FlashPaper

FlashPaper is a lightweight PHP web application for sharing one-time secrets (passwords, tokens, notes). It encrypts submitted text, stores only ciphertext and metadata, and returns a single-use retrieval URL. Secrets are deleted after retrieval or pruned after a configurable retention window.

Key Features

• One-time secret retrieval: secrets are removed from storage after they are retrieved
• Layered encryption: AES-256-CBC encryption with a per-secret key wrapped by a static server AES key, and bcrypt used to protect the retrieval token
• Minimal storage: uses a local SQLite database so no external database is required
• API and web UI: supports browser usage and simple API submission that returns a retrieval URL in JSON
• Docker-friendly: official container image and docker-compose support for easy deployment
• Configurable pruning and base URL: automatic pruning window and manual base URL override for accurate retrieval links
• Small attack surface and simple configuration: designed to be easy to self-host with a reverse proxy terminating TLS

Use Cases

• Securely share a password or API key with a colleague in a way that cannot be retrieved repeatedly
• Transmit one-off tokens or credentials during onboarding or support interactions
• Automate ephemeral secret delivery in CI/CD or scripting workflows via the provided API

Limitations and Considerations

• Server compromise can expose the static AES key and database; protect the server and key material with proper filesystem permissions and backups
• Not intended as long-term secret storage or a full-featured vault; designed for ephemeral, single-use secrets
• SQLite back end and single-file storage are simple but may not scale for very high throughput or multi-node deployments
• Requires proper TLS termination (reverse proxy) and recommends disabling upstream access logging to avoid leaking metadata

FlashPaper is suitable when you need a simple, self-hosted way to exchange ephemeral secrets without a heavy infrastructure footprint. It emphasizes minimal setup, predictable behavior, and single-use secrecy for temporary secrets.