Securely share a password or note
Send a secret without trusting any single party — including our server. The message is encrypted in your browser, and the key is split so that no one piece can decrypt anything on its own.
Compose
Share
What the recipient sees
PreviewWhen the recipient opens https://youshallnotpass.io/decrypt/… , they enter the passphrase you sent through other channels and decrypt the secret locally in their browser.
How it works
Passphrase generation. Your browser generates 256 random bits for each passphrase (crypto.getRandomValues) and renders them as 13 hyphen-separated groups of four Crockford base32 characters — 52 characters in all. The passphrase itself is the key material — there's no separate encoded key hiding behind it.
Key derivation. Each passphrase is normalized for typing tolerance (case, separators, underscores, and the Crockford look-alikes I/L/O) and then hashed with SHA-256 into a 32-byte share. Those passphrase shares are XOR-combined with one extra random server share to produce the AES-256-GCM key. Changing any non-cosmetic character yields a completely different key, and decryption fails because the AES-GCM auth tag won't verify.
Encryption. Your browser encrypts the secret with that key using AES-256-GCM, with a random per-message IV and the built-in auth tag for tamper detection. The plaintext and the full key never leave your device.
What the server stores. A single row: the ciphertext, the IV, the server share, how many passphrases the key was split into, the expiration, a max view count, a current view counter, and a creation timestamp. The server has no way to derive the AES key from this — it would need the passphrases too, and those only ever exist on the sender's and the recipient's devices (and your clipboard, briefly).
Channel separation. Send the link through your normal channel (Slack, email) and each passphrase through a different one (Signal, WhatsApp). An attacker would have to compromise every channel at once to read the secret.
Lifecycle. Each record has an expiry and a maximum number of decrypt tries. Every Decrypt click makes a fresh server roundtrip — the recipient's browser never caches the ciphertext, IV, or server share between attempts — and the server atomically increments the counter. When the counter hits the limit (or the record has expired), the row is deleted in that same transaction. No recovery after deletion.