Man, I would love a self-hosted version of this. I've worked at a lot of tiny startups and it often goes like this:
1. Sam needs to send some sensitive credentials to Alex
2. Well, we know we shouldn't use slack or email
3. We should probably use a shared password manager, but that'd be a much larger conversation with the whole dev team
4. There are a ton of options if I search "share secrets securely," but I'd have to dig into a few to figure out if I trust A. that company and B. their security model
5. Fuck it, just share it on slack, delete the message later, and hope for the best. We'll figure out a better solution "next time."
I'd love something simple and self-hosted that I could throw onto heroku, or deploy as a ready-made container, that'd provide one-time-use urls like this. It'd be a great way to have slightly better secret delivery over insecure channels (like slack) in the early days of an eng team before we get around to setting up a unified system for secret sharing. And easy self-hosting means we don't have to solve the trust problem every time.
We faced this ourselves countless times, and it is exactly why we created both OTS and Snip (https://github.com/sniptt-official/snip - like OTS but with the ability to persist secrets and also create shared vaults etc.).
Pleased to say that self-hosted options for both OTS and Snip are currently top of our roadmap.
I built this for my company. It’s create-react-app with Redis. Redis works great in this instance because it has built-in functionality for timed expiration (no cron needed). I use Node’s crypto to cipher it in the browser with a randomly generated short passphrase, generate a random ID, insert the ciphered message into the DB with the aforementioned ID, and then use the ID and passphrase to build a URL (passphrase as fragment) that is given to the user to share.
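
The flow described in the comment above, as an added example that is not the commenter's code: encrypt with a random passphrase, store only ciphertext under a random ID with a TTL, and carry the passphrase in the URL fragment, which browsers do not send to the server. Assumptions: AES-256-GCM with an scrypt-derived key, an in-memory `Map` standing in for Redis, and the hypothetical names `createSecretUrl`, `fetchOnce`, `openSecretUrl` and host `secrets.example`.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for Redis (assumption): id -> { blob, expiresAt }.
// With Redis this would be SET id blob EX ttl on write and GETDEL id on read.
const store = new Map();

// Sender side: encrypt locally, upload only ciphertext, return the share URL.
function createSecretUrl(baseUrl, plaintext, ttlSeconds, now = Date.now()) {
  const passphrase = nodeCrypto.randomBytes(16).toString('base64url');
  const id = nodeCrypto.randomBytes(16).toString('hex');
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(id)); // bind the ciphertext to its ID
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
  store.set(id, { blob, expiresAt: now + ttlSeconds * 1000 });
  // The fragment stays in the browser, so the store never sees the passphrase.
  return `${baseUrl}/s/${id}#${passphrase}`;
}

// Server side: hand the blob out once, then it is gone (expired entries too).
function fetchOnce(id, now = Date.now()) {
  const entry = store.get(id);
  store.delete(id);
  if (!entry || entry.expiresAt <= now) return null;
  return entry.blob;
}

// Recipient side: split ID and passphrase out of the URL, fetch, decrypt.
function openSecretUrl(url, now = Date.now()) {
  const u = new URL(url);
  const id = u.pathname.split('/').pop();
  const passphrase = u.hash.slice(1);
  const blob = fetchOnce(id, now);
  if (blob === null) return null; // already read, expired, or unknown ID
  const raw = Buffer.from(blob, 'base64');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(id));
  decipher.setAuthTag(tag);
  // final() throws if the passphrase is wrong or the blob was tampered with.
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}
```

Because `fetchOnce` deletes before decryption, a fetch with the wrong passphrase still consumes the secret, which makes a leaked or intercepted link visible to the intended recipient as a missing secret.
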
Both S/MIME (encrypted email) and OMEMO (signal style encrypted IM for XMPP with keys generated and verified client side) have been around for quite a while. That your organization doesn't have one of these is a complete failure of whoever is running IT.
For the last couple of years my org has been self-hosting Yopass https://github.com/jhaals/yopass. We use it to share secrets (with one time URLs) with each other.
Create a GPG key and encrypt / decrypt your messages.
It takes about 10 minutes once to set up your key and then it's easy to send and receive encrypted messages with no central server since you could send the encrypted text over whatever transport mechanism you prefer (gist, email, etc.).
We kinda did this with the snip cli (which is one of our other repos besides the ots cli). It's basically a wrapper around PGP with some additional features like vaults to facilitate sharing PGP encrypted secrets with a team. And... It takes less than 10 minutes to set up :P