Show HN: A simple way to send secrets between teammates (30s.sh)

2 points by dannytatom ↗ HN
hey there.

at every job i’ve had, people paste secrets into Slack and delete them really fast. i wanted a quick, secure way to hand off a credential that wasn’t that, so I built 30s.

it’s a CLI that generates a local keypair and uses envelope encryption so the server never sees plaintext. you send to a recipient’s email, they decrypt locally, and secrets expire automatically (default 30s, maximum 24h).

free to use, 50 secrets/month.

2 comments

[ 4.9 ms ] story [ 29.3 ms ] thread
Source?

I would not trust this as-is. I do not like the `curl | sh` install strategy generally, but especially with something like this it feels sketchy.

> We couldn't read your secrets even if we wanted to.

Yes you can, you got to run a shell script with root privs when the cli was installed. You might only store ciphertext in your DB but skimming the shell script, it's dumping a mystery binary off your digitalocean spaces bucket and giving it all-user execute privs. There is no way to verify that binary isn't skimming my key.