Zero-knowledge, client-side encrypted secret sharing.
This repository contains the security-critical source code for Secure Share by BytesBit.
When you paste a password, API key, or credential into Secure Share, you're trusting us with sensitive data. We believe that trust should be verifiable, not just claimed.
This repository publishes the exact source code that handles encryption, server communication, and data storage — so anyone can audit the zero-knowledge claims we make.
| File | Purpose |
|---|---|
| `src/crypto.ts` | All encryption and decryption logic (AES-256-GCM, PBKDF2) |
| `src/secure-share-api.ts` | Supabase API layer — what gets sent to the server |
| `schema/001_create_burn_messages.sql` | Database schema — what the server stores |
| `SECURITY.md` | Full architecture deep-dive |
| `THREAT_MODEL.md` | What-if scenarios and mitigations |
```
You type your secret
        ↓
Your browser generates an AES-256-GCM key        ← client-side only
        ↓
Your browser encrypts the plaintext              ← client-side only
        ↓
Only the ciphertext + IV are sent to the server  ← server never sees the key
        ↓
The server returns a UUID
        ↓
Your browser builds the link:
https://bytesbit.app/secure-share#UUID:KEY
                                  ↑
        URL fragment — never sent to the server (RFC 3986 §3.5)
```
When the recipient opens the link:

- The server returns the ciphertext and atomically deletes it (a single `DELETE ... RETURNING` SQL statement)
- The browser extracts the key from the `#fragment`
- The browser decrypts the ciphertext locally
- The plaintext is displayed — it never existed on the server
| Column | Contains | Can decrypt? |
|---|---|---|
| `id` | Random UUID | N/A |
| `ciphertext` | AES-256-GCM encrypted blob (base64) | ❌ No key |
| `iv` | Initialization vector (base64) | Useless alone |
| `salt` | PBKDF2 salt (if passphrase used) | Useless alone |
| `expires_at` | TTL timestamp | N/A |
The server never receives: the plaintext, the encryption key, the passphrase, or any sender metadata.
| Purpose | Algorithm | Parameters |
|---|---|---|
| Encryption | AES-256-GCM | 256-bit key, 96-bit IV |
| Key generation | `crypto.subtle.generateKey()` | Exportable |
| Passphrase derivation | PBKDF2 | 600,000 iterations, SHA-256, 128-bit salt |
| Key encoding | Base64url | URL-safe, no padding |
The crypto module is a standalone TypeScript file with zero dependencies (it uses only the browser's native Web Crypto API):

```bash
# Verify the encryption round-trip
npx tsx verify.ts
```

- 🔒 Live app: bytesbit.app/secure-share
- 📖 Security architecture: SECURITY.md
- 🛡️ Threat model: THREAT_MODEL.md
- 📜 Privacy policy: bytesbit.app/privacy
If you discover a security vulnerability, please email security@bytesbit.app. We will respond within 48 hours.
MIT — see LICENSE.