Stop Leaking Secrets: Why Devs Are Ditching Pastebin for Cryptgeon
What if I told you that every "private" note you've ever shared through a pastebin service was readable by someone else? That "confidential" API key you sent to your teammate. That database password you desperately needed to transfer. That sensitive log file you uploaded for debugging. All of it. Sitting on someone else's server, unencrypted, waiting to be leaked in the next data breach.
Here's the brutal truth: most developers treat secure sharing as an afterthought. We paste secrets into Slack. We email private keys. We use "private" pastebin services that store everything in plaintext on their servers. Then we act surprised when credentials show up on Have I Been Pwned.
But what if there was a tool designed from the ground up so that even the server itself cannot read your data? A tool where notes literally self-destruct after reading, leaving zero forensic trace? Enter cryptgeon, the open-source, end-to-end encrypted sharing service that's making developers rethink everything they thought they knew about secure communication. Built in Rust and Svelte, inspired by PrivNote but engineered for the modern DevOps era, cryptgeon isn't just another pastebin alternative. It's a paradigm shift in how we think about ephemeral data sharing.
What is cryptgeon?
Cryptgeon is a secure, open-source note and file sharing service created by cupcakearmy and hosted at github.com/cupcakearmy/cryptgeon. Inspired by the popular PrivNote service, cryptgeon takes the concept of self-destructing messages and elevates it with modern cryptography, complete infrastructure transparency, and developer-first deployment options.
What makes cryptgeon genuinely different from the sea of "secure" sharing tools? True client-side encryption with zero server knowledge. The server never possesses the encryption key. It cannot decrypt contents even under legal coercion. It cannot accidentally leak what it cannot read. This isn't marketing fluff; it's cryptographic architecture baked into every layer.
The project is written in Rust for the backend (performance, memory safety, fearless concurrency) and Svelte for the frontend (compiled, minimal JavaScript, exceptional reactivity). This technology stack isn't accidental. Rust's zero-cost abstractions and memory safety guarantees make it ideal for cryptographic operations where timing attacks and buffer overflows could compromise security. Svelte's compile-time optimization ensures the client-side encryption happens with minimal attack surface.
Cryptgeon is trending among privacy-conscious developers, self-hosting enthusiasts, and security teams who refuse to trust third-party SaaS with their most sensitive data. With Docker images pulling steadily, an active Discord community, and even a Product Hunt feature, it's rapidly becoming the go-to solution for teams who need verifiable security, not just security theater.
Key Features That Make cryptgeon Insane
True Client-Side Encryption with AES-GCM
Every note generates a 256-bit ID and 256-bit key. The ID retrieves the note; the key decrypts it. Encryption happens in your browser using AES in GCM mode before data ever touches the network. The server receives an opaque blob it cannot decipher. This is zero-knowledge architecture implemented correctly, not merely claimed in a privacy policy.
Ephemeral by Design: No Persistence, No Recovery
Data lives exclusively in memory in Redis, started with --save "" --appendonly no. No disk writes. No backups to subpoena. No logs to leak. Once the memory is cleared, the data is gone: there is no snapshot or append-only file to restore from. For threat models involving legal compulsion or infrastructure compromise, this is transformative.
Configurable View and Time Constraints
Set notes to expire after N views, N minutes, or both. Need a one-time password share? Single view, immediate destruction. Need a team standup link for 24 hours? Time-bounded with multiple views. The ALLOW_ADVANCED environment variable lets administrators restrict or permit these options organization-wide.
Text and File Support
Share code snippets, configuration files, certificates, or binary artifacts up to your configured SIZE_LIMIT (default 1 KiB, maximum 512 MiB). The frontend transparently accounts for ~35% base64 encoding overhead, so users see realistic limits.
Obligatory Dark Mode
Because any developer tool shipping without dark mode in 2024 would be professionally negligent. The UI is clean, minimal, and purpose-built for quick sharing without cognitive overhead.
Multi-Interface Ecosystem
Web interface for casual use. CLI (npx cryptgeon) for automation and scripting. Raycast extension for power-user workflows. This isn't a toy project; it's infrastructure with multiple access patterns.
