Yopass lets you share secrets, passwords, and files securely with end-to-end encryption. Secrets are encrypted in the browser using OpenPGP before being sent to the server — the decryption key never leaves your machine. Each secret gets a one-time URL that expires automatically.
No accounts, no tracking, no plaintext storage. Stop sharing secrets in Slack, email, and ticket systems.
Try the demo | It's recommended to self-host Yopass for sensitive use.
- End-to-end encryption using OpenPGP
- One-time secret viewing
- No accounts or user management
- Configurable expiration (hours, days, or weeks)
- Optional custom password protection
- File upload with streaming encryption
- Multi-language support
- OpenID Connect (OIDC) authentication with email domain restrictions
- Theming and branding (custom themes, logo, app name)
- Compliance audit logging (SOC 2, ISO 27001, GDPR)
- Read receipts — know when a secret was opened
- Webhooks for secret lifecycle events (created, viewed, expired)
See the docs for detailed guides on configuration, theming, OIDC authentication, audit logging, and more.
The quickest way to get Yopass running with TLS and automatic certificate renewal via Let's Encrypt.
- Point your domain to the host where you want to run Yopass
- Edit `deploy/with-nginx-proxy-and-letsencrypt/docker-compose.yml` and replace the placeholder values for `VIRTUAL_HOST`, `LETSENCRYPT_HOST`, and `LETSENCRYPT_EMAIL`
- Start the containers:

```bash
docker-compose up -d
```

Yopass will be available at the domain you configured.
Already have a reverse proxy handling TLS? Use the simpler setup:
```bash
cd deploy/docker-compose/insecure
docker-compose up -d
```

Then point your reverse proxy to `127.0.0.1:80`.
With TLS encryption:
```bash
docker run --name memcached_yopass -d memcached
docker run -p 443:1337 -v /local/certs/:/certs \
    --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211 --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt
```

Yopass will be available on port 443 on all host interfaces. To restrict to localhost, use `-p 127.0.0.1:443:1337`.
Without TLS (requires a reverse proxy for transport encryption):
```bash
docker run --name memcached_yopass -d memcached
docker run -p 127.0.0.1:80:1337 --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211
```

Then point your TLS-terminating reverse proxy to `127.0.0.1:80`.
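A pre-flight check for the two `docker run` variants above, added here as an example and not part of Yopass or its repository: it classifies a command's arguments by whether both TLS flags are present and whether the published port is bound to loopback. The function name `classify_yopass_run` and its output labels are made up for this example.

```bash
# Added example (not Yopass code): classify the arguments of a
# `docker run ... jhaals/yopass ...` command before running it.
# Prints <tls|plain>-<public|loopback|unpublished>; returns 1 for plain-public.
classify_yopass_run() {
    has_key=0; has_cert=0; published=0; exposed=0; prev=""
    for arg in "$@"; do
        spec=""
        case "$arg" in
            --tls-key|--tls-key=*)   has_key=1 ;;
            --tls-cert|--tls-cert=*) has_cert=1 ;;
            --publish=*)             spec=${arg#--publish=} ;;
        esac
        case "$prev" in
            -p|--publish) spec=$arg ;;
        esac
        if [ -n "$spec" ]; then
            published=1
            case "$spec" in
                127.0.0.1:*:*|"[::1]":*:*) ;;  # host side bound to loopback
                *) exposed=1 ;;                # e.g. 443:1337 binds all interfaces
            esac
        fi
        prev=$arg
    done
    # Conservative assumption: TLS counts as on only when both flags are given,
    # as in the page's TLS example.
    if [ "$has_key" -eq 1 ] && [ "$has_cert" -eq 1 ]; then tls=tls; else tls=plain; fi
    if [ "$published" -eq 0 ]; then echo "${tls}-unpublished"; return 0; fi
    if [ "$exposed" -eq 0 ]; then echo "${tls}-loopback"; return 0; fi
    echo "${tls}-public"
    [ "$tls" = tls ]   # non-zero status only for plain-public
}

# Constructed inputs: the page's two variants, then the risky mix of them.
classify_yopass_run -p 443:1337 --memcached=memcached:11211 \
    --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt      # tls-public
classify_yopass_run -p 127.0.0.1:80:1337 --memcached=memcached:11211  # plain-loopback
classify_yopass_run -p 80:1337 --memcached=memcached:11211 ||
    echo "plaintext Yopass port is reachable from the network" >&2
```

Only the `-p SPEC`, `--publish SPEC` and `--publish=SPEC` forms are recognised; a `plain-loopback` result still depends on the reverse proxy in front of it providing TLS.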
```bash
kubectl apply -f deploy/yopass-k8.yaml
kubectl port-forward service/yopass 1337:1337
```

This is a minimal setup to get started. Configure TLS before using in production.
Yopass uses Memcached (default) or Redis as its storage backend. All flags can also be set via environment variable (uppercase, dashes → underscores).
```bash
# Memcached (default)
yopass-server --memcached localhost:11211
# Redis
yopass-server --database redis --redis redis://localhost:6379/0
```

For the full flag reference see yopass.se/docs/server-options. Topic-specific guides:
| Guide | Description |
|---|---|
| TLS / HTTPS | Built-in TLS, Nginx, Caddy, Traefik, Let's Encrypt |
| File Storage | Disk and S3/MinIO backends, size limits |
| Read-Only Mode | Split-instance deployments |
| OpenID Connect | OIDC authentication (license required) |
| Theming & Branding | Custom themes, logo, app name (license required) |
| Metrics | Prometheus, alerting rules, Grafana |
| Audit Logging | NDJSON compliance logging (license required) |
| Read Receipts | Know when a secret was opened (license required) |
| Webhooks | Signed lifecycle event notifications (license required) |
Yopass supports multiple languages via react-i18next. See the current translations. Contributions for new languages are welcome — see this example PR.
Yopass was first released in 2014 and has been maintained with the help of many contributors. It is used by organizations including Spotify, Doddle, and Gumtree Australia.
If you use Yopass and want to support the project, you can give thanks via email, consider donating, or give consent to list your company here.