Copying server data from the command-line, safely

Tuesday, Feb 12 2013 posted by delano

All of times I've found myself in a situation where I need to get a little bit of data on to or off of a server somewhere. Copy & paste works in some cases but not always. Another option is a service like Pastebin but it's not cool for sensitive info like config files because even though you can easily forget to delete them when you're done.

That's where a one-time secret comes in: a long, unique URI that only works once.


Our "official" tool is written in Ruby and available via

$ sudo gem install onetime

You can also get it directly from the github repo.

Storing a message

You can create a secret by piping data from another command:

$ history | onetime

Directly from a file:

$ </etc/nginx/nginx.conf onetime

Or by pasting or typing the content in at the prompt:

$ onetime
Paste message here (hit control-D to continue):
Your password is: Two-spots-higher-622

Retrieving a message

$ onetime get rvbkyzn6nylcjcaimot23oehja7zwuv
Your password is: Two-spots-higher-622

Or simply go to the URI and copy the message from there.

Advanced options

Beyond the basic usage, there are some other features that might interest you as well.

Include a passphrase

For very sensitive data you will want to include a passphrase so that even if someone finds the secret link while it's still available, the won't be able to see the message unless they know the passphrase. We include the passphrase in the encryption key which guarantees that only you or the recipient can view the content.

$ onetime generate -p 1234567890

When the secret is retrieved, the passphrase must be identical.

$ onetime get -p bogus 2x7z9i5p4cg9mig890b7esqmv31d7hd
Unknown secret
$ onetime get -p 1234567890 2x7z9i5p4cg9mig890b7esqmv31d7hd

Send the link via email

If you sign up for an account, you can also email the secret link directly to the recipient. You need to set two environment variables to tell onetime what account to use.

$ export ONETIME_CUSTID=example@onetimesecret
$ onetime status
# Host:
# Account:
Service Status: nominal

Then you can send emails directly from the command-line:

$ who | onetime -r
# Secret link sent to: d******

If you want to use this feature regularly, you'll want to set the ONETIME_CUSTID and ONETIME_APIKEY environment variables in your ~/.bashrc file.

Output to json or yaml

You can specify a format using the -f option, like so:

$ last | onetime -f yaml
custid: anon
metadata_key: g4blscedwb8hyxklzvb3q0m3jbbzhir
secret_key: hgar2i4s90kuflwfwr8nep7obng7t3
ttl: 604800
metadata_ttl: 604800
secret_ttl: 604800
state: new
updated: 1360704091
created: 1360704091
recipient: []
passphrase_required: false

Use One-time Secret in your projects

If you want to use one-time secrets in your app or implement a tool in another language, check out the API.

If you have any questions or feature requests, let me know.

Major UI update (with mobile support)

Monday, Feb 04 2013 posted by delano

I worked on a new UI over the weekend and pushed it live today. Thanks to Twitter's Bootstrap framework it's cleaner, easier to use, and works great on small (mobile) screens too. Here are a couple comparisons (old vs new):


Homepage v2 Homepage v3

Created secret

Created secret v2 Created secret v3

Shared secret

Shared secret v2 Shared secret v3

As always, let me know have any issues or suggestions.

One-Time Secret is Now Opensource

Wednesday, Jan 30 2013 posted by delano

Keep sensitive info out of your email & chat logs.

We launched One-Time Secret on November 8th, 2011. Today we're happy to announce the first opensource release of the One-Time Secret codebase under the MIT License. This is something we wanted to do from the very beginning but life and other work got in the way. It's important that we do everything we can to earn and maintain your trust and this is a crucial step in that direction. Also, it's just the right thing to do.

Photo by See-ming Lee

So as of today from the 0.8.1 release, all updates to will be pulled via the upstream public repo.

Bring on the bugs!

We're expecting (and hoping) this will help us discover (and resolve) more bugs. If you find a bug, open a issue. If you have a feature request, you can open an issue for that too.

If you find a security related bug, let us know as soon as you can. We will disclose all serious issues here on this blog.

Business subscription plans are deprecated

We're also announcing the deprecation of our Basic, Professional, and Agency subscription plans. Customers using these plans will be able to continue to use them. (Note: we are still available for custom installs).

What's next

We have a bunch of new stuff planned for this year including some oft-requested new features and a mobile app. Drop me a line if you're interested to help and want to know more.

- Delano


What is a One-Time Secret?

A one-time secret is a link that can be viewed only one time. A single-use URL.

Why would I want to use it?

When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can't be read by someone else later. This allows you to send sensitive information in a safe way knowing it's seen by one person only. Think of it like a self-destructing message.

Share a secret!

Discuss on Hacker News

See the archive for more