Real-World Use Cases Where cryptgeon Shines
1. DevOps Secret Rotation and Emergency Access
Your production database master password needs to reach the on-call engineer. Slack DMs are logged. Email traverses multiple servers. A cryptgeon note with single-view constraint ensures the credential exists in exactly one place for exactly one retrieval, then evaporates. Audit trails show that access occurred, not what was accessed.
2. Security Researcher Vulnerability Disclosure
You've found a critical RCE in a vendor's product. Their HackerOne is unresponsive. You need to send proof-of-concept code and reproduction steps without creating a permanent record that could be FOIA'd or subpoenaed later. Cryptgeon's memory-only storage means even you cannot recover the note after sending: plausible deniability meets responsible disclosure.
3. CI/CD Pipeline Artifact Sharing
Build pipelines generate sensitive artifacts: signed binaries, container image digests, SBOMs with vulnerability data. Rather than persisting these in artifact repositories with indefinite retention, cryptgeon enables time-bounded distribution to QA teams or release managers with automatic expiration.
4. Journalist-Source Communication
For developers building tools for investigative journalism, cryptgeon provides a self-hostable component in a broader secure communication stack. Sources can upload documents with view limits, journalists retrieve once, and no server operator can be compelled to produce what they never possessed.
5. Temporary API Key Distribution
Microservice architectures require frequent key rotation. Rather than baking secrets into configuration management with persistent state, services can generate temporary credentials shared via cryptgeon, consumed by dependent services, and automatically invalidated through expiration rather than explicit revocation.
Step-by-Step Installation & Setup Guide
Prerequisites
- Docker and Docker Compose (recommended)
- A server with HTTPS termination (required for Web Crypto API support)
- Basic understanding of reverse proxy configuration (NGINX, Traefik, or Caddy)
Docker Compose Deployment (Production-Ready)
Create a docker-compose.yml file:
```yaml
# docker-compose.yml
version: '3.8'
services:
  redis:
    image: redis:7-alpine
    # CRITICAL: This keeps Redis in RAM only, no disk persistence
    # Without these flags, Redis would write to disk, creating recoverable data
    command: redis-server --save "" --appendonly no
    # tmpfs prevents anonymous volume creation and ensures pure memory storage
    tmpfs:
      - /data
    # Optional: Set memory limits with eviction policy
    # command: redis-server --save "" --appendonly no --maxmemory 1gb --maxmemory-policy allkeys-lru
    restart: unless-stopped
  app:
    image: cupcakearmy/cryptgeon:latest
    depends_on:
      - redis
    environment:
      # Redis connection URL; matches the service name above
      REDIS: redis://redis/
      # Maximum single note size (includes ~35% encoding overhead)
      SIZE_LIMIT: 4 MiB
      # Maximum views allowed per note
      MAX_VIEWS: 100
      # Maximum expiration in minutes (6 hours default max)
      MAX_EXPIRATION: 360
      # Allow users to configure custom view/expiration settings
      ALLOW_ADVANCED: "true"
      # Enable file uploads (set to "false" for text-only instances)
      ALLOW_FILES: "true"
      # Verbosity: error, warn, info, debug, trace
      VERBOSITY: warn
    ports:
      # Map host port 80 to container port 8000
      - 80:8000
    restart: unless-stopped
    # Optional: Health check for orchestration platforms
    # healthcheck:
    #   test: ["CMD", "curl", "--fail", "http://127.0.0.1:8000/api/live/"]
    #   interval: 1m
    #   timeout: 3s
    #   retries: 2
    #   start_period: 5s
```
Deploy with:
```bash
# Create the directory and compose file
mkdir cryptgeon && cd cryptgeon
# Paste the docker-compose.yml above, then:
docker compose up -d
# Verify services are healthy
docker compose ps
docker compose logs -f app
# Test the health endpoint
curl http://localhost/api/health/
# Expected: HTTP 200 when ready, 503 during startup
```
HTTPS Configuration (Required)
The Web Crypto API requires a secure context. Without HTTPS, crypto.subtle methods throw SecurityError.
Option A: NGINX Reverse Proxy
See examples/nginx in the repository for complete configurations including certificate paths and server names.
