Open-Source Zero-Knowledge Secure Drop Box & Stealth Chat
In an era where every written word settles forever on corporate servers, we brought back the magic of secret letters that turn to ash.
SmoldPaper is a free, self-hosted, client-side encrypted platform for exchanging sensitive information. It allows two parties to communicate across compromised or monitored channels, like Telegram, WhatsApp, or Discord, without leaving a single trace on the server.
No accounts. No logs. No cookies. No trace.
The server is mathematically blind. Even if seized by authorities, it contains only cryptographic noise indistinguishable from random data.
We destroyed the old complex architecture. SmoldPaper is now an elegantly simple 3-file solution:
| File | Purpose |
|---|---|
| `index.html` | The entire frontend: UI, encryption engine, 5 languages |
| `api.php` | The entire backend: API, database, cleanup, rate limiting |
| `admin.php` | Hidden admin panel for customization |
No Node.js. No Docker. No npm. No build tools. No dependency hell. Just drop three files on any $2/month PHP hosting and you're protected.
Write a secret note, encrypt it with a password, get a link. The note is physically erased from the server the exact millisecond it's opened. Or set a timer: 1h, 6h, 12h, 24h.
Create an encrypted room, get an invite link, send it to someone. They enter the shared password, and you both chat with E2E encryption. Once two people are in, the room is sealed forever: nobody else can join, even with the link. When you're done, it self-destructs. The old link becomes a dead end.
The most advanced mode, designed for hostile environments. You agree on a password and a code word with your contact. Then you chat normally in any messenger. When the code word appears in a message, that entire message becomes the key to a hidden encrypted room in SmoldPaper. To any outside observer, nothing unusual happened.
Full localization: English, Русский, Deutsch, Français, Español. Every screen, every button, every instruction, professionally translated. Built-in demo videos switch automatically per language.
Warm dark theme, light theme, adjustable font sizes, notification sounds. Mobile-first responsive design. PWA support: install as an app on your phone.
A unique visual fingerprint (Color · Animal · Object) derived from the room hash. Both participants see the same code; if it doesn't match, someone is intercepting.
Hidden admin panel (admin.php?manage=1) to customize all UI texts, translations, video embeds, and the admin password. No database editing required.
Each feature has an embedded video tutorial right in the interface. Videos switch automatically based on the selected language. Supports local MP4 files, YouTube (via privacy-enhanced youtube-nocookie.com), and Vimeo (with dnt=1, Do Not Track). Even the video embeds respect your privacy.
This is what makes SmoldPaper unique. It's not just a tool; it's a communication protocol designed for hostile environments.
Agree with your contact on two things: a shared password and a code word. Do this in person or through a channel you trust. This only needs to happen once.
Chat normally on WhatsApp, Telegram, Signal, wherever. When you need to start a secret conversation, send a message containing the code word. For example:
"Buddy, take a look at the report when you can."
The code word tells your contact: "this entire message is the key."
Your contact sees the code word → copies the entire message → opens SmoldPaper → pastes it as the stealth phrase → enters the shared password → both of you are in the same encrypted room.
Communicate securely. When you're done, the room burns without a trace.
To any outside observer, you were just chatting about everyday things. The secret conversation happened in a place that no longer exists.
```
Your Password
      │
      ▼
┌─────────────────────────┐
│  PBKDF2 (SHA-256)       │
│  50,000 iterations      │
│  + random 128-bit salt  │
│           │             │
│           ▼             │
│  256-bit AES Key        │
└─────────────────────────┘
      │
      ▼
┌─────────────────────────┐
│  AES-256-GCM Encrypt    │
│  + random 96-bit IV     │
│           │             │
│           ▼             │
│  Salt + IV + Ciphertext │
│  (Base64 encoded)       │
└─────────────────────────┘
      │
      ▼
Server receives ONLY this
(indistinguishable from noise)
```
Key points:
- 50,000 PBKDF2 iterations: even a supercomputer needs centuries to brute-force a decent password
- Random salt per message: identical passwords produce different ciphertexts
- AES-GCM authenticated encryption: detects any tampering
- The server never sees the password: decryption happens exclusively in the recipient's browser
- Web Crypto API: uses the browser's native, audited cryptographic engine (no JavaScript crypto libraries)
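
The envelope from the diagram and key points above, built with the Web Crypto API and the stated parameters. This is an added example, not SmoldPaper's own code: the field order (salt, IV, ciphertext) is assumed from the diagram, and the function names and sample password are hypothetical.

```javascript
// Added example (not SmoldPaper's code). Envelope layout assumed from the diagram:
// Base64( salt[16] || iv[12] || AES-GCM ciphertext with its 16-byte tag )
const wc = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, ITERATIONS = 50000;
const toB64 = (u8) => { let s = ''; for (const b of u8) s += String.fromCharCode(b); return btoa(s); };
const fromB64 = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function sealNote(password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per message
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));     // fresh per message
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  blob.set(salt, 0); blob.set(iv, SALT_LEN); blob.set(ct, SALT_LEN + IV_LEN);
  return toB64(blob); // the only thing the server would ever receive
}

async function openNote(password, envelope) {
  const blob = fromB64(envelope);
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('envelope too short');
  const salt = blob.slice(0, SALT_LEN);
  const iv = blob.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(password, salt);
  // decrypt() rejects if the key is wrong or any byte was altered (GCM tag check)
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, blob.slice(SALT_LEN + IV_LEN));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const pw = 'correct horse battery staple';       // constructed sample password
  const a = await sealNote(pw, 'meet at noon');    // constructed sample note
  const b = await sealNote(pw, 'meet at noon');
  const tampered = fromB64(a); tampered[tampered.length - 1] ^= 1; // flip one tag bit
  const attempt = (p, e) => openNote(p, e).then(() => 'opened', () => 'rejected');
  return { roundTrip: await openNote(pw, a), envelopeBytes: fromB64(a).length,
           distinct: a !== b, wrongPassword: await attempt('guess', a),
           tampered: await attempt(pw, toB64(tampered)) };
}
```

Because the salt, IV and iteration count travel in the clear inside the envelope, resistance to offline guessing rests on the strength of the password.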

Requirements:
- Any web server with PHP 7.4+ (Apache, Nginx, LiteSpeed)
- PDO SQLite extension (enabled by default on 99% of hosts)
- That's it. Seriously.

Installation:
- Download the latest release
- Upload `index.html`, `api.php`, `admin.php`, `manifest.json`, and `favicon.svg` to your web server
- Open your domain in the browser
- Done.

On first run, api.php automatically:
- Creates a secure `/data` directory
- Initializes the `smoldpaper.sqlite` database (WAL mode, optimized)
- Configures `.htaccess` to block direct database access
- Sets up rate limiting storage
SmoldPaper includes built-in video tutorials that appear inside the "How to use" sections. To enable them:
- Download the video pack from the latest release assets
- Place the MP4 files in the same directory as `index.html`
- Videos are available in English and Russian. The app automatically shows the correct language version

File names expected by default:
- English: `1 en_smaller.mp4`, `2 en_smaller.mp4`, `3 en_smaller.mp4`
- Russian: `1 ru_smaller.mp4`, `2 ru_smaller.mp4`, `3 ru_smaller.mp4`

You can change video URLs per language via the Admin Panel, including YouTube and Vimeo links.
Access the hidden Admin Panel:
- Navigate to `yourdomain.com/admin.php?manage=1`
- Default password: `smoldpaper`. ⚠️ Change this immediately after first login!
The panel allows you to:
- Edit all interface texts in all 5 languages
- Set video/GIF URLs for each language and feature
- Change the admin password
Without ?manage=1, the admin page returns a convincing 404.
| Layer | Implementation |
|---|---|
| Encryption | AES-256-GCM (Web Crypto API) |
| Key Derivation | PBKDF2-SHA256, 50,000 iterations |
| Data at Rest | Only ciphertext stored (zero-knowledge) |
| Deletion | Hard DELETE SQL: no soft-deletes, no recovery |
| Transport | HTTPS (your server's TLS) |
| MITM Detection | Visual hash fingerprinting (Color · Animal · Object) |
| XSS Protection | DOM-based sanitization of all rendered Markdown |
| Race Conditions | Atomic SQLite transactions (BEGIN IMMEDIATE) |
| Rate Limiting | 120 req/min per IP, file-based, no Redis needed |
| Admin Access | bcrypt password hashing, hidden endpoint |
| Session Recovery | sessionStorage for chat key (survives page refresh, cleared on tab close) |
| Video Embeds | YouTube via youtube-nocookie.com, Vimeo with dnt=1 |
| External Calls | Zero. Markdown parser (marked.js) is bundled inline |

SmoldPaper does not:
- ❌ Store passwords or encryption keys
- ❌ Use cookies or tracking
- ❌ Log IP addresses
- ❌ Keep any record of destroyed messages
- ❌ Phone home to any external server
- ❌ Load any external resources

- Built-in video guides: MP4, YouTube (nocookie), Vimeo (DNT) support per language
- Rate limiting: 120 req/min per IP, file-based
- OG meta tags & Twitter Cards: rich link previews when sharing
- PWA manifest: installable as a mobile app
- Marked.js bundled inline: zero external CDN calls, 100% autonomous
- Session recovery: chat key survives page refresh via sessionStorage
- Character counter for notes with size warning
- Refined light theme: warm cream palette with proper contrast
- Note textarea: 300px min height, auto-expand, resizable
- Styled destruction message: highlighted yellow banner, impossible to miss
- All code comments in English for international contributors
- Quick Chat: invite-link-based E2E encrypted chat rooms
- Rooms sealed at 2 participants: third person sees "expired"
- Dead rooms persist 24h as decoys, then auto-cleanup
- Visual hash verification for Quick Chat rooms
- Quick Chat translations for all 5 languages
- Mobile-optimized tabs for 3-tab layout
- DOM-based XSS sanitization for Markdown
- Atomic room creation with `BEGIN IMMEDIATE`
- Server-side sender validation
- Full professional translations for all 5 languages
- Rewritten "About" page across all languages
- New tagline: "Privacy is a Right."
- Eliminated entire Node.js/NPM build system
- Reduced to 3 files: `index.html`, `api.php`, `admin.php`
- Added Stealth Chat with real-time E2E encryption
- Added admin panel with multi-language text editor
- Added visual hash anti-MITM system
We share this app for free with everyone in the world because every person has the right to privacy.
This app will protect many from persecution and may even save someone's life.
Maintaining servers and development requires funding:
The development of this project depends entirely on you!
Share the link with your friends and the whole world so people always have the ability to communicate confidentially, even where it seems impossible at first glance.
Star this repo: it costs nothing and helps others discover SmoldPaper.
This service is provided "as is". The owner assumes no liability. Using this service for illegal activities is strictly prohibited. Designed exclusively for privacy and free speech.
MIT License. Copyright (c) 2025–2026 SmoldPaper Contributors.
Built with paranoia and love.