Skip to content

Frojd/onetimesecret

 
 

Repository files navigation

ONE-TIME SECRET - v0.11-RC1 (2021-03-26)

Keep sensitive info out of your email & chat logs.

What is a One-Time Secret?

A one-time secret is a link that can be viewed only once. A single-use URL.

Give it a try!

Why would I want to use it?

When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can't be read by someone else later. This allows you to send sensitive information in a safe way knowing it's seen by one person only. Think of it like a self-destructing message.

Dependencies

  • Any recent Linux (we use Debian, Ubuntu, and CentOS)
  • Ruby 2.2+, 1.9.1+
  • Redis 2.6+

Install Dependencies

Debian

  sudo apt-get update
  sudo apt-get install build-essential
  sudo apt-get install ntp libyaml-dev libevent-dev zlib1g zlib1g-dev openssl libssl-dev libxml2 libreadline-gplv2-dev
  sudo apt-get install ruby redis
  mkdir ~/sources

CENTOS

  sudo yum install gcc gcc-c++ make libtool git ntp
  sudo yum install openssl-devel readline-devel libevent-devel libyaml-devel zlib-devel
  mkdir ~/sources

Install One-Time Secret

  sudo adduser ots
  sudo mkdir /etc/onetime
  sudo chown ots /etc/onetime

  sudo su - ots
  git clone https://github.com/onetimesecret/onetimesecret.git
  cd onetimesecret
  bundle install --frozen
  bin/ots init
  sudo mkdir /var/log/onetime /var/run/onetime /var/lib/onetime
  sudo chown ots /var/log/onetime /var/run/onetime /var/lib/onetime
  mkdir /etc/onetime
  cp -rp etc/* /etc/onetime/
  chown -R ots /etc/onetime /var/lib/onetime
  chmod -R o-rwx /etc/onetime /var/lib/onetime

About git cloning

The instructions above suggest cloning via the https URI. You can also clone using the SSH URI if you have a github account (which is generally more convenient, but specific to github).

With a github account

  ssh -T [email protected]
  Hi delano! You've successfully authenticated, but GitHub does not provide shell access.

Without a github account

  ssh -T [email protected]
  Warning: Permanently added the RSA host key for IP address '0.0.0.0/0' to the list of known hosts.
  [email protected]: Permission denied (publickey).

NOTE: you can also use the etc directory from here instead of copying it to the system. Just be sure to secure the permissions on it

  chown -R ots ./etc
  chmod -R o-rwx ./etc

Update the configuration

  1. /etc/onetime/config
  • Update your secret key
    • Store it in your password manager because it's included in the secret encryption
  • Add or remove locales
  • Update the SMTP or SendGrid credentials
  • Update the from address
    • it's used for all sent emails
  • Update the the limits at the bottom of the file
  1. /etc/onetime/redis.conf
  • The host, port, and password need to match
  1. /etc/onetime/locale/*
  • Optionally you can customize the text used throughout the site and emails
  • You can also edit the :broadcast string to display a brief message at the top of every page

Running

There are many way to run the webapp, just like any Rack-based app. The default web server we use is thin.

To run locally:

  bundle exec thin -e dev -R config.ru -p 7143 start

To run on a server:

  bundle exec thin -d -S /var/run/thin/thin.sock -l /var/log/thin/thin.log -P /var/run/thin/thin.pid -e prod -s 2 restart

Generating a global secret

We include a global secret in the encryption key so it needs to be long and secure. One approach for generating a secret:

  dd if=/dev/urandom bs=20 count=1 | openssl sha256

About

Keep sensitive info out of your email & chat logs.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 38.3%
  • Mustache 27.8%
  • CSS 14.4%
  • JavaScript 12.2%
  • HTML 4.7%
  • PHP 1.6%
  • Other 1.0%