alt/repo
alternative-repository
alt-burner AES-GCM / one-shot vault
ALT

ALT Burner

Compose a one-time encrypted message. The key stays in the URL fragment.

Encrypts locally in your browser (AES-GCM). The server only stores an opaque encrypted blob, and the decryption key never leaves the URL fragment.

Unopened messages are deleted after this time.

The ALT Burner is a focused secure text sharing utility designed to transmit sensitive data with a one-time reveal link. Whether you need to share passwords securely with a colleague or pass along an API key, this tool creates a secret that deletes itself after it is opened.

By splitting the ciphertext and the decryption key, it guarantees zero-knowledge encryption. Even if the backend server is compromised, your data remains mathematically unreadable.

The Math & Cryptography

The system utilizes the industry-standard Advanced Encryption Standard (AES-256) paired with a Hybrid Architecture to create the ultimate burn after reading link:

  • A 256-bit cryptographically secure pseudorandom key is generated locally using native window.crypto.
  • The payload is encrypted via AES-GCM locally within your browser.
  • The unreadable ciphertext is sent to the backend vault, which returns a unique Vault ID.
  • The Vault ID and the Decryption Key are appended to the URL fragment. Browsers strip the URL fragment before HTTP requests, so the server never sees the key.

Frequently Asked Questions

Are these true self-destructing messages?
Yes. The backend secure vault deletes the encrypted ciphertext the moment it is requested. It can only be extracted once. If unread, it automatically purges at the end of its lifespan.
Can my internet provider or server admin see the secret?
No. Because the encryption happens in your browser before transmission, the server only receives an encrypted blob. Without the decryption key, the blob is useless.
What happens if the server restarts before my link is opened?
The server stores only encrypted ciphertext until the link is opened or expires. The decryption key stays in the URL fragment and is not sent to the server, so the stored vault entry cannot be read without the link key.