

Use Cases

  • Securely send sensitive files or one-off secrets with expiring, limited-download links
  • Host a personal/team vault for encrypted file and password storage with folder-level sharing
  • Run a privacy-preserving file transfer service for an organization that must retain control of storage

Limitations and Considerations

  • Send transfers have configurable limits: maximum expiration is 30 days and maximum downloads per link is 10
  • Server-side metadata (file size, owner ID, timestamps) is visible even though file contents and filenames are encrypted
  • Some features (paid upgrades, payment recycling) rely on external payment providers and require additional configuration

YeetFile is well suited for users and teams that need a self-hosted, privacy-first file transfer and vault solution. It emphasizes strong client-side encryption and flexible deployment, while requiring a PostgreSQL database and standard container tooling for production deployments.

307 stars
20 forks
#9
OrigamiVault

Client-side web app to encrypt or split secrets into QR codes and OCR-friendly printouts for offline recovery using AES and Shamir Secret Sharing.

OrigamiVault is a small offline web application for encrypting or splitting sensitive secrets and producing printable recovery artifacts. It generates QR codes and OCR-friendly decryption snippets so secrets can be stored on paper for long-term emergency recovery.

Key Features

  • Client-side AES encryption using the browser Web Crypto API for password-based encryption
  • Optional Shamir's Secret Sharing to split secrets into multiple shares
  • Dual printable formats: compact QR codes and OCR-friendly JavaScript decryptor text (high-contrast mono font)
  • Built-in QR scanner that runs in the browser for quick recovery
  • Fully offline, static HTML/CSS/JavaScript implementation suitable for USB or static hosting
  • No server, no analytics, and all cryptography performed locally

Use Cases

  • Securely print master passwords, recovery phrases, or crypto keys for long-term archival
  • Create split backups where different trusted parties hold complementary information for emergency recovery
  • Produce OCR-friendly printed recoverable snippets as a resilient alternative to purely digital backups

Limitations and Considerations

  • Security relies on the strength of chosen passwords and the physical protection of printed paper
  • OCR accuracy and QR readability depend on print quality, font scaling, and camera/scanner conditions
  • Not a multi-user vault or live secret manager; intended for one-off encrypted printouts and recoveries

OrigamiVault is a focused tool for physical, offline secret recovery workflows that emphasizes simplicity and auditability. It is best suited for archival backups and digital legacy scenarios where paper-based recovery is required.

262 stars
23 forks

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running