Don't Eat The Paste
(bare-bones encrypted paste bin)
https://paste.hzrd.us/
A bare-bones encrypted (server-blind) "paste bin"
Features
- Pastes are stored on disk encrypted with AES in EAX mode. The nonce and authentication tag are stored with the ciphertext; the key is not.
- Pastes are assumed to be UTF-8 text and are limited to 512 KB.
- Keys are provided as part of the URL path: https://<site_name>/<paste_id>/<key>
- Raw encrypted pastes may be retrieved by removing the key from the URL.
Non-Features
- Sending you 17 MB of javascript to do code syntax highlighting.
Caveats
Browser history
When creating a paste, you are redirected to the full URL which includes the decryption key. This puts the key in your browser history. This is assumed to be ok as the point of this tiny application is to share text (pastes), not provide a free encrypted storage service.
Proxies
Care should be taken to ensure that any proxy does not log request URIs.
For instance, if using uWSGI, one can set log-format to the default format with the URI replaced by a placeholder, e.g.:
log-format = [pid: %(pid)|app: -|req: -/-] %(addr) (%(user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) <redacted> => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))
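An added example (not part of this project's code): an audit that finds and scrubs keys a front proxy has already written to its access log. It assumes Common Log Format request lines and URL-safe paste ids and keys; the function names and sample lines are constructed for illustration.

```python
import re

# Assumption: the proxy logs the request line as "METHOD /path HTTP/x.y"
# in double quotes (Common/Combined Log Format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)"')

# Assumption: paste ids and keys are URL-safe tokens. The README only fixes
# the path shape /<paste_id>/<key>, not the alphabet.
KEYED_PATH_RE = re.compile(r'^/(?P<paste_id>[\w=-]+)/(?P<key>[\w=-]+)/?$')


def scrub_line(line):
    """Return (scrubbed_line, leaked) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    path = m.group("uri").split("?", 1)[0]
    keyed = KEYED_PATH_RE.match(path)
    if not keyed:
        # "/" (create) and "/<paste_id>" (raw ciphertext) carry no key.
        return line, False
    # Keep the paste id for troubleshooting, drop the key segment.
    safe_uri = "/" + keyed.group("paste_id") + "/<redacted>"
    start, end = m.span("uri")
    return line[:start] + safe_uri + line[end:], True


def audit(lines):
    """Scrub all lines; return (scrubbed_lines, 1-based numbers of leaking lines)."""
    scrubbed, leaks = [], []
    for n, line in enumerate(lines, 1):
        out, leaked = scrub_line(line)
        scrubbed.append(out)
        if leaked:
            leaks.append(n)
    return scrubbed, leaks


# Constructed sample log lines (not from a real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST / HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /a1B2c3/S0meConstructedKey_-= HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /a1B2c3 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    scrubbed, leaks = audit(SAMPLE)
    print("lines that logged a key:", leaks)
    print("\n".join(scrubbed))
```

Any two-segment path matches the key pattern, so other two-segment routes served from the same host would also be flagged and need an allowlist.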