mkukuljevic/privateburn
1
0
Fork 0
forked from Spearhead/privateburn
Code Pull Requests Activity
privateburn/README.md

2.3 KiB
Raw Blame History

🔥 SecureBurn

A ultra-minimalist, zero-dependency Node.js "PrivateBin" clone. It allows users to share encrypted secrets that self-destruct (burn) immediately after the first access.

🛡️ Security Model: Zero-Knowledge

Encryption: AES-256-GCM encryption happens entirely in the sender's browser.

Privacy: The decryption key is stored in the URL after the # symbol (the fragment identifier).

Blind Storage: Browsers do not send the URL fragment to the server. Therefore, the server only ever sees and stores encrypted binary data. It has no way to read your secrets.

Self-Destruction: The server deletes the encrypted file from the disk the moment it is streamed to a recipient.

🚀 Getting Started

Prerequisites

Node.js (v16.0.0 or higher recommended) No package manager (npm/yarn) is required. For TLS put nginx or haproxy in front.

Installation & Running

Clone or copy the two files (server.js and index.html) into a directory.

Start the server:

node server.js

Access the UI: Open http://localhost:3000 in your browser.

🛠️ Configuration

The application is designed to be plug-and-play. You can modify the constants at the top of server.js:

PORT: The port the server listens on (default: 3000).

DATA_DIR: Where encrypted blobs are stored (default: ./data).

MAX_SIZE_BYTES: Maximum secret size (default: 10MB).

📋 Features

Zero Dependencies: Uses only native Node.js modules (http, fs, crypto, path).

10MB Capacity: Handles large text blocks or small files.

One-Click Copy: Generated links are automatically copied to the clipboard.

Mobile Friendly: Clean, responsive "Chat-style" UI.

Immediate Erasure: Uses fs.unlink to ensure the encrypted file is removed from the filesystem after one read.

⚠️ Important Notes

Persistence: Since it uses the file system, secrets will survive a server restart until they are burned.

HTTPS: To use the Web Crypto API (window.crypto), this app must be served over HTTPS in production (except for localhost).

Todo

  • example of how to use the api, including script to generate the encrypted file
  • add some method to delete secrets that have not been accessed within a certain time frame.
  • add some method to expiry secrets (e.g. when creating, maybe define how long they should be valid for)
  • add progress indicator to UI
  • add rate limited to make abuse harder?