Skip to content

Shikhar03Stark/HushKey

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
.github/workflows
.github/workflows
 
 
backend
backend
 
 
frontend/HushKeyWeb
frontend/HushKeyWeb
 
 
infra/k8s
infra/k8s
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

HushKey Web

Backend CI Frontend CI

HushKey is a secure, privacy-first platform for sharing secrets using modern cryptography and a zero-knowledge approach. All encryption and decryption happen in your browser—the server never sees or stores your secret keys.

🚀 Features

  • Zero Knowledge of crypto keys: The server never has access to your secret key. Only encrypted data is stored.
  • Ephemeral Key Encryption: The server generates a temporary encryption key to encrypt your secret, destroys the key in memory after encryption, and only stores the encrypted secret.
  • AES-GCM Encryption: Uses the industry-standard AES-GCM algorithm for strong, authenticated encryption.
  • Fragment-based Key Delivery: The encryption key (keyString) is appended as a fragment in the shareable URL (after #). HTTP clients by design, never send the fragments to the server in any HTTP request.
  • One-Time View: Secrets can be set to self-destruct after being viewed once.
  • Modern Stack:
    • Frontend: React + TypeScript + Vite + TailwindCSS
    • Backend: ASP.NET Core Web API
  • Open Source: GitHub Repo

🛡️ How It Works

  1. Secret Creation

    • Your browser sends the secret securely to the server over HTTPS.
    • The server generates an ephemeral encryption key (using AES-GCM), encrypts your secret, destroys the key in memory, and stores only the encrypted secret.
    • The server returns a reference ID to the encrypted secret, and the keyString appended as a fragment in the shareable URL (e.g.,
      https://hushkey.app/secrets/public/abc123#keyString).

  2. Secret Retrieval

    • When someone opens the link, the browser by design removes the fragment from the HTTP request, which prevents MITM attacks. Server responds with encrypted text based on the secretId.
    • The browser decrypts the secret locally using the keyString present in the fragment part of the url using JS.
    • The server never sees or stores the keyString—privacy is preserved by design.

⚠️ Security Considerations

  • Treat the full URL as sensitive: Anyone with the full URL (including the fragment) can access and decrypt the secret.
  • No server-side revocation: If the URL is leaked, there is no way to revoke access before it hits the TTL (except for one-time view).
  • Client security matters: If the recipient's device is compromised, secrets can be exposed.
  • HTTPS is required: Always use the service over a secure connection.

🤝 Contributing

Contributions, issues, and feature requests are welcome!
Feel free to open an issue or submit a pull request.

📄 License

This project is GNU GPLv3 licensed.

About

Share your secrets 'secretly'

hushkey.devitvish.in/

Topics

security reactjs secret-management aes-gcm asp-net-core hobby zero-knowledge-proof

Resources

Readme

License

GPL-3.0 license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Packages

 
 
 

Contributors

Languages