A one-time encrypted zero-knowledge password/secret sharing application focused on simplicity and security. No database or complicated set-up required.

https://flashpaper.io

• PHP 5.4
• Web server
• Linux
• OpenSSL 1.0.1e

Copy contents of this repository to document root of web server

To increase security, disable access logging in your web server's configuration

• Random 32-character password is created
• Submitted text is encrypted with password
• Password is hashed via SHA512
• File created in secrets directory. Name of file is the SHA512 of the random password
• Encrypted version of submitted text is stored inside of created file
• Password is Base64 encoded
• Retrieval URL is created by appending Base64 version of password to end
  • https://flashpaper.io/?k=1a2b3c4d5a6b7c8d9a0b1c2d3a4b5c6d$

• Base64 portion of URL is stripped from URL
• Decode Base64 string to get the decryption password
• Generate SHA512 of the password
• Look for file in secrets that is named the SHA512 that we just generated
• Get text from the file that we found and decrypt it with the password
• Return the decrypted secret text to user
• Delete the file

To suppress the HTML and CSS output so that you just have plain-text results, you'll need to include the 'nostyle' argument in the POST data of each request.

curl -s -X POST -d "nostyle=true&secret=**BASE64 SECRET HERE**" https://flashpaper.io

curl -s -X POST -d "nostyle=true" https://flashpaper.io/?k=1a2b3c4d5a6b7c8d9a0b1c2d3a4b5c6d$

❗ When generating a self-destructing link; the 'secret' variable must be in Base64 encoded format. There are some built-in checks to validate that you haven't forgotten this, but they will not work 100% of the time. If you fail to properly Base64 encode your secret before submission and manage to get a retrieval link returned to you, you WILL get invalid data when that secret is recovered from that link.