Skip to content

scosman/secret_share

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits
.github/workflows
.github/workflows
 
 
cmd/secret_share
cmd/secret_share
 
 
core
core
 
 
tui
tui
 
 
.gitignore
.gitignore
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
install.sh
install.sh
 
 

Repository files navigation

SecretShare logo

Secure One Time Secret Sharing CLI

How it WorksOverview: Security and UseInstallTechnical DetailsUsabilityDemo

Quick Start: Install and Run

curl -fsSL https://raw.githubusercontent.com/scosman/secret_share/main/install.sh | sh
secret_share

Windows Users: run this in Windows Subsystem for Linux (WSL), not PowerShell.

Or check out all install options.

How it works

The whole process takes about 15 seconds:

  1. The receiver runs secret_share, it generates a one-time public key, they send the key to the sender
  2. The sender runs secret_share, pastes in the public key from the receiver, type/paste a secret, it generates an encrypted response they send back
  3. The receiver pastes in the encrypted response and sees the secret
asdf

Overview

It's Easy

  1. Run the app, send one message, paste the response, done.
  2. Send the messages using any chat app: you don't need to trust the communication channel since it never sees the private key.
  3. No complicated security questions, just smart defaults
  4. Cross platform: available for Mac, Windows and Linux

It's Secure

  1. Private key never leaves the senders device
  2. Private key is never written to a file or shown on screen, it is only kept in memory
  3. New random keys for every session
  4. No servers, no one to trust
  5. Uses standard, strong, boring encryption: RSA-OAEP and AES-GCM
  6. Uses golang's standard crypto package (audited)
  7. No dependencies except for offical Google go packages (sys & term)
  8. Open source: build yourself or use public builds with checksums
  9. Tiny: read all the crypto code in about 1 minute or the whole app in about 5 minutes

Install

Automatic Installer

You can install SecretShare with a single command:

curl -fsSL https://raw.githubusercontent.com/scosman/secret_share/main/install.sh | sh

Important: Windows users should run this in Windows Subsystem for Linux (WSL), not PowerShell.

Obviously feel free to download and read the installer script before running! It's downloading the latest offical release from Github.

Install from Source

Run the following to install secret_share from source. You'll need to have golang installed.

go install github.com/scosman/secret_share/cmd/secret_share@latest

Build Integrity

Builds are created on public Github Actions. The build logs include checksums you can validate.

Technical Details

SecretShare is a golang command-line tool. They encryption flow works as follows:

  1. The receiver generates a one-time RSA key pair
  2. The receiver shares only the public key with the sender
  3. The sender uses the public key to encrypt a randomly generated AES key
  4. The sender uses the AES key to encrypt the actual secret with AES-GCM
  5. The sender shares the encrypted data with the receiver
  6. The receiver uses their private key to decrypt the AES key, then decrypts the secret
  7. The app ends, removing the keys from memory

The private key never leaves the receiver's machine and is never exposed to the communication channel.

Using hybrid RSA+AES encryption allows us to share secrets of any length. RSA alone can only encrypt short payloads.

Security note: secret_send does nothing to verify the identity of the person you're sharing with. That is similar to tools which use secret links, but not as robust as something like PGP or Keybase. The tradeoff is ease of setup and complexity.

Being an interactive CLI and not having arguments is an intentional security+usability choice. Other tools like age allow you to generate private key files, but also make it the user's responsibility to securely manage those keys (keeping track of them, deleting them, time-based expiration, etc). SecretSend keeps it simple: no one ever sees the private key, it's never written to disk, and it's cleared from memory as soon as the app ends. This makes it great for one-time secret sharing between people. If you want long-term secret management with long lived keys, check out age.

Usability

  • User friendly TUI: clear questions, instructions, and errors
  • Clipboard support: it automatically copies the keys/encrypted-secret to clipboard at the appropriate time
  • Flexible parsing: don't sweat it if you paste a few extra characters
  • No args: interactive terminal UI walks you through steps, no need to memorize args, no multi-step processes
  • No options/settings: just secure defaults
  • User isn't responsible for security: we don't show them the private key, there's no key files to delete, we don't ask them to choose key-length or algorithms.

Demo GIF

screen cast

License

This project is licensed under the MIT License - see the LICENSE.txt file for details.

About

Secure One Time Secret Sharing CLI

Topics

aes password-manager secret-management secrets rsa api-key

Resources

Readme

License

MIT license
Activity

Stars

18 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 9

v0.6.0 Release Latest
Aug 21, 2025
+ 8 releases

Packages

No packages published

Languages