This is a simple utility for trading secrets over public channels.
Rather than create a new secret in 1Password that is visible to a bunch of people on the team and will live there forever, this is useful for passing one-off secrets that can be instantly forgotten. The server remembers nothing from one request to the next. There are no cookies (aside from what a load balancer or gateway app like Teleport might add).
The process has three steps:
How does it work?
The server uses an Elliptic Curve Diffie-Hellman (ECDH) key exchange so that the Requester and the Responder can each independently derive the same encryption key for the symmetric AES-256 encryption. Each party creates a secret key and a public key. If you have one secret key and the other party's public key, you can compute the shared key. But no one who holds neither secret key can learn that shared key, even if they have both public keys.
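As an added illustration (this is example code, not the utility's own source), here is the three-step exchange with the Go standard library: P-256 ECDH to agree on the key and AES-256-GCM to encrypt the secret. The function names, the use of SHA-256 in place of a proper KDF, and binding the responder's public key as associated data are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)
// Response is the responder's document: its public key plus the AES-256-GCM nonce and ciphertext.
type Response struct{ ResponderPub, Nonce, Ciphertext []byte }
// KeyPair makes one party's documents: keep priv secret, pub can be posted anywhere.
func KeyPair() (priv *ecdh.PrivateKey, pub []byte, err error) {
	if priv, err = ecdh.P256().GenerateKey(rand.Reader); err != nil {
		return nil, nil, err
	}
	return priv, priv.PublicKey().Bytes(), nil
}
// gcmFor derives the shared AES-256 key from our private key and the peer's public key (SHA-256 stands in for a KDF here; a production tool would use HKDF) and returns the AEAD.
func gcmFor(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed points
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	return cipher.NewGCM(block)
}
// Respond encrypts the secret for the requester's public key; the responder's own public key is bound as associated data so it cannot be swapped in transit.
func Respond(priv *ecdh.PrivateKey, pub, requesterPub []byte, secret string) (*Response, error) {
	gcm, err := gcmFor(priv, requesterPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	_, _ = rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return &Response{pub, nonce, gcm.Seal(nil, nonce, []byte(secret), pub)}, nil
}
// Decode recovers the secret with the requester's private document; any tampering fails the tag check.
func Decode(priv *ecdh.PrivateKey, r *Response) (string, error) {
	gcm, err := gcmFor(priv, r.ResponderPub)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, r.ResponderPub)
	return string(pt), err
}
```

Only the private key from the requester's KeyPair call can open the response; a third party holding both public documents, or a modified response, gets an error rather than plaintext.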
How secure is it?
The steps all use NIST best-practice encryption tools. The server doesn't remember any information from one request to the next, so there is nothing stored on it for an attacker to steal. However, the process does involve sending the private key over the wire twice (once when the server tells you what it is, and again when you give it back to the server to decode the response). So it's only as secure as the transmission line. Hopefully, this server is secured via HTTPS with proper certificates. It can also be downloaded and run locally. Because it is stateless, the Requester and the Responder don't need to have access to the same server.
In fact, the server itself works as a command-line tool, and that's really the best way of using it. This web server is only provided as a convenience for sharing secrets with people for whom the console is awkward.
This form will make a request for secret information. You will get two request documents: a private one and a public one. You will need to keep the private one safe and secret, but the public one can be posted into Slack or any other public channel.
This form is for responding to a request for secret information. You'll need to paste in the public request as well as the secret. You'll get back a response with your secret encrypted, along with the information the requester needs to decrypt it (but that no one else will be able to use).
Once you get a response, you can paste in the private request you saved and the response document you received, and the secret information will be decoded.
Keep it secret! Keep it safe!
Save this private request document somewhere. You will need it to decode the response. But keep it a secret, because anyone who sees this can also decode the response.
This is the public request. The person who will respond with the secret information will need this, but there is nothing in it that can be used to decrypt the response.
This can be posted in Slack or sent in an email.
This is the response with the encrypted secret. It also has a public key. Not to worry, though: this key cannot be used alone to decrypt the secret. The requester will also need their private request key for that.
Keep it secret! Keep it safe!
This is the secret information that you requested. Make sure to do something responsible with it.