This page allows you to share a secret through a secret sharing link.
The secret is stored in the secret sharing link and not on the server.
A secret sharing link can only be used once.
This secret sharing service is based on AES and RSA encryption. When creating a new secret sharing link, a random key is generated which is used to encrypt the secret using AES. The key itself is then encrypted using RSA. The result of the encryption is URL-safe Base64 encoded and prepended with the URL of this website. When the secret sharing link is called, the URL-safe Base64 encoded message is decrypted and the result of the decryption is displayed on the website. Additionally, the fingerprint of the encrypted message is stored in a database to prevent it from being displayed more than once.
First of all you have to retrieve the correct public key to encrypt your secret:
wget -O "./secrets.pub" "https://secret.hbz-nrw.de/pub?plain"
To create a secret sharing link you have to do certain steps that are decribed here:
All of these steps can be executed using a single shell command:
MESSAGE="message to encrypt" && RSAKEYFILE="./secrets.pub" && URLPREFIX="https://secret.hbz-nrw.de/" && RSAKEYCOUNT="0001" && VERSION="01" && NONCE=$(printf "%016x0000000000000000" "$(date +%s)") && KEY=$(openssl rand -hex 32) && ENCKEY=$(echo -n "enc" | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$KEY" -binary | xxd -p | tr -d "\n") && MACKEY=$(echo -n "mac" | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$KEY" -binary | xxd -p | tr -d "\n") && RSAKEY=$(echo -n "$KEY" | xxd -r -p | openssl rsautl -encrypt -oaep -pubin -inkey "$RSAKEYFILE" -keyform PEM | xxd -p | tr -d "\n") && RSAKEYID=$(openssl rsa -pubin -in "$RSAKEYFILE" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -binary | xxd -p | tr -d "\n") && RSAKEYLENGTH=$(echo -n "$RSAKEY" | xxd -r -p | wc -c) && RSAKEYLENGTH=$(printf "%04x" "$RSAKEYLENGTH") && ENCMESSAGE=$(echo -n "$MESSAGE" | openssl enc -aes-256-ctr -K "$ENCKEY" -iv "$NONCE" -nopad | xxd -p | tr -d "\n") && MACMESSAGE="$VERSION$RSAKEYCOUNT$RSAKEYID$RSAKEYLENGTH$RSAKEY$NONCE$ENCMESSAGE" && MAC=$(echo -n "$MACMESSAGE" | xxd -r -p | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$MACKEY" -binary | xxd -p | tr -d "\n") && FULLMESSAGE="$MACMESSAGE$MAC" && OUTPUT=$(echo -n "$FULLMESSAGE" | xxd -r -p | openssl base64 | tr "+" "-" | tr "/" "_" | tr "\n" "/" | tr -d "=") && OUTPUT="$URLPREFIX$OUTPUT" && echo "$OUTPUT"
...just use the secret sharing form we provide for your convenience.
When using the password-protection feature, the secret is encrypted locally in your browser using AES-256-CTR. The encryption key is derived from the entered password and a dynamically generated salt using the PBKDF2-SHA-256 algorithm. The password-protection feature is implemented using client-side JavaScript. Please beware that a compromised server may serve you JavaScript code that defeats the purpose of the local encryption. If you do not trust the server that provides the secret sharing service, then encrypt your secret with a locally installed application before sharing it.
You can use the following shell command to encrypt a message and be compatible with the browser-based encryption. You will need the additional tool nettle-pbkdf2 for this:
MESSAGE="message to encrypt" && PASSWORD="password" && VERSION="00" && NONCE=$(printf "%016x0000000000000000" "$(date +%s)") && SALT=$(openssl rand -hex 32) && KEY=$(echo -n "$PASSWORD" | nettle-pbkdf2 -i 512000 -l 32 --raw --hex-salt "$SALT" | xxd -p | tr -d "\n") && ENCKEY=$(echo -n "enc" | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$KEY" -binary | xxd -p | tr -d "\n") && MACKEY=$(echo -n "mac" | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$KEY" -binary | xxd -p | tr -d "\n") && ENCMESSAGE=$(echo -n "$MESSAGE" | openssl enc -aes-256-ctr -K "$ENCKEY" -iv "$NONCE" -nopad | xxd -p | tr -d "\n") && MACMESSAGE="$VERSION$SALT$NONCE$ENCMESSAGE" && MAC=$(echo -n "$MACMESSAGE" | xxd -r -p | openssl dgst -sha256 -mac "HMAC" -macopt "hexkey:$MACKEY" -binary | xxd -p | tr -d "\n") && FULLMESSAGE="$MACMESSAGE$MAC" && OUTPUT=$(echo -n "$FULLMESSAGE" | xxd -r -p | openssl base64 | tr -d "\n") && echo "$OUTPUT"