I run a small dev agency in Germany. Every week someone shares database credentials, API keys, or a .env file via Slack or email. Not because they don’t care: because there’s no frictionless alternative.
Vault setups are heavy. Enterprise tools are expensive. I just needed: upload → share link → done. But encrypted before leaving the browser.
So I built SecretDrop.dev.
What it does
Files encrypted client-side (AES-256-GCM, PBKDF2 600k iterations)
Built entirely on WebCrypto
No third-party crypto libraries
Server stores only encrypted blobs
Recipient decrypts in their browser
No account required (password mode)
The server cannot read files, filenames, or passwords.
Premium mode
Encrypt with recipient’s public key (ECIES)
No shared password
Digital signature verifies sender identity
Only intended recipient can decrypt
Why
The real competitor isn’t Vault. It’s “paste in Slack.”
I optimized for:
Zero setup
Dev workflow simplicity
Default secure behavior
Free tier includes encrypted password-protected sharing. No credit card.
I’m exploring:
VSCode extension (right-click .env → share)
CLI tool (secretdrop share .env --expires 24h)
Would this fit your workflow? Any concerns about the crypto model or threat assumptions?
Happy to go deep on the architecture.
Kinrany•1h ago
If you're going to send the link and the password over Slack together, how would that be better than sending directly?
AleksDoesCode•1h ago
You are right, if you share the link and the password via the same (possibly compromised) channel, you are still at risk.
It is still mostly fine if you set the self-destruct to 1 successful download and your coworker acts within minutes.
It would be better if you verbally communicate the password in, e.g., a stand-up call ("Guys, password is <InsertProjectName>+<CoworkerName>").
Second best would be 2 different channels: link per Slack, password per SMS.
Best option: Just tell your coworker to set up an account himself and send him a direct transfer. End2End encrypted, asymmetrically using his public key.