How SecureShare Works

Understanding the technology that keeps your secrets safe

🔒 The Encryption Process

Step 1: Client-Side Encryption

When you create a secret, your data is encrypted in your browser using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode). This is the same encryption standard used by governments and militaries worldwide.

  • A random 256-bit encryption key is generated
  • Your message or file is encrypted using this key
  • The encrypted data is sent to our servers

Step 2: Zero-Knowledge Storage

Our servers receive and store only the encrypted data. The encryption key remains in your browser and is embedded in the URL fragment (the part after #).

  • URL fragments are never sent to servers
  • We cannot decrypt your secrets
  • Your data is protected even if our servers are compromised

Step 3: Secure Sharing

You receive a unique link containing both the secret ID and the encryption key. When you share this link, the recipient can decrypt the secret using the key embedded in the URL.

  • Each secret has a unique cryptographic key
  • Keys are 64 hexadecimal characters (256 bits)
  • Links can be protected with an additional password

Step 4: Self-Destruction

After the secret is viewed or the expiration time is reached, it's permanently deleted from our servers. No traces remain.

  • Automatic deletion after first view (if enabled)
  • Time-based expiration (5 minutes to 7 days)
  • View count limits (1-10 views)

🛡️ Security Features Explained

  • AES-256-GCM Encryption: Military-grade encryption that's computationally infeasible to break with current technology
  • Authentication Tags: GCM mode provides both encryption and authentication, preventing tampering
  • Random Initialization Vectors: Each encryption uses a unique IV to ensure identical messages produce different ciphertexts
  • bcrypt Password Hashing: Optional passwords are hashed using bcrypt with 10 rounds for maximum security
  • Secure Random Generation: Cryptographically secure random number generators for all keys and IVs

🔍 What We Store vs. What We Don't

✅ We Store

  • Encrypted content
  • Initialization vector (IV)
  • Authentication tag
  • Password hash (if set)
  • Metadata (expiry, views)

❌ We Don't Store

  • Encryption keys
  • Plain text content
  • Your passwords
  • IP addresses
  • Personal information

💡 Technical Details

Encryption Algorithm

Algorithm: AES-256-GCM
Key Size: 256 bits (32 bytes)
IV Size: 128 bits (16 bytes)
Tag Size: 128 bits (16 bytes)
Library: Node.js crypto module

URL Structure

https://supersecret-link.vercel.app/s/[SECRET_ID]#[ENCRYPTION_KEY]
                              ↑              ↑
                        Stored on server   Never sent to server

❓ Common Questions

Can you read my secrets?

No. The encryption key never reaches our servers, making it cryptographically impossible for us to decrypt your content.

What if someone intercepts the link?

Anyone with the full link can decrypt the secret. Use password protection for sensitive data and share links through secure channels. Enable "burn after read" to ensure single-use access.

Is this really secure?

Yes. AES-256-GCM is considered unbreakable with current technology. The zero-knowledge architecture means your data is protected even if our infrastructure is compromised. However, security also depends on how you share the links.