> SecretDrop

Encrypted file sharing for developers.

Share .env files, API keys, and configs through password-protected, expiring bundles. Files are encrypted in your browser before upload.

AES-256-GCM encryption with PBKDF2 key derivation. The server never sees your plaintext data.

Free tier available. No credit card required.

256-bit

AES-GCM encryption

Industry-standard authenticated encryption for file content and metadata.

600K

PBKDF2 iterations

Key derivation iterations for password-based encryption key generation.

0

Plaintext on server

Zero-knowledge architecture. The server never sees your unencrypted files or passwords.

90 days

Maximum TTL

Configurable time-to-live. Bundles are automatically deleted after expiry.

Coming Soon

Your workflow, supercharged

VS Code Extension

Soon

Encrypt and share secrets without leaving your editor.

CLI Tool

Soon

Pipe secrets through your terminal and CI/CD pipelines.

Sharing secrets is a solved problem

Developers still share .env files and API keys through Slack, email, and sticky notes. These channels were not built for sensitive data.

Secrets in Slack and email

API keys and .env files shared in plain text over channels that log, index, and persist everything.

No expiry or access control

Once shared, secrets live forever in chat history. No way to revoke access or know who downloaded them.

No audit trail

When a key leaks, there is no record of who accessed it, when, or how many times it was downloaded.

The solution

How SecretDrop solves this

Encrypt files in your browser, share a link, set an expiry. Recipients enter a password to decrypt. The server never sees your data.

  • Files encrypted in the browser before upload
  • Password-protected access with configurable expiry
  • Automatic deletion after TTL or download limit
  • Full access event log for every bundle

Encrypt → Share → Decrypt

Zero-knowledge architecture

The server stores only encrypted blobs and verification hashes. Decryption happens entirely in the recipient's browser.

Features

Built for sharing secrets

Everything you need to securely share sensitive files with developers, contractors, and team members.

Encryption

Client-side AES-256-GCM encryption

Files are encrypted in your browser using AES-256-GCM before upload. The server only stores encrypted blobs. Keys are derived from your password via PBKDF2 with 600,000 iterations.

Security

Password protection

Each bundle is locked with a password. The server stores only a verification hash, never the password or encryption key.

Policies

Configurable expiry

Set time-to-live from hours to 90 days. Bundles are automatically deleted after expiry. Premium users can set download limits and failed-attempt locking.

Access

Multi-file bundles

Share multiple files in a single encrypted bundle. File names are encrypted alongside content for complete metadata protection.

Analytics

Access event tracking

Premium users can monitor who accessed their bundles, when, and how many times. Every view, attempt, and download is logged.

Pricing

Simple, transparent pricing

Start with the free tier. Upgrade when you need more bundles, larger files, or custom policies.

Free

Free

No credit card required

For individual use and quick secret sharing.

  • 1 active bundle
  • 5 MB per file, 10 MB per bundle
  • 7-day automatic expiry
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits (not included)
  • Failed-attempt locking (not included)
  • Access analytics (not included)

Recommended

Premium

$6.58 /mo save 27%

$79 billed yearly

For teams and developers who share secrets regularly.

  • 25 active bundles
  • 50 MB per file, 100 MB per bundle
  • Up to 90-day TTL
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits
  • Failed-attempt locking
  • Full access analytics

Lifetime

$126 one-time

Pay once, use forever

Permanent Premium access with no recurring charges.

  • 25 active bundles
  • 50 MB per file, 100 MB per bundle
  • Up to 90-day TTL
  • Client-side AES-256-GCM encryption
  • Password protection
  • Custom download limits
  • Failed-attempt locking
  • Full access analytics

What You Get

  • Client-side encryption with AES-256-GCM
  • Password-protected bundles with configurable expiry
  • Automatic cleanup after TTL or download limits
  • Zero-knowledge architecture — the server cannot read your files

What You Do

  • Create a free account — no credit card required
  • Upload your files and set a password
  • Share the generated link with your recipient
  • They enter the password and download — done

Start sharing secrets securely

Create your first encrypted bundle in under a minute. Free tier available, no credit card required.

How it works

Get started in three steps

From file selection to secure delivery in under a minute.

Upload files and set a password

Your Action

Select the files you want to share, set a password, and configure expiry. Files are encrypted in your browser with AES-256-GCM before upload.

  • Drag and drop or select files from your device
  • Key derivation via PBKDF2 with 600,000 iterations
  • Encrypted blobs uploaded to storage — server never sees plaintext

Share the generated link

Your Action

Copy the bundle link and send it to your recipient through any channel — Slack, email, or a note. The link alone reveals nothing.

  • Share the password through a separate channel for added security
  • Optionally set download limits or failed-attempt locking

Recipient enters password to access

Automated

The recipient opens the link, enters the password, and files are decrypted in their browser. No account required.

  • Decryption happens entirely client-side
  • Access events are logged for the bundle owner
  • Bundle auto-expires after TTL or download limit

Our principles

  • Zero-knowledge architecture
  • Client-side encryption
  • Automatic expiry

Expected outcome

Your secrets are shared securely

Files are encrypted, access-controlled, and automatically deleted after expiry.

Use cases

Built for developer workflows

SecretDrop fits into the way developers already share files — but with encryption, expiry, and access control.

Backend Developer

Sharing .env files with contractors

Send environment configurations to freelancers and contractors without exposing credentials in Slack or email.

Credentials shared securely with automatic cleanup after the engagement ends

  • Set expiry to match the contract duration
  • Revoke access instantly when the project is done

DevOps Engineer

Distributing API keys to team members

Share API keys, service account credentials, and access tokens with new team members during onboarding.

New team members get credentials without them persisting in chat history

  • Set download limit to 1 for single-use delivery
  • Monitor access events to confirm receipt

Tech Lead

Sending configs to deployment pipelines

Securely transmit configuration files, certificates, and secrets needed for CI/CD pipeline setup.

Sensitive deployment configs never stored in plain text outside the pipeline

  • Bundle multiple config files in a single link
  • Auto-expire after the deployment window closes

Engineering Manager

Sharing credentials during onboarding

Provide new hires with database passwords, SSH keys, and service credentials on their first day without storing them in shared docs.

Onboarding credentials delivered securely and automatically cleaned up afterward

  • Set short expiry so credentials don't linger after setup
  • Track access to confirm the new hire received everything

Other use cases

SecretDrop works for any scenario where you need to share sensitive files with a link and a password.

Comparison

See the difference

Compare sharing secrets through everyday tools versus a purpose-built encrypted channel.

Without SecretDrop

  • API keys pasted in Slack channels that persist forever
  • .env files attached to emails with no access control
  • Secrets in shared Google Docs visible to anyone with the link
  • No way to know if credentials were forwarded or downloaded
  • Manual rotation after every offboarding or contractor change

Recommended

With SecretDrop

  • Files encrypted in the browser before leaving your device
  • Password-protected access with configurable expiry
  • Automatic deletion after TTL or download limit reached
  • Full access audit log — views, attempts, downloads
  • One-click revocation when access is no longer needed

Why this matters

Exposed credentials are the leading cause of security breaches. The average cost of a data breach involving stolen credentials is significantly higher than other attack vectors.

Why not just use a password manager's sharing feature?

Password managers are built for credential storage, not file sharing. SecretDrop handles multi-file bundles with configurable policies, automatic expiry, and access analytics — without requiring the recipient to install anything or create an account.

  • No recipient account required — just a password and a link
  • Files encrypted client-side, not just in transit
  • Configurable policies: expiry, download limits, attempt locking
  • Open security model with documented encryption approach

Trust & Security

Security by design

SecretDrop is built around a documented security model. Here is how your data is protected.

Client-side encryption

Files are encrypted using AES-256-GCM in your browser before upload. The server receives only encrypted blobs — never plaintext.

PBKDF2 key derivation

Encryption keys are derived from your password using PBKDF2 with 600,000 iterations and SHA-256. Verification hashes use a separate derivation path.

Zero-knowledge architecture

The server stores verification hashes, not passwords or encryption keys. It cannot decrypt your files under any circumstances.

Automatic expiry

Bundles are permanently deleted after their TTL expires. A cleanup job runs every 5 minutes to enforce this.

What happens if the server is compromised?

Even with full database access, an attacker cannot decrypt your files. The encryption key is derived from your password client-side and never leaves your browser. Only a verification hash — derived via a separate path — is sent to the server.

  • Encrypted blobs are useless without the password-derived key
  • Verification hashes use a separate derivation path from encryption keys
  • Bundles auto-expire and encrypted data is permanently deleted
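
The separate derivation paths described above, sketched as an added example. This is not SecretDrop's code, and the page does not publish its construction: one PBKDF2-SHA-256 pass at 600,000 iterations followed by HKDF with two labels is assumed here, and the labels, salt handling and function names are hypothetical.

```javascript
// Added example, not SecretDrop's code. HKDF labels, salt handling and
// function names are assumptions; the page does not publish its construction.
// Browsers expose globalThis.crypto; the fallback covers older Node.js.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const te = new TextEncoder();

// One slow PBKDF2 pass (600,000 x SHA-256), then HKDF with two labels yields
// independent outputs: the AES-256-GCM key and the verifier sent to the server.
async function deriveBundleSecrets(password, salt, iterations = 600000) {
  const pw = await wc.subtle.importKey('raw', te.encode(password), 'PBKDF2', false, ['deriveBits']);
  const master = await wc.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, pw, 256);
  const hk = await wc.subtle.importKey('raw', master, 'HKDF', false, ['deriveKey', 'deriveBits']);
  const hkdf = (label) => ({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: te.encode(label) });
  const aesKey = await wc.subtle.deriveKey(hkdf('example/encrypt'), hk,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
  const verifier = new Uint8Array(await wc.subtle.deriveBits(hkdf('example/verify'), hk, 256));
  return { aesKey, verifier }; // aesKey is non-extractable and stays in the browser
}

// AES-GCM with a fresh 96-bit IV per blob; the IV is stored beside the ciphertext.
async function seal(aesKey, bytes) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  return { iv, ct: await wc.subtle.encrypt({ name: 'AES-GCM', iv }, aesKey, bytes) };
}

// Returns the plaintext string, or null when the GCM tag does not verify.
async function unseal(aesKey, box) {
  try {
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: box.iv }, aesKey, box.ct);
    return new TextDecoder().decode(pt);
  } catch { return null; }
}

async function demo() {
  const password = 'correct horse battery staple'; // constructed sample password
  const salt = wc.getRandomValues(new Uint8Array(16));
  const sender = await deriveBundleSecrets(password, salt);
  const box = await seal(sender.aesKey, te.encode('API_KEY=constructed-sample-value'));
  // The server holds salt, verifier, IV and ciphertext. Treating the verifier
  // as an AES key does not open the blob, because the two outputs are independent.
  const fromVerifier = await wc.subtle.importKey('raw', sender.verifier, 'AES-GCM', false, ['decrypt']);
  const recipient = await deriveBundleSecrets(password, salt);
  return {
    serverSideDecrypt: await unseal(fromVerifier, box),
    recipientDecrypt: await unseal(recipient.aesKey, box),
    // A real server should compare verifiers in constant time.
    verifierMatches: recipient.verifier.every((b, i) => b === sender.verifier[i]),
  };
}
```

In any design of this shape, a stored verifier or the GCM tag itself lets someone holding the database test password guesses offline at the cost of one full derivation per guess, so the protection is bounded by password strength.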

Start sharing secrets securely. Create an encrypted bundle in under a minute.

FAQ

Frequently asked questions

Find answers to the most common questions about SecretDrop.

General

Common questions about SecretDrop.

What is SecretDrop?

SecretDrop is an encrypted file sharing tool for developers. It lets you share .env files, API keys, and configuration files through password-protected, expiring bundles. Files are encrypted in your browser before upload using AES-256-GCM.

Can you read my files?

No. Files are encrypted in your browser before being uploaded. The server only stores encrypted blobs and a password verification hash. The encryption key is derived from your password, which is never sent to or stored on the server.

Do recipients need an account?

No. Recipients only need the bundle link and the password. There is no sign-up, no app to install, and no account required to access shared files.

Security

How SecretDrop protects your data.

What encryption does SecretDrop use?

SecretDrop uses AES-256-GCM for file encryption and PBKDF2 with 600,000 iterations for key derivation. The encryption key and password verification hash use separate derivation paths, so the verification hash cannot be used to decrypt files.

What happens when a bundle expires?

Expired bundles are automatically marked as unavailable and their encrypted files are permanently deleted from storage. A cleanup job runs every 5 minutes to enforce TTL policies.

What if someone guesses the password?

Premium users can enable failed-attempt locking, which permanently locks the bundle after a configurable number of incorrect password attempts. Rate limiting also restricts password verification to 10 attempts per minute.

Pricing

Plans and billing details.

What is included in the free tier?

The free tier includes 1 active bundle, 5 MB per file (10 MB per bundle), and a fixed 7-day expiry. Client-side encryption and password protection are included on all tiers.

What does Premium include?

Premium includes 25 active bundles, 50 MB per file (100 MB per bundle), configurable TTL up to 90 days, custom download limits, failed-attempt locking, and full access analytics. Available at $9/month, $79/year, or $126 lifetime.

Still have questions?

Can't find what you're looking for? We're here to help.

jovanovic@thecodecave.de

We typically respond within 24 hours.