Option B: Traefik 2
See examples/traefik for Docker labels and middleware configuration.
Option C: Cloudflare Tunnel
For rapid deployment without certificate management:
```bash
# Run cloudflared as a container; YOUR_TOKEN is the tunnel token from the Cloudflare dashboard
docker run --rm cloudflare/cloudflared:latest tunnel --no-autoupdate run --token YOUR_TOKEN
```
Development Environment Setup
For contributors or those customizing cryptgeon:
```bash
# Clone the repository
git clone https://github.com/cupcakearmy/cryptgeon.git
cd cryptgeon
# Install dependencies (requires pnpm >=9, node >=22, rust 2021 edition)
pnpm install
# Install cargo-watch for auto-recompilation during development
cargo install cargo-watch
# Start all services: redis, rust backend, svelte client, cli
pnpm run dev
# Access the application
open http://localhost:3000
```
The pnpm run dev command orchestrates four parallel processes via the root package.json, providing hot-reload for both frontend and backend modifications.
REAL Code Examples from the Repository
Example 1: CLI Quick Send
The simplest possible usage is sending a secret note directly from the terminal, without touching the web interface:
```bash
# Send a text note instantly via npx; no installation required
npx cryptgeon send text "This is a secret note"
```
What's happening under the hood: The CLI generates a 256-bit key locally, encrypts your message with AES-GCM inside your terminal's Node.js process, transmits only the ciphertext to the cryptgeon server, and returns a shareable URL carrying the note ID and the key, with the key in the URL fragment (the part after #), which browsers never send to the server in HTTP requests. The recipient's browser performs the same client-side decryption using the key taken from the fragment.
Practical pattern: Pipe command output directly into cryptgeon for secure log sharing:
```bash
# Share the last 100 lines of a service log as a single-view note that also
# expires after 60 minutes. The text is passed as the positional argument via
# command substitution; confirm option names with `npx cryptgeon send text --help`.
npx cryptgeon send text "$(journalctl -u myapp --lines=100)" --views 1 --expires 60
```
Example 2: Docker Compose Production Configuration
This production-hardened variant, adapted from the README's deployment section, adds explicit security annotations to each control:
```yaml
# docker-compose.yml: production variant with security annotations
version: '3.8'
services:
  redis:
    image: redis:7-alpine
    # SECURITY: Explicitly disable all persistence mechanisms
    # --save "" removes all RDB snapshot rules
    # --appendonly no disables AOF logging
    # Combined: Redis never writes note data to disk
    command: redis-server --save "" --appendonly no
    # SECURITY: tmpfs mount ensures /data is a pure RAM filesystem
    # Even if Redis is misconfigured, there is no physical storage backing it
    tmpfs:
      - /data
    # PERFORMANCE: Optional memory limits prevent DoS from huge uploads
    # Uncomment and adjust based on your infrastructure:
    # command: redis-server --save "" --appendonly no --maxmemory 1gb --maxmemory-policy allkeys-lru
    restart: unless-stopped
  app:
    image: cupcakearmy/cryptgeon:latest
    depends_on:
      - redis
    environment:
      # Connection to Redis service (Docker DNS resolution)
      REDIS: redis://redis/
      # SECURITY: Limit single note size to prevent memory exhaustion
      # 4 MiB allows substantial code/config files while bounding impact
      SIZE_LIMIT: 4 MiB
      # POLICY: Maximum views prevents brute-force re-retrieval
      MAX_VIEWS: 100
      # POLICY: Maximum expiration bounds data lifetime
      MAX_EXPIRATION: 360
      # FEATURE GATE: Allow advanced settings (views, expiration customization)
      # Set to "false" for strict one-view-only organizational policy
      ALLOW_ADVANCED: "true"
      # FEATURE GATE: Enable file uploads
      # Set to "false" for text-only deployment (reduces attack surface)
      ALLOW_FILES: "true"
    ports:
      - 80:8000
    restart: unless-stopped
```
Critical security insight: The tmpfs mount combined with --save "" --appendonly no creates defense-in-depth. Even with Redis container compromise, grep through the filesystem reveals no note content. Forensic disk imaging of the host recovers nothing from Redis's /data directory. What remains in RAM while a note is live is only the ciphertext the client uploaded; the key never reached the server, so a memory dump of the Redis process yields nothing readable either.
