How It Works

Zero-knowledge.
Burn after reading.

CYPH3RDROP uses end-to-end encryption so that even we cannot read your secrets. Here is exactly How It Works, step by step.

Encryption Flow

Your BrowserAES-256-GCMServerzero knowledgeRecipientbrowser#key fragment — never sent to serverserver never sees plaintext or decryption key

The Process

01

You paste your secret

Your password, API key, or sensitive text goes into the form. It never leaves your browser in plain text.

02

Your browser encrypts it

A unique 256-bit AES-GCM key is generated in your browser. Your secret is encrypted before it is sent anywhere. The key stays with you.

03

We store only ciphertext

The encrypted blob is sent to our server and stored in a database. Without the key, it is meaningless — even to us.

04

You get a one-time link

The link contains the secret ID and your encryption key in the URL fragment. The fragment is never sent to the server.

05

The recipient opens it once

Their browser fetches the encrypted blob and decrypts it locally using the key from the URL. The secret is shown on screen.

06

The secret is permanently destroyed

The moment the link is opened, the encrypted blob is deleted from our database. The link stops working immediately. Gone forever.

Technical note

CYPH3RDROP uses the Web Crypto API built into every modern browser. Encryption runs entirely on your device — no third-party libraries involved. The algorithm is AES-256-GCM with a randomly generated 96-bit IV per secret. Keys are 256 bits, generated fresh for every secret, and never transmitted to the server.

Common Questions

Can CYPH3RDROP read my secret?

No. Your secret is encrypted in your browser before it reaches our servers. We only ever store ciphertext. The decryption key lives in the URL fragment, which is never transmitted to us.

What happens if the link is never opened?

Secrets automatically expire after 7 days and are permanently deleted from our database, whether or not they were ever viewed.

What if someone intercepts the link?

That is why you should share the link through a trusted channel. CYPH3RDROP protects against email threads, Slack logs, and server breaches — but if someone intercepts the link itself, they can open it. Share carefully.

Is AES-256-GCM actually secure?

Yes. AES-256-GCM is used by governments and financial institutions worldwide. It is the gold standard for symmetric encryption. With a randomly generated 256-bit key, a brute-force attack is computationally infeasible.

Do I need an account?

No. CYPH3RDROP requires no sign-up, no email address, and stores no personal information about you. Create a secret and share it — that is all.

Ready to send your first secret?

Create a secret link →