Looking for script to send AES encrypted, self-deleting messages (self-hosted)
Dear all,
I am looking for a self-hosted solution (Open Source) that does exactly the same as services like e.g. https://nachricht.co.
- You write a message
- The message gets encrypted (256 bit AES for example) and stored on the server
- The script generates a link that you can give to someone else
- That link shows the decrypted message and can only be openend once, the message gets deleted afterwards
Does anyone of you have a hint or idea for me where to look for something like this?
A million thanks & hugs in advance!
Amitz
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.
Thanked by (1)Offshore_Solutions
Tagged:
Comments
Amitz .... why so serious ... .where have you been?
All good, just drowning in work and real-life issues...
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.
normal life ... thats good.
how is your ass health?
Ah, let's not start with my health. But nothing is worse than previously, which is probably already a good thing! I hope the best for you and your ass, too!
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.
we are all good. don't forget we love you... visit us from time to time... we also need to part with you
You can check out PrivateBin.
These three are feasible though JavaScript. Browser generates a key via WebCrypto and uploads encrypted message to the server, and then encode the key in the link.
This one cannot be done cryptographically.
The server can delete the ciphertext file after it's been accessed, but there's no way to prove it's been deleted.
Moreover, nothing prevents the viewer from copying the message, or using their camera to take a picture of the screen.
Only because you said million hugs...maybe this will help...
https://github.com/dutchcoders/transfer.sh/
You did mention self hosted in OP, but
This one is a non-self-hosted SAAS :
https://safenote.co/
And
https://bashupload.com/how_to_upload_file_to_server
VPS reviews | | MicroLXC | English is my nth language.
+1 for PrivateBin (Demo).
I like their dark theme, looks much nicer.
Sending love from Spain, my dude
Hope things will get better soon for you
No need to encrypt pics of your Bratwurst, though. We prefer decrypted
Ympker's Shared/Reseller Hosting Comparison Chart, Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Thank you all (including the million hugs) for your suggestions!
I went with PrivateBin. I am aware of the cons and pros of such a solution and the limited added "security". But a good friend of mine loves to send his notes this way and I thought he would better do that on a server that I control and not on a server that some stranger is hosting on the internet.
Again, thanks a lot and stay as beautiful as you are!
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.
Wait, this puts the decryption key into a newly generated url. How do you transmit the url to the person? By email? I guess if someone else intercepts and uses it, at least the intended recipient will get a link that doesn't work, and figure that something is wrong.
This seems fairly easy to implement using redis or simply in the memory of a running server process, so all the data is kept in ram rather than on disk. I'd do a few things slightly differently. But either way, the ram approach helps with secure deletion, but it means rebooting the system would wipe out any stored messages.
You'd ideally want to use a dedicated server with swapping turned off. @Neoon mentioned Ikoula was hosting Raspberry Pi Zeros for 1€ per month. That's the cheapest dedi I've ever heard of and seems just about right for this application. I don't know if they still have that though.
I wrote a script for secure key deletion that might be useful for this, some years back. If you want, I could try to find a copy and send it to you. It is written in Python with some hooks for storing special key in a separate process or device.
Keep in mind that you also want to protect the "metadata": the sizes and timestamps of the messages you are exchanging, and ideally the fact that you are communicating with the other person at all. The latter is quite hard, but I've for a while wanted to handle the sizes and timestamp issue with a simple chat script or maybe an irc client plug-in. Basically you and the other person would each leave the chat program running, and it would send (say) a 50 character packet every 5 seconds 24/7, that would contain either some encrypted text if you had typed something, or an encrypted header saying you hadn't typed anything. So to an outside observer your behaviour would look exactly the same (a packet of ciphertext every 5 seconds) whether you were typing or not.
I never said, Ikoula is selling 1€ Pi Zeros, they sold RPi4 for 2.49€ which was a limited time offer.
Dataideas sold a 1$ Pi Zero but its also gone now.
Free NAT KVM | Free NAT LXC
Oh I got confused about the pi zero. Oh well. If you have a cheap dedi (kimsufi?) that you're using for some other purpose, this would be a good use for it too. Or if you can use client software that makes things easier too.
If you haven't found anything, this repo might help you find a self-host applications https://github.com/awesome-selfhosted/awesome-selfhosted#pastebins
Freelance Web Developer & Web Designer - Available for hire!
https://privatebin.info/
https://clients.mrvm.net
Privatebin looks cool but doesn't appear to do what was requested, namely delete the message after one viewing. I may try to code something like what I described above (permanently connected clients sending null messages every few seconds) but whenever I think about it, I get stopped by realizing that most users now are connecting with mobile phones rather than plugged-in computers, so they will be offline a lot of the time, and their connectivity patterns will leak the info that was supposed to be protected.
there is the checkbox "burn after reading" that you can set when creating the note.
I have a live site that you can test out. https://paste.mrvm.net/
https://clients.mrvm.net
Sounds it is about "Perfect Forward Secrecy".
Privatebin is not many opportunities to use, but it does not take many resources anyway.
Action and Reaction in history
Thanks to everyone who replied after my last post!
As said, privatebin does the trick for me and is exactly what I was looking for. My friend is happy and now sending his "secret" messages through my server already. Again, thank you all and have a great rest of the week!
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.
Hey Amitz, I really think you should check out privatebin... jk
Glad you found your solution and you and your secret lover had a happy ending
Humble janitor of LES
Proud papa of YABS
I use pigeons.
Just sayin'...
BikeGremlin I/O
Mostly WordPress ™
We were not talking about food
https://clients.mrvm.net
Pigeons are dual-use.
Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
Certified braindead since 1974 and still perfectly happy.