How It Works
SecretDropBox uses zero-knowledge encryption to ensure your secrets remain private
Client-Side Encryption
Your secrets are encrypted in your browser before being sent to our servers
- AES-256-GCM encryption in your browser
- Encryption key generated locally
- We never see your unencrypted data
- Uses Web Crypto API for security
Zero-Knowledge Architecture
The decryption key never leaves your device
- Key stored in URL fragment (#)
- Fragments are never sent to servers
- Only you and the recipient have the key
- Impossible for us to decrypt your secrets
One-Time Access
Secrets are automatically deleted after viewing
- Deleted immediately after first view
- No way to recover once viewed
- Perfect forward secrecy
- Links become invalid after use
Automatic Expiration
All secrets expire automatically for security
- Maximum 7-day lifetime
- Deleted even if never viewed
- No permanent storage
- Reduces attack surface
What We Store
Transparency about our data handling
✓ What we store:
- Encrypted ciphertext (unreadable without your key)
- Initialization vector (public, needed for decryption)
- Expiration timestamp
- Random secret ID
✗ What we never store:
- Your original secret text
- The decryption key
- Your IP address or personal information
- Any tracking cookies or analytics
Security Process
Step-by-step breakdown of how your secrets stay secure
1. You enter your secret
   Type your password, API key, or sensitive message
2. Browser generates encryption key
   A random 256-bit AES key is created in your browser
3. Secret is encrypted locally
   Your secret is encrypted using AES-256-GCM in your browser
4. Encrypted data is stored
   Only the encrypted ciphertext is sent to our servers
5. Secure link is generated
   The decryption key is embedded in the URL fragment (#)
6. Recipient decrypts in browser
   The secret is decrypted client-side and immediately deleted
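The steps above, sketched with the Web Crypto API as an added example. It is not SecretDropBox's own code; the function names, the `/s/<id>` link layout and the record field names are assumptions.

```javascript
// Added illustration, not SecretDropBox's code. Function names, the /s/<id>
// path and the stored-record field names are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for Node < 19

// base64url helpers (fine for short secrets; the spread has argument-count limits)
const toB64Url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};

// Steps 2-5, sender side: returns the record uploaded to the server and the link.
async function createSecretLink(plaintext, baseUrl, secretId) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per secret
  const data = new TextEncoder().encode(plaintext);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, data));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  const stored = { id: secretId, iv: toB64Url(iv), ciphertext: toB64Url(ct) };
  return { stored, link: `${baseUrl}/s/${secretId}#${toB64Url(rawKey)}` };
}

// What the browser puts on the wire when the link is opened: path and query only.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Step 6, recipient side: key comes from the fragment, ciphertext and IV from the server.
async function openSecret(link, stored) {
  const rawKey = fromB64Url(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  // decrypt() rejects if the GCM tag does not verify (wrong key or altered ciphertext)
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64Url(stored.iv) }, key, fromB64Url(stored.ciphertext));
  return new TextDecoder().decode(pt);
}
```

The fragment stays out of the HTTP request, but it is still part of the link itself, so it remains in browser history and in any channel the link is pasted into.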
Trust Through Transparency
Our zero-knowledge architecture means we literally cannot read your secrets, even if we wanted to. The encryption happens in your browser, and the decryption key never leaves your device.