Example 3: Environment Variable Customization for Theming
Enterprise deployments often require white-labeling. Cryptgeon exposes comprehensive theming without code modification:
```yaml
# docker-compose.yml environment section for branded deployment
environment:
  # Core functionality (shown previously)
  REDIS: redis://redis/
  SIZE_LIMIT: 4 MiB
  # THEME: Replace default logo with organization branding
  # Must be a publicly reachable URL (served via HTTPS for CSP compliance)
  THEME_IMAGE: "https://assets.mycompany.com/logo-dark.svg"
  # THEME: Custom description below logo
  THEME_TEXT: "Secure internal note sharing - IT Security approved"
  # THEME: Browser tab title and bookmark name
  THEME_PAGE_TITLE: "MyCompany SecureShare"
  # THEME: Custom favicon for browser chrome
  THEME_FAVICON: "https://assets.mycompany.com/favicon.ico"
  # UX: Disable the ephemeral storage notice for internal deployments
  # where users already understand the memory-only architecture
  THEME_NEW_NOTE_NOTICE: "false"
  # COMPLIANCE: Link to legal imprint for regulatory requirements
  # IMPRINT_URL takes precedence over IMPRINT_HTML
  IMPRINT_URL: "https://mycompany.com/legal/imprint"
  # Alternative: embed HTML directly (use only one)
  # IMPRINT_HTML: "<p>MyCompany Inc. - <a href='mailto:legal@mycompany.com'>Contact</a></p>"
```
Deployment pattern: For multi-tenant SaaS providers, run multiple cryptgeon instances with different THEME_* configurations behind path-based routing, offering branded secure sharing as a value-add service.
Example 4: End-to-End Testing with Playwright
From the development section, the testing infrastructure validates the entire encryption flow:
```bash
# Prepare test environment (installs browsers, builds application)
pnpm run test:prepare
# Run full test suite across all configured browsers
pnpm run test
# Rapid development iteration: single browser, faster feedback
pnpm run test:local
```
The Playwright tests verify the complete cycle: note creation with client-side encryption, server storage of opaque ciphertext, retrieval with correct key, decryption in browser, and guaranteed deletion after view limit. The Postman collection supplements this with API-level testing for CI/CD integration.
Advanced Usage & Best Practices
Threat Model Hardening
For maximum assurance, self-host on infrastructure you control and terminate TLS with a reverse proxy that does not log requests, with Cloudflare's "No Logs" mode, or directly on the cryptgeon host. HTTPS protects data in transit, but whoever terminates TLS for you can log metadata: when notes were created and from which address, even though never what they contain.
Redis Memory Optimization
Monitor used_memory and configure maxmemory with allkeys-lru eviction. Notes evicted by memory pressure are irrecoverably lost; design your SIZE_LIMIT and MAX_EXPIRATION to prevent legitimate data loss while bounding resource consumption.
High Availability Considerations
The README explicitly warns: multiple cryptgeon instances sharing one Redis encounter race conditions on view counting. For HA deployments, either accept potential over-delivery of views (often acceptable for low-sensitivity use), or architect with sticky sessions pinning users to single instances.
Pre-Deployment Validation
Always verify /api/health/ returns 200 before adding to load balancer rotation. The 503 response during startup prevents failed requests during deployment rollouts.
Monitoring Integration
The VERBOSITY environment variable accepts standard Rust env_logger levels. For production, warn balances observability with performance. For debugging encryption failures, temporarily elevate to debug, but never run trace in production, as cryptographic operations could leak timing information through verbose logging.
Comparison with Alternatives
| Feature | cryptgeon | PrivNote | Standard Pastebin | 0bin | PrivateBin |
|---|---|---|---|---|---|
| Client-side encryption | Yes, AES-256-GCM | Claimed | None | Yes | Yes |
| Server cannot decrypt | Yes, cryptographically | Unverifiable | No, plaintext | Yes | Yes |
| Memory-only storage | Yes, Redis with no disk | Unknown | No, persistent DB | Varies | Varies |
| Open source | Yes, Rust + Svelte | No, proprietary | No, proprietary | Yes, Python | Yes, PHP |
| Self-hostable | Yes, Docker, easy | No | No | Yes, complex | Yes, moderate |
| File sharing | Yes, built-in | No, text only | Unencrypted | No, text only | Limited |
| CLI tool | Yes, npx cryptgeon | No | No | No | No |
| API/Automation | Yes, full REST + Postman | Manual only | Limited | Partial | Partial |
| Modern tech stack | Yes, Rust 2021 + Svelte | Unknown | Legacy | Python | PHP |
| Raycast integration | Yes, official extension | No | No | No | No |
Why cryptgeon wins: The combination of verifiable zero-knowledge architecture, memory-only persistence, modern performance-oriented stack, and developer-experience features (CLI, Raycast, comprehensive Docker deployment) creates a tool that doesn't merely match alternatives but fundamentally redefines what's expected from secure sharing infrastructure.
FAQ
Is cryptgeon truly zero-knowledge? Can the server ever decrypt my notes?
No. The encryption key exists only in the URL fragment (after #) which browsers never send to servers. The server receives only the ciphertext and the note ID. Without the key, AES-256-GCM decryption is computationally infeasible. This is verifiable in the open-source client code.
What happens if Redis restarts? Do I lose all notes?
Yes, by design. The redis-server --save "" --appendonly no configuration explicitly prevents persistence. This is a security feature, not a bug. If you require note recovery, cryptgeon's threat model doesn't match your use case; consider encrypted persistent storage instead.
Can I increase the maximum file size beyond 512 MiB?
No. The SIZE_LIMIT has a hard ceiling of 512 MiB to prevent memory exhaustion attacks. For larger transfers, cryptgeon isn't the appropriate tool; use dedicated encrypted file transfer such as Magic Wormhole or OnionShare.
Does cryptgeon work without HTTPS?
No, and this is non-negotiable. The Web Crypto API's crypto.subtle requires a secure context (HTTPS or localhost). HTTP deployments will fail with SecurityError during encryption operations. Use reverse proxy, Cloudflare Tunnel, or Tailscale for internal deployments without public certificates.
How do I back up or migrate my cryptgeon instance?
You don't, and you can't. The architecture intentionally prevents this. For configuration migration, version-control your docker-compose.yml and environment variables. Note data is inherently non-migratable by design.
Is there an API for programmatic integration?
Yes. The REST API powers the web interface, CLI, and Raycast extension. The Postman collection documents endpoints. For automation, the CLI (npx cryptgeon) provides the simplest integration path.
Can I restrict my instance to text-only, no file uploads?
Set ALLOW_FILES=false. All notes become text-only, reducing attack surface and simplifying compliance. Combine with ALLOW_ADVANCED=false for mandatory single-view, immediate-destruction policy.
Conclusion
We've been conditioned to accept that "private" sharing means "trust us, we won't look." Cryptgeon demolishes that assumption with cryptographic architecture where trust is mathematically unnecessary. When you self-host cryptgeon, you're not just running another service; you're asserting control over your data's entire lifecycle, from creation through transmission to guaranteed destruction.
The Rust + Svelte stack delivers performance and security that legacy alternatives cannot match. The Docker deployment is genuinely production-ready in minutes, not hours. The CLI and Raycast integrations respect developer workflows. And the memory-only, zero-persistence design transforms a theoretical security property into an operational reality.
My take? After reviewing dozens of "secure" sharing tools, cryptgeon is the first that made me stop searching. It doesn't ask for trust; it removes the need for it entirely. For teams handling credentials, security research, compliance-sensitive communications, or simply developers who refuse to accept "someone else's server" as an acceptable risk model, this is the tool.
Ready to stop leaking secrets? Deploy cryptgeon today: github.com/cupcakearmy/cryptgeon. The repository includes everything you need: Docker Compose, NGINX and Traefik examples, development setup, and comprehensive documentation. Your future self, the one who didn't have to explain a credential leak in a post-mortem, will thank you.