End-to-End Crypto: Secrets

Long-lived data isn’t the only thing that benefits from end-to-end encryption. Sometimes simple, short strings need the same level of protection. This is exactly the case with secrets. The idea is that you encrypt a piece of data on one computer, and it stays securely protected until it’s needed on another. The popular service “One Time Secret” was intermittently offline without notice, so what are the alternatives that you can rely on?

We’ll dig into more details on the topic of secrets below, but if you need a key management solution as part of your application, be sure to read our key management guide.


When dealing with secrets, the “point A” is the creator of an account. The “point B” is another entity that needs to use the secret – this could be a coworker with a shared login or a sever with specific access to a protected resource. These secrets should still be encrypted at rest so any unauthorized parties who gain access cannot use them. Accessing and decrypting this data should be easy for authorized parties.

Let’s review some options for both peer-to-peer secret sharing and secure ways to share secrets with development environments.

Tozny secret sharingTozny’s Secret Sharing

If you’re looking for an alternative to One Time Secret, we’ve just released our one time secret sharing application based on TozStore! The app encrypts a secret in your browser, gives you a link to share it (with an optional password), and decrypts it in the browser of whoever you send the link to. You can also set the number of allowed reads before the secret is deleted.

Check out the details here.

Password Managers

Two of the flagship personal secrets managers on the market today are LastPass and 1Password. Both applications operate under a similar principal: all of your site and application specific passwords are stored encrypted by a single, master password. This is a huge win for consumer grade security, as users won’t have to remember different password for the 90 different accounts they use.

It’s also a win in an enterprise environment; both applications present simple models for sharing passwords between individuals and environments. You store a secret in the system, then provide access to that secret to the rest of your team. No one holds on to the plain text; they all get an encrypted copy of the secret. You also have the ability to audit secrets at any time.

Neither LastPass or 1Password have access to your secrets at any time. Software encrypts everything on the client side, using credentials under your control. At the very worst, the vendors can leak encrypted copies of your data

One-Time Secret – (Update: Down for the count?)

Looking for an alternative to the free One-Time Secret application now that the service has been intermittently offline with no explanation? Most solutions are for enterprise or programmers, not simple web apps. One-Time Secret is open source, so you can easily host it on your own infrastructure, and the code is still available, but it hasn’t been updated in over a year.

Whereas LastPass and 1Password allow for the long-term sharing and coordination of secrets, One-Time Secret allowed for the limited (one-time) sharing of any text data. If you need to send a single credential, securely, from point A to B you could do so using One-Time Secret. The hosted server didn’t store any data permanently. The data also automatically deleted itself once it’s been accessed. You could also proactively encrypt the data with an independent passphrase.


Not every secret you use is a password; some secrets are privileged credentials for programmatic resource access. These secrets might be the API keys for access hosting resources (AWS) or billing services (Stripe). Accidentally leaking these secrets can have hugely detrimental effects on your business.

Unfortunately, password managers are meant to share secrets between individuals. You can’t use a traditional password manager to share secrets between computers or handle secrets used in code.

Luckily, tools like GitCrypt enable transparent encryption and decryption of secrets in a source repository. GitCrypt is a developer tool that will filter files that contain secrets, automatically encrypting the data before writing it to the repository. Assuming proper permissions, GitCrypt automatically decrypts data as needed.  GitCrypt is also open source and available for free.

Amazon KMS

Amazon Key Management Service (KMS) is one of the amazing tools in Amazon’s hosted cloud. You can use KMS to encrypt arbitrary data (a secret or otherwise) with a key hosted on Amazon’s servers. You can later use the same key (again, through Amazon) to decrypt that data when its needed. It’s a good SaaS-based key management solution.

Access to keys is controlled using Amazon’s own Identity and Access Management (IAM) service, giving you reliable control over who has permission to do what with the protected data. Amazon tracks the use of your keys, creating a solid audit trail for data access and secret management.


As useful as Amazon’s KMS utility can be, it’s still a developer utility. This means it’s a solid base for other applications, but not very useful in isolation for managing secrets. Instead, tools like Credstash allow for more user-friendly access to low-level utilities like KMS.

Credstash is a command-line tool that allows for the creation of secure secrets, encrypted with KMS-hosted keys, stored in the cloud. Credstash makes it easy for a development team to securely share passwords with one another or with a server environment. The tool encrypts all data before it’s stored and only decrypts it when needed.

Is it enough?

The principle behind end-to-end encryption is straight-forward: data is stored (or sent) encrypted and can only ever be decrypted when it’s reached its destination. Messages and emails are only decrypted when received. Files are only decrypted when accessed by an authorized party. Passwords are only decrypted when they need to be use to authenticate.

All of the utilities detailed above help ensure data stays safe and secure at all times. Together these pieces add up to a solid approach to protecting your data, even if no one utility is the best solo solution.

Build Your Own?

Tozny’s software development kits help you to build your own end-to-end encrypted applications for secret sharing, private chat, or whatever you can imagine. Check out TozStore and get started with development today.

Series Navigation<< End-to-End Crypto ToolsEnd-to-End Crypto: Secure Email >>