ONETIME SECRET - v0.11.0 (2023-04-17)
Keep passwords and other sensitive information out of your inboxes and chat logs.
What is a Onetime Secret?
A one-time secret is a link that can be viewed only once. A single-use URL.
Why would I want to use it?
When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can't be read by someone else later. This allows you to send sensitive information in a safe way knowing it's seen by one person only. Think of it like a self-destructing message.
How to install
System Requirements
- Ruby >=1.9.1+, <= 2.6.6
- Redis 2.6+
- One of:
  - Docker Compose 2+
  - Any recent Linux (we use Debian, Ubuntu, Alpine, Mint, etc)
Installation - Docker Compose
docker compose build app
docker compose up
open http://localhost:7143/
Installation - Manual
Debian
sudo apt-get update
sudo apt-get install build-essential
sudo apt-get install ntp libyaml-dev libevent-dev zlib1g zlib1g-dev openssl libssl-dev libxml2 libreadline-gplv2-dev
sudo apt-get install ruby redis ruby-bundler ruby-dev
mkdir ~/sources
CentOS
sudo yum install gcc gcc-c++ make libtool git ntp
sudo yum install openssl-devel readline-devel libevent-devel libyaml-devel zlib-devel
mkdir ~/sources
Install Onetime Secret
sudo adduser ots
sudo mkdir /etc/onetime
sudo chown ots /etc/onetime
sudo su - ots
git clone https://github.com/onetimesecret/onetimesecret.git
cd onetimesecret
bundle install --frozen
bin/ots init
sudo mkdir /var/log/onetime /var/run/onetime /var/lib/onetime
sudo chown ots /var/log/onetime /var/run/onetime /var/lib/onetime
mkdir -p /etc/onetime
cp -rp etc/* /etc/onetime/
chown -R ots /etc/onetime /var/lib/onetime
chmod -R o-rwx /etc/onetime /var/lib/onetime
Development
About git cloning
The instructions above suggest cloning via the https URI. You can also clone using the SSH URI if you have a GitHub account (which is generally more convenient, but specific to GitHub).
With a GitHub account
ssh -T git@github.com
Hi delano! You've successfully authenticated, but GitHub does not provide shell access.
Without a GitHub account
ssh -T git@github.com
Warning: Permanently added the RSA host key for IP address '0.0.0.0/0' to the list of known hosts.
git@github.com: Permission denied (publickey).
NOTE: you can also use the etc directory from here instead of copying it to the system. Just be sure to secure the permissions on it:
chown -R ots ./etc
chmod -R o-rwx ./etc
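To confirm that the chown and chmod steps above took effect, on /etc/onetime or on a local ./etc, the following added example (not part of the Onetime Secret project) lists anything in a config tree that other users can still access or that the service account does not own. The function name audit_tree and its output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the Onetime Secret repository.
# audit_tree DIR OWNER  (function name and output format are assumptions)
# Lists entries under DIR that "other" can still access or that OWNER does
# not own. Returns 0 if clean, 1 if anything was reported, 2 if DIR is missing.
audit_tree() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # Entries that still grant read, write or execute to "other".
    # Symlinks are skipped: on Linux their own mode bits are not enforced.
    loose=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)

    # Entries owned by anyone except the service account (name or numeric uid).
    foreign=$(find "$dir" ! -user "$owner" -print)

    status=0
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/other-accessible: /'
        status=1
    fi
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/not owned by '"$owner"': /'
        status=1
    fi
    return "$status"
}

# Usage: sh audit.sh /etc/onetime ots
if [ "$#" -ge 2 ]; then
    audit_tree "$1" "$2"
fi
```

A non-zero exit makes the check usable as a gate in a deploy script or a periodic job.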
Update the configuration
/etc/onetime/config
- Update your secret key
  - Store it in your password manager because it's included in the secret encryption
- Add or remove locales
- Update the SMTP or SendGrid credentials
- Update the from address
  - It's used for all sent emails
- Update the limits at the bottom of the file
  - These numbers refer to the number of times each action can occur for unauthenticated users.
  - If you would like to increase the limits for authenticated users too, see [lib/onetime.rb](https://github.com/onetimesecret/onetimesecret/blob/main/lib/onetime.rb#L261-L279)
/etc/onetime/redis.conf
- The host, port, and password need to match
/etc/onetime/locale/*
- Optionally you can customize the text used throughout the site and emails
- You can also edit the :broadcast string to display a brief message at the top of every page
Running
There are many ways to run the webapp, just like any Rack-based app. The default web server we use is thin.
To run locally:
bundle exec thin -e dev -R config.ru -p 7143 start
To run on a server:
bundle exec thin -d -S /var/run/thin/thin.sock -l /var/log/thin/thin.log -P /var/run/thin/thin.pid -e prod -s 2 restart
To run with docker:
docker compose up
open http://localhost:3000/
Generating a global secret
We include a global secret in the encryption key so it needs to be long and secure. One approach for generating a secret:
dd if=/dev/urandom bs=20 count=1 | openssl sha256