What OneTimePaste is.
OneTimePaste is software that runs on a web server allowing you to send, securely, sensitive data that will be destroyed after it's been read.
Its purpose is achieved in two steps:
- Encrypting all traffic with you and your peer (by using https, and storing the message/file in encrypted form).
- Destroying the message/file you leave as soon as your peer reads it.
OneTimePaste permits sending usernames, passwords, short messages or files in a safer way than unencrypted mail, SMS, wassap,... Because you probably don't encrypt mail, do you? Any sensitive data on an email is as public as it gets. Just Google "NSA email", check EFF's site or search any newspaper.
How does it work?
Once you submit your data, it will be encrypted with a random key and stored in a database with a random identification. Then you'll get a link with both the key and the identification for the message. The key and the link are not stored in the server, so data cannot be unencrypted from the database if you do not have the link to it.
The first time the link is used, data is extracted from the database, unencrypted, presented to the visitor and deleted from the database. Leaving no trace of in the server or for future visitors.
Its secret: it's so small and simple, any (PHP) programmer could audit it.
Getting the software / Download
You should download the code and install it in a server you control. It requires PHP (>= 5.1.0) with mcrypt and mysql support.
Installation is pretty straightforward: uncompress (optionally create a database and configure it) and you're ready to go. There's a README file with the details.
I don't have a server of my own. Can I use OneTimePaste?
You may use someone else's instance of OneTimePaste, but you should trust her since you don't know what the software in her system is doing with your data.
If you're already using Facebook, Gmail, Wassap, PUT_YOUR_CLOUD_SERVICES_HERE, you are already quite OK with sharing sensitive data with people you don't know already :-)
I've got an own installation of OneTimePaste which I use with my friends and clients. Feel free to use it but read the warnings below before using it.
What you should NOT paste in my own installation.
You should not paste anything. You don't know me, you don't know what happens to the information you leave there. That's it.
But you can download the source code, read it a bit (it's short and simple) and run it on your server.
If you decide to use my site, I cannot guarantee what happens to your data, I take NO responsibility of it being delivered, stored, destroyed, changed!, etc.
I repeat, this service/software comes with NO WARRANTY AT ALL.
You should really run it on your server, not on someone else's.
How/when do I use OneTimePaste?
If you need to send something important, that only one other person must know. When you don't want something to remain unencrypted for ever in someone's email client or provider. I use it a lot to send usernames and/or passwords for email accounts, ftp/ssh logins, links to private sites, etc.
You should use it wisely. Don't store enough data in your message so it's useful for a possible attacker. For example:
DO NOT post:
And send the rest (non-sensitive) of the information over email (which I do not control, yet):
Your username is firstname.lastname@example.org and your email server is mail.example.com.
You can get your password at:
You'll get the URL after pasting her message/file at your OneTimePaste instance or in my own installation and it will be shown ONLY to the FIRST visitor.
After the first visit, the data will be ERASED from the system. So, if your peer is the first visitor, she gets her message/file safely. If someone gets there first, your peer will get a huge warning: YOUR DATA HAS BEEN ALREADY COLLECTED. And you both will know someone reads your mail. :-)
Copyright 2014 Alberto Gonzalez Iniesta <agi AT inittab.org>