__ _  _ ___    ____ __ __  __ ___    ___ ___  __ ___  ___ ____
 /  \ \( )  _)  (_  _)  )  \/  )  _)  / __)  _)/ _)  ,)(  _)_  _)
( () )  ( ) _)    )(  )( )    ( ) _)  \__ \) _) (_ )  \ ) _) )(
 \__/_)\_)___)   (__)(__)_/\/\_)___)  (___/___)\__)_)\_)___)(__)
                                                      THE BLOG 

All of times I've found myself in a situation where I need to get a little bit of data on to or off of a server somewhere. Copy & paste works in some cases but not always. Another option is a service like Pastebin but it's not cool for sensitive info like config files because even though you can easily forget to delete them when you're done.

That's where a one-time secret comes in: a long, unique URI that only works once.

Installation

Our "official" tool is written in Ruby and available via Rubygems.org:

$ sudo gem install onetime

You can also get it directly from the github repo.

Storing a message

You can create a secret by piping data from another command:

$ history | onetime
https://onetimesecret.com/secret/c5lzg25xeze2ff2sotcf5dbi50k7go9

Directly from a file:

$ </etc/nginx/nginx.conf onetime
https://onetimesecret.com/secret/2r13wmv03abrc2etmeaf4xzjr9xbu3f

Or by pasting or typing the content in at the prompt:

$ onetime
Paste message here (hit control-D to continue):
Your password is: Two-spots-higher-622
^D
https://onetimesecret.com/secret/rvbkyzn6nylcjcaimot23oehja7zwuv

Retrieving a message

$ onetime get rvbkyzn6nylcjcaimot23oehja7zwuv
Your password is: Two-spots-higher-622

Or simply go to the onetimesecret.com URI and copy the message from there.

Advanced options

Beyond the basic usage, there are some other features that might interest you as well.

Include a passphrase

For very sensitive data you will want to include a passphrase so that even if someone finds the secret link while it's still available, the won't be able to see the message unless they know the passphrase. We include the passphrase in the encryption key which guarantees that only you or the recipient can view the content.

$ onetime generate -p 1234567890
https://onetimesecret.com/secret/2x7z9i5p4cg9mig890b7esqmv31d7hd

When the secret is retrieved, the passphrase must be identical.

$ onetime get -p bogus 2x7z9i5p4cg9mig890b7esqmv31d7hd
Unknown secret
$ onetime get -p 1234567890 2x7z9i5p4cg9mig890b7esqmv31d7hd
RmUFWEzqVryR

Send the link via email

If you sign up for an account, you can also email the secret link directly to the recipient. You need to set two environment variables to tell onetime what account to use.

$ export ONETIME_CUSTID=example@onetimesecret
$ export ONETIME_APIKEY=YOURSECRETKEY
$ onetime status
# Host: https://onetimesecret.com/api
# Account: example@onetimesecret.com
Service Status: nominal

Then you can send emails directly from the command-line:

$ who | onetime -r delano@onetimesecret.com
# Secret link sent to: d******@onetimesecret.com

If you want to use this feature regularly, you'll want to set the ONETIME_CUSTID and ONETIME_APIKEY environment variables in your ~/.bashrc file.

Output to json or yaml

You can specify a format using the -f option, like so:

$ last | onetime -f yaml
---
custid: anon
metadata_key: g4blscedwb8hyxklzvb3q0m3jbbzhir
secret_key: hgar2i4s90kuflwfwr8nep7obng7t3
ttl: 604800
metadata_ttl: 604800
secret_ttl: 604800
state: new
updated: 1360704091
created: 1360704091
recipient: []
passphrase_required: false

Use One-time Secret in your projects

If you want to use one-time secrets in your app or implement a tool in another language, check out the API.

If you have any questions or feature requests, let me know.

I worked on a new UI over the weekend and pushed it live today. Thanks to Twitter's Bootstrap framework it's cleaner, easier to use, and works great on small (mobile) screens too. Here are a couple comparisons (old vs new):

Homepage

Created secret

Shared secret

As always, let me know have any issues or suggestions.

Keep sensitive info out of your email & chat logs.

We launched One-Time Secret on November 8th, 2011. Today we're happy to announce the first opensource release of the One-Time Secret codebase under the MIT License. This is something we wanted to do from the very beginning but life and other work got in the way. It's important that we do everything we can to earn and maintain your trust and this is a crucial step in that direction. Also, it's just the right thing to do.

Photo by See-ming Lee

So as of today from the 0.8.1 release, all updates to onetimesecret.com will be pulled via the upstream public repo.

• Code
• Issues
• Wiki (work in progress)
• License

Bring on the bugs!

We're expecting (and hoping) this will help us discover (and resolve) more bugs. If you find a bug, open a issue. If you have a feature request, you can open an issue for that too.

If you find a security related bug, let us know as soon as you can. We will disclose all serious issues here on this blog.

Business subscription plans are deprecated

We're also announcing the deprecation of our Basic, Professional, and Agency subscription plans. Customers using these plans will be able to continue to use them. (Note: we are still available for custom installs).

What's next

We have a bunch of new stuff planned for this year including some oft-requested new features and a mobile app. Drop me a line if you're interested to help and want to know more.

- Delano

--

What is a One-Time Secret?

A one-time secret is a link that can be viewed only one time. A single-use URL.

Why would I want to use it?

When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can't be read by someone else later. This allows you to send sensitive information in a safe way knowing it's seen by one person only. Think of it like a self-destructing message.

Share a secret!

Discuss on Hacker News