Traditional pastebins store your data in plaintext. Server admins, hackers, or anyone with database access can read everything you share.
CloakBin is different.
```
┌─────────────────────────────────────────────────────────────────┐
│                       ZERO-KNOWLEDGE FLOW                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   YOUR BROWSER           SERVER             DATABASE            │
│   ────────────           ──────             ────────            │
│                                                                 │
│   "secret msg"                                                  │
│        │                                                        │
│        ▼                                                        │
│   ┌─────────┐                                                   │
│   │ ENCRYPT │  AES-256-GCM                                      │
│   │ locally │  (browser)                                        │
│   └────┬────┘                                                   │
│        │                                                        │
│        ▼                                                        │
│   "a3f8b2c1..." ───────► "a3f8b2c1..." ───► "a3f8b2c1..."       │
│   (ciphertext)           (ciphertext)       (ciphertext)        │
│                                                                 │
│   KEY stays in URL fragment (#)                                 │
│   example.com/p/abc#KEY  ◄── never sent to server               │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
The encryption key lives in the URL fragment (#), which browsers never send to servers. Even if our database is compromised, attackers only get meaningless ciphertext.
| Component | What it sees |
|---|---|
| Your Browser | ✅ Plaintext (you control it) |
| Network/ISP | 🔒 Encrypted ciphertext only |
| CloakBin Server | 🔒 Encrypted ciphertext only |
| Database | 🔒 Encrypted ciphertext only |
| URL Recipient | ✅ Plaintext (they have the key) |
Cryptographic Details:
- Encryption: AES-256-GCM (authenticated encryption)
- Key Derivation: PBKDF2 with 100,000 iterations (for password-protected pastes)
- Random Generation: Web Crypto API (`crypto.getRandomValues`)
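
The flow described above, as an added example that is not CloakBin's own `crypto.ts`: a random AES-256-GCM key encrypts the paste locally, only the IV and ciphertext are uploaded, and the key travels in the URL fragment. The function names, the base64url encoding and the `{ iv, ciphertext }` record shape are assumptions; the password (PBKDF2) path is left out.

```javascript
// Added example, not CloakBin's crypto.ts; names, encoding and record shape are assumptions.
// Web Crypto is a global in browsers and current Node; older Node exposes it via node:crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const b64url = (bytes) =>
  btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(''))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: encrypt locally. `upload` is all the server receives; `fragment` goes after '#'.
async function createPaste(plaintext) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce for every paste
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return {
    upload: { iv: b64url(iv), ciphertext: b64url(new Uint8Array(ct)) },
    fragment: b64url(rawKey),
  };
}

// What an HTTP request for the share link carries: path and query, not the fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient: take the key from the fragment, then decrypt the record fetched from the server.
async function openPaste(shareUrl, stored) {
  const rawKey = unb64url(new URL(shareUrl).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  // Rejects with OperationError if the key is wrong or the stored bytes were altered (GCM tag).
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64url(stored.iv) }, key, unb64url(stored.ciphertext));
  return new TextDecoder().decode(pt);
}

// Simulates a modification of the stored ciphertext on the server or in the database.
function tamper(stored) {
  const bytes = unb64url(stored.ciphertext);
  bytes[0] ^= 1;
  return { ...stored, ciphertext: b64url(bytes) };
}
```
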
- 🔐 Zero-Knowledge Encryption - AES-256-GCM, keys never leave your browser
- 🔑 Password Protection - Optional second layer with PBKDF2
- 🔥 Burn After Read - Self-destructing pastes
- ⏰ Flexible Expiration - 1 hour to never
- 🎨 Syntax Highlighting - 50+ languages auto-detected
- 🚫 No Tracking - No analytics, no cookies, no accounts
- 📱 Responsive - Works on desktop and mobile
```bash
# Clone
git clone https://github.com/Ishannaik/CloakBin.git
cd CloakBin
# Install
pnpm install
# Configure
cp .env.example .env
# Edit .env with your MongoDB URI
# Run
pnpm dev
```

```env
MONGODB_URI=mongodb://localhost:27017/cloakbin
ADMIN_USERNAME=admin
ADMIN_PASSWORD=your-secure-password
```

| Layer | Technology |
|---|---|
| Framework | SvelteKit 2.0, Svelte 5 |
| Language | TypeScript |
| Styling | Tailwind CSS 4.0 |
| Database | MongoDB |
| Encryption | Web Crypto API |
| Editor | CodeMirror 6 |
| Hosting | Vercel |
```
src/
├── lib/
│   ├── components/    # UI components
│   ├── db/            # Database adapters
│   └── crypto.ts      # Encryption (AES-256-GCM, PBKDF2)
├── routes/
│   ├── +page.svelte   # Create paste
│   ├── p/[id]/        # View paste
│   ├── api/           # REST endpoints
│   └── admin/         # Admin dashboard
└── app.html
```
CloakBin is fully open source. Deploy your own instance:
- Fork this repository
- Deploy to Vercel/Netlify/your server
- Set up MongoDB (Atlas free tier works)
- Configure environment variables
PRs welcome! Please:
- Fork the repo
- Create a feature branch
- Make your changes
- Submit a PR
- PrivateBin - Zero-knowledge inspiration
- CodeMirror - Editor component
- Lucide - Icons
GNU Affero General Public License v