https://github.com/gonfff/safex

Safe secrets exchange
https://github.com/gonfff/safex

opaque secrets-exchange

Last synced: 5 months ago
JSON representation

Safe secrets exchange

• Host: GitHub
• URL: https://github.com/gonfff/safex
• Owner: gonfff
• License: mit
• Created: 2025-11-09T18:37:05.000Z (7 months ago)
• Default Branch: master
• Last Pushed: 2025-12-14T13:30:07.000Z (6 months ago)
• Last Synced: 2025-12-16T19:53:36.981Z (6 months ago)
• Topics: opaque, secrets-exchange
• Language: Go
• Homepage: https://safex.gonfff.com
• Size: 21.9 MB
• Stars: 3
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# Safex



  Safe secret exchange


  

    

  

  

    

  

  

    

  

  

    

  



Safex is a security‑first secret sharing service that keeps sensitive data with zero server trust. It’s run for real on [Koyeb](https://safex.koyeb.app), so you can try it right now. You can also run your own Docker image from [GHCR](https://github.com/gonfff/safex/pkgs/container/safex), or build it yourself because the entire project is open source.

## Core concepts

- Secrets are encrypted and decrypted locally in the browser with WebAssembly (WASM) before they ever touch the server, so backend compromises never expose cleartext data.

- The recipient must prove knowledge of the PIN via the OPAQUE protocol before any download, blocking offline brute-force attacks and network PIN transmission.

- Expiration policies and view limits ensure every shared secret has a defined lifetime and data will be destroyed automatically after reading or expiry.

## How safety is achieved

- Secrets are encrypted and decrypted locally in the browser with WebAssembly (WASM).

- Secrets are stored encrypted on the server, which has no access to plaintext data.

- Safex does not receive PINs at any point, thanks to the OPAQUE protocol.

- No sensitive information is written to any logs.

- Messages are permanently deleted as soon as they are read or expire.

- An attacker needs both the unique link and the PIN to intercept a message.

- The code is open source and can be audited by anyone.

## Documentation

A full walkthrough is available on the [Docs page](https://gonfff.github.io/safex/).

### Warning

Redis and S3 backends not tested yet!!!

## Usage

1. Create a new secret with text or file, set expiration and choose a PIN.

   ![Create](screenshots/create.png)

2. Share the generated link and PIN with the recipient via separate channels.

   ![Share](screenshots/link.png)

3. The recipient opens the link, enters the PIN, and retrieves the secret.

   ![Retrieve](screenshots/retrieve.png)

4. Read/download/copy the secret before it self-destructs.

   ![Success](screenshots/load.png)