Step-by-Step Guide
Get Started with SecretDrop
Follow this guide to create your first encrypted bundle, share it securely, and manage access from your dashboard. You will be up and running in minutes.
Before You Begin
Make sure you have the following ready before creating your first bundle.
- A modern web browser with Web Crypto API support (Chrome, Firefox, Safari, or Edge)
- An active email address for account verification
- The files you want to share securely
- Approximately 1-2 minutes to create your first encrypted bundle
Setup Steps
Follow these steps to create and share your first encrypted bundle with SecretDrop.
Create Your Account
Sign up for SecretDrop using your email address. The process takes less than a minute and no credit card is required.
- Visit the signup page and enter your email
- Verify your email address via the confirmation link
- Set a strong account password
Tip: Use a work email if you plan to share bundles with your team. This makes it easier to manage your account and billing later.
Create Your First Bundle
Upload one or more files, set a password, and configure expiry and download limits. SecretDrop encrypts everything client-side before upload.
- Click 'New Bundle' from your dashboard
- Drag and drop files or browse to select them
- Set a strong password for the bundle
- Configure expiry date and maximum download count
Share the Link
SecretDrop generates a unique, shareable link for your bundle. Send the link to your recipient through any channel you trust.
- Copy the generated bundle link
- Share the link with your recipient via email, chat, or any secure channel
- Share the password separately for added security
Tip: For maximum security, send the link and the password through different channels. For example, send the link via email and the password via a messaging app.
Manage Your Bundles
Monitor downloads, check analytics, and revoke access from your dashboard. You have full control over every bundle you create.
- View download counts and access logs from the dashboard
- Revoke bundle access at any time before expiry
- Create new bundles or extend expiry on existing ones
- Delete bundles permanently when no longer needed
Tip: Check your dashboard regularly to monitor who has accessed your bundles. If anything looks unexpected, you can revoke access immediately.
E2E Direct Transfer
PremiumSend encrypted files directly to specific recipients without sharing passwords. Files are encrypted with each recipient's public key and can only be decrypted by them.
Send a Direct Transfer
PremiumSelect Direct Transfer mode when creating a bundle. Enter recipient email addresses, and SecretDrop encrypts files with each recipient's public key.
- Click 'New Bundle' from your dashboard
- Switch to the 'Direct Transfer' tab at the top of the form
- Add files and enter recipient email addresses
- SecretDrop looks up each recipient's public key automatically
- Files are encrypted per-recipient using ECIES (Elliptic Curve Integrated Encryption Scheme)
Tip: Recipients must have a SecretDrop account with an active key pair. If a recipient has not set up their keys, you will see a warning.
Receive and Decrypt
Recipients see incoming bundles in their 'Received' page. Decryption happens entirely in the browser using their private key.
- Open the 'Received' page from the sidebar
- Click 'Decrypt' on the bundle you want to open
- Enter your encryption passphrase if prompted
- Files are decrypted in your browser and downloaded automatically
- Sender signature is verified for authenticity
Manage Passphrase and Recovery
Your private keys are protected by a passphrase. If you signed up with email, your account password is used. OAuth users set a separate encryption passphrase.
- Email users: your account password wraps your private keys automatically
- OAuth users (Google): set an encryption passphrase on first use of Direct Transfer
- Recovery codes are shown once during key generation — save them securely
- Use recovery codes to regain access if you forget your passphrase
- Regenerate recovery codes anytime from Settings
Tip: Store recovery codes in a password manager or print them out. If you lose both your passphrase and recovery codes, your encrypted private keys cannot be recovered.
Password Protected vs Direct Transfer
| Password Protected | Direct Transfer | |
|---|---|---|
| Encryption model | AES-256-GCM with password-derived key (PBKDF2) | ECIES with per-recipient ECDH key agreement + AES-256-GCM |
| How recipient accesses | Via shareable link + password | Automatically appears in recipient's Received page |
| Password sharing needed | Yes — link and password sent separately | No — encrypted with recipient's public key |
| Recipient must have account | No — anyone with the link and password can access | Yes — recipient must be a registered SecretDrop user |
| Sender verification | Not available | ECDSA signature verified on decrypt |
| Plan required | Free or Premium | Premium only |
Key Principles
Keep these security principles in mind when sharing files with SecretDrop.
Encrypt by Default
Every file uploaded to SecretDrop is encrypted client-side before it leaves your browser. There is no unencrypted option.
Minimize Exposure
Set the shortest expiry and lowest download limit that meets your needs. The less time a bundle exists, the smaller the attack surface.
Separate Credentials
Share the bundle link and the password through different channels. This way, intercepting one does not compromise the other.
Revoke When Done
Once your recipient has downloaded the files, revoke access or delete the bundle. Do not leave bundles active longer than necessary.
Quick Reference Checklist
A summary of all the steps in one convenient list. Use this as a reference as you work through the setup.
- 1
Create Your Account
Sign up for SecretDrop using your email address. The process takes less than a minute and no credit card is required.
- 2
Create Your First Bundle
Upload one or more files, set a password, and configure expiry and download limits. SecretDrop encrypts everything client-side before upload.
- 3
Share the Link
SecretDrop generates a unique, shareable link for your bundle. Send the link to your recipient through any channel you trust.
- 4
Manage Your Bundles
Monitor downloads, check analytics, and revoke access from your dashboard. You have full control over every bundle you create.
Best Practices
Follow these recommendations to get the most out of SecretDrop.
Do
- Use strong, unique passwords for each bundle
- Set expiry dates as short as practical
- Send the link and password through separate channels
- Revoke or delete bundles after use
- Review download analytics for unexpected access
- Use Direct Transfer for recipients with SecretDrop accounts
- Save recovery codes in a password manager
Avoid
- Reuse the same password across multiple bundles
- Set unlimited expiry on sensitive bundles
- Share the password and link in the same message
- Leave old bundles active indefinitely
- Ignore download notifications from your dashboard
- Discard recovery codes without saving them
- Forget your encryption passphrase without a backup plan
Guide FAQ
Common questions about creating and sharing encrypted bundles.
- How long does it take to create a bundle?
- Under a minute. Upload your files, set a password and expiry, and the encrypted bundle link is generated immediately.
- Can I update files in an existing bundle?
- No. Bundles are immutable once created. To share updated files, create a new bundle and revoke or delete the old one.
- Do I need technical experience to use SecretDrop?
- No. SecretDrop is designed for developers but requires no cryptography knowledge. The encryption happens automatically in your browser.
- What if I forget the bundle password?
- Passwords are never stored on our servers. If you lose the password, the bundle cannot be decrypted. You will need to create a new bundle.
- When should I use Direct Transfer instead of a password-protected bundle?
- Use Direct Transfer when your recipient has a SecretDrop account. It eliminates the need to share a password separately, and files are encrypted with the recipient's public key for stronger end-to-end security.
- What happens to my private keys if I reset my password?
- After a password reset, your private keys will need to be recovered using your recovery codes. You will be prompted to enter a recovery code on your next login to restore access to your encryption keys.
Related Resources
Explore these resources to deepen your knowledge and get the most out of SecretDrop.
REST API Reference
Programmatic access to SecretDrop for creating and managing encrypted bundles from scripts and CI/CD pipelines.
Explore SecuritySecurity Overview
A detailed explanation of SecretDrop's encryption model, key derivation, and zero-knowledge architecture.
Explore SupportFAQ
Answers to common questions about SecretDrop features, billing, and account management.
ExploreReady to get started?
You have everything you need to start sharing files securely with SecretDrop. Create your free account and follow the steps above.