SecretDrop

Encrypted file sharing for developers.

Share .env files, API keys, and configs through password-protected links or end-to-end encrypted direct transfers. Files are encrypted in your browser before upload.

AES-256-GCM encryption with PBKDF2 key derivation. The server never sees your plaintext data.

Free tier available. No credit card required.

256-bit

AES-GCM encryption

Industry-standard authenticated encryption for file content and metadata.

600K

PBKDF2 iterations

Key derivation iterations for password-based encryption key generation.

0

Plaintext on server

Zero-knowledge architecture. The server never sees your unencrypted files or passwords.

90 days

Maximum TTL

Configurable time-to-live. Bundles are automatically deleted after expiry.

Coming Soon

Your workflow, supercharged

VS Code Extension

Soon

Encrypt and share secrets without leaving your editor.

CLI Tool

Soon

Pipe secrets through your terminal and CI/CD pipelines.

Sharing secrets is a solved problem

Developers still share .env files and API keys through Slack, email, and sticky notes. These channels were not built for sensitive data.

Secrets in Slack and email

API keys and .env files shared in plain text over channels that log, index, and persist everything.

No expiry or access control

Once shared, secrets live forever in chat history. No way to revoke access or know who downloaded them.

No audit trail

When a key leaks, there is no record of who accessed it, when, or how many times it was downloaded.

The solution

How SecretDrop solves this

Encrypt files in your browser, share a link, set an expiry. Recipients enter a password to decrypt. The server never sees your data.

  • Files encrypted in the browser before upload
  • Password-protected access with configurable expiry
  • Automatic deletion after TTL or download limit
  • Full access event log for every bundle
Encrypt → Share → Decrypt

Zero-knowledge architecture

The server stores only encrypted blobs and verification hashes. Decryption happens entirely in the recipient's browser.

Features

Built for sharing secrets

Everything you need to securely share sensitive files with developers, contractors, and team members.

Encryption

Client-side AES-256-GCM encryption

Files are encrypted in your browser using AES-256-GCM before upload. The server only stores encrypted blobs. Keys are derived from your password via PBKDF2 with 600,000 iterations.

Security

Password protection

Each bundle is locked with a password. The server stores only a verification hash, never the password or encryption key.

Policies

Configurable expiry

Set time-to-live from hours to 90 days. Bundles are automatically deleted after expiry. Premium users can set download limits and failed-attempt locking.

Access

Multi-file bundles

Share multiple files in a single encrypted bundle. Upload existing files or create new ones on the fly — paste .env content directly in the browser without locating the file on disk. File names are encrypted alongside content for complete metadata protection.

Analytics

Access event tracking

Premium users can monitor who accessed their bundles, when, and how many times. Every view, attempt, and download is logged.

E2E Encryption

PREMIUM

End-to-end encrypted direct transfer

Send files directly to registered users without passwords. Each recipient's files are encrypted with their public key using ECIES (ECDH + AES-256-GCM). Private keys never leave the browser unencrypted.

Pricing

Simple, transparent pricing

Start with the free tier. Upgrade when you need more bundles, larger files, or custom policies.

Free

Free

No credit card required

For individual use and quick secret sharing.

  • 1 active bundle
  • 5 MB per file, 10 MB per bundle
  • 7-day automatic expiry
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits (not included; Premium only)
  • Failed-attempt locking (not included; Premium only)
  • Access analytics (not included; Premium only)
  • E2E Direct Transfer (not included; Premium only)
Premium

$6.58/mo (save 27%)

$79 billed yearly

For teams and developers who share secrets regularly.

  • 25 active bundles
  • 50 MB per file, 100 MB per bundle
  • Up to 90-day TTL
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits
  • Failed-attempt locking
  • Full access analytics
  • E2E Direct Transfer

Lifetime

$126 one-time

Pay once, use forever

Permanent Premium access with no recurring charges.

  • 25 active bundles
  • 50 MB per file, 100 MB per bundle
  • Up to 90-day TTL
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits
  • Failed-attempt locking
  • Full access analytics
  • E2E Direct Transfer

What You Get

  • Client-side encryption with AES-256-GCM
  • Password-protected bundles with configurable expiry
  • Automatic cleanup after TTL or download limits
  • Zero-knowledge architecture — the server cannot read your files

What You Do

  • Create a free account — no credit card required
  • Upload your files and set a password
  • Share the generated link with your recipient
  • They enter the password and download — done

Start sharing secrets securely

Create your first encrypted bundle in under a minute. Share via password-protected links or end-to-end encrypted direct transfers. Free tier available, no credit card required.

How it works

Two ways to share securely

Choose password-protected links for anyone, or end-to-end encrypted direct transfer for registered users.

Upload or create files and set a password

Your Action

Select files from your device or create new ones on the fly by pasting content directly — perfect for .env files buried deep in repos. Set a password and configure expiry. Files are encrypted in your browser with AES-256-GCM before upload.

  • Drag and drop, browse files, or create files inline by pasting content
  • Key derivation via PBKDF2 with 600,000 iterations
  • Encrypted blobs uploaded to storage — server never sees plaintext

Share the generated link

Your Action

Copy the bundle link and send it to your recipient through any channel — Slack, email, or a note. The link alone reveals nothing.

  • Share the password through a separate channel for added security
  • Optionally set download limits or failed-attempt locking

Recipient enters password to access

Automated

The recipient opens the link, enters the password, and files are decrypted in their browser. No account required.

  • Decryption happens entirely client-side
  • Access events are logged for the bundle owner
  • Bundle auto-expires after TTL or download limit

Select recipient by email

Your Action

Enter the recipient's email address. SecretDrop looks up their public encryption key automatically — no passwords to share.

  • Recipient must have a SecretDrop account with encryption keys set up
  • Public keys are looked up securely — no sensitive data is exposed
  • Multiple recipients supported — each gets a uniquely encrypted copy

Files encrypted with recipient's public key

Automated

Your files are encrypted using ECIES (Elliptic Curve Integrated Encryption Scheme) with the recipient's public key. Each recipient gets a unique encrypted blob — only their private key can decrypt it.

  • ECDH key agreement (P-256) with ephemeral keys for forward secrecy
  • AES-256-GCM encryption derived via HKDF from the shared secret
  • Sender signs the encrypted payload with ECDSA for authenticity

Recipient decrypts with their private key

Automated

The recipient logs into SecretDrop and finds the bundle in their inbox. Decryption happens entirely in the browser using their private key — the server never has access.

  • Private keys are stored encrypted — never leave the browser unencrypted
  • Sender signature verified for authenticity
  • Bundle auto-expires after TTL

Our principles

  • Zero-knowledge architecture
  • Client-side encryption
  • Automatic expiry

Expected outcome

Your secrets are shared securely

Files are encrypted, access-controlled, and automatically deleted after expiry.

Use cases

Built for developer workflows

SecretDrop fits into the way developers already share files — but with encryption, expiry, and access control.

Backend Developer

Sharing .env files with contractors

Send environment configurations to freelancers and contractors without exposing credentials in Slack or email.

Credentials shared securely with automatic cleanup after the engagement ends

  • Set expiry to match the contract duration
  • Revoke access instantly when the project is done
DevOps Engineer

Distributing API keys to team members

Share API keys, service account credentials, and access tokens with new team members during onboarding.

New team members get credentials without them persisting in chat history

  • Set download limit to 1 for single-use delivery
  • Monitor access events to confirm receipt
Tech Lead

Sending configs to deployment pipelines

Securely transmit configuration files, certificates, and secrets needed for CI/CD pipeline setup.

Sensitive deployment configs never stored in plain text outside the pipeline

  • Bundle multiple config files in a single link
  • Auto-expire after the deployment window closes
Engineering Manager

Sharing credentials during onboarding

Provide new hires with database passwords, SSH keys, and service credentials on their first day without storing them in shared docs.

Onboarding credentials delivered securely and automatically cleaned up afterward

  • Set short expiry so credentials don't linger after setup
  • Track access to confirm the new hire received everything

Other use cases

SecretDrop works for any scenario where you need to share sensitive files with a link and a password.

Comparison

See the difference

Compare sharing secrets through everyday tools versus a purpose-built encrypted channel.

Without SecretDrop

  • API keys pasted in Slack channels that persist forever
  • .env files attached to emails with no access control
  • Secrets in shared Google Docs visible to anyone with the link
  • No way to know if credentials were forwarded or downloaded
  • Manual rotation after every offboarding or contractor change
With SecretDrop

  • Files encrypted in the browser before leaving your device
  • Password-protected access with configurable expiry
  • Automatic deletion after TTL or download limit reached
  • Full access audit log — views, attempts, downloads
  • One-click revocation when access is no longer needed
  • E2E encrypted direct transfer — send to registered users without sharing a password

Why this matters

Exposed credentials are the leading cause of security breaches. The average cost of a data breach involving stolen credentials is significantly higher than other attack vectors.

Why not just use a password manager's sharing feature?

Password managers are built for credential storage, not file sharing. SecretDrop handles multi-file bundles with configurable policies, automatic expiry, and access analytics — without requiring the recipient to install anything or create an account.

  • No recipient account required — just a password and a link
  • Files encrypted client-side, not just in transit
  • Configurable policies: expiry, download limits, attempt locking
  • Open security model with documented encryption approach
  • E2E Direct Transfer for registered users — no passwords needed

Trust & Security

Security by design

SecretDrop is built around a documented security model. Here is how your data is protected.

Client-side encryption

Files are encrypted using AES-256-GCM in your browser before upload. The server receives only encrypted blobs — never plaintext.

PBKDF2 key derivation

Encryption keys are derived from your password using PBKDF2 with 600,000 iterations and SHA-256. Verification hashes use a separate derivation path.

ECIES end-to-end encryption

Direct Transfer uses ECDH (P-256) key agreement with ephemeral keys and HKDF-derived AES-256-GCM encryption. Private keys never leave your browser unencrypted.

Zero-knowledge architecture

The server stores verification hashes, not passwords or encryption keys. It cannot decrypt your files under any circumstances.

Recovery codes

Your private keys are protected by your password. If you lose access, recovery codes let you restore your encryption keys without compromising security.

Automatic expiry

Bundles are permanently deleted after their TTL expires. A cleanup job runs every 5 minutes to enforce this.

What happens if the server is compromised?

Even with full database access, an attacker cannot decrypt your files. The encryption key is derived from your password client-side and never leaves your browser. Only a verification hash — derived via a separate path — is sent to the server.

  • Encrypted blobs are useless without the password-derived key or recipient's private key
  • Private keys are encrypted before storage — never stored in plaintext on the server
  • Bundles auto-expire and encrypted data is permanently deleted

Start sharing secrets securely. Password-protected links or E2E encrypted direct transfers in under a minute.

Get Started

FAQ

Frequently asked questions

Find answers to the most common questions about SecretDrop.

General

Common questions about SecretDrop.

What is SecretDrop?

SecretDrop is an encrypted file sharing tool for developers. It lets you share .env files, API keys, and configuration files through password-protected, expiring bundles. You can upload existing files or create new ones on the fly by pasting content directly in the browser. Files are encrypted in your browser before upload using AES-256-GCM.

Can you read my files?

No. Files are encrypted in your browser before being uploaded. The server only stores encrypted blobs and a password verification hash. The encryption key is derived from your password, which is never sent to or stored on the server.

Do recipients need an account?

No. Recipients only need the bundle link and the password. There is no sign-up, no app to install, and no account required to access shared files.

Security

How SecretDrop protects your data.

What encryption does SecretDrop use?

SecretDrop uses AES-256-GCM for file encryption and PBKDF2 with 600,000 iterations for key derivation. The encryption key and password verification hash use separate derivation paths, so the verification hash cannot be used to decrypt files.

What happens when a bundle expires?

Expired bundles are automatically marked as unavailable and their encrypted files are permanently deleted from storage. A cleanup job runs every 5 minutes to enforce TTL policies.

What if someone guesses the password?

Premium users can enable failed-attempt locking, which permanently locks the bundle after a configurable number of incorrect password attempts. Rate limiting also restricts password verification to 10 attempts per minute.

E2E Direct Transfer

Questions about end-to-end encrypted transfers.

What is E2E Direct Transfer?

E2E Direct Transfer lets you send encrypted files directly to a registered SecretDrop user by email. Files are encrypted in your browser using the recipient's public key (ECIES with P-256 ECDH and AES-256-GCM). Only the recipient's private key can decrypt them — no shared password required.

How is Direct Transfer different from password-protected bundles?

Password-protected bundles use a shared password for encryption and can be accessed by anyone with the link and password. Direct Transfer uses public-key cryptography — files are encrypted for a specific recipient and only they can decrypt them. Direct Transfer requires both sender and recipient to have SecretDrop accounts.

Where is my private key stored?

Your private key is encrypted with a passphrase derived from your account password (or a separate passphrase for OAuth users) and stored on the server in encrypted form. The server never has access to your unencrypted private key. During a session, decrypted keys are held in sessionStorage and cleared when you close the tab.

What happens if I lose my encryption passphrase?

During key pair setup, you receive 8 one-time recovery codes. Use any one of these codes to recover your encrypted private keys. Store your recovery codes in a password manager or other secure location — they are shown only once.

Can I send a Direct Transfer to someone who isn't registered?

No. Direct Transfer requires the recipient to have a SecretDrop account with a key pair. If the recipient is not registered, you will see a warning when entering their email. You can still use a password-protected bundle to share files with anyone.

Is Direct Transfer available on the free plan?

No. E2E Direct Transfer is a premium feature available on the Premium and Lifetime plans. The free tier supports password-protected bundles with client-side AES-256 encryption.

Pricing

Plans and billing details.

What is included in the free tier?

The free tier includes 1 active bundle, 5 MB per file (10 MB per bundle), and a fixed 7-day expiry. Client-side encryption, password protection, and inline file creation are included on all tiers.

What does Premium include?

Premium includes 25 active bundles, 50 MB per file (100 MB per bundle), configurable TTL up to 90 days, custom download limits, failed-attempt locking, and full access analytics. Available at $9/month, $79/year, or $126 lifetime.

Still have questions?

Can't find what you're looking for? We're here to help.

jovanovic@thecodecave.de

We typically respond within 24 hours.

Browse Knowledge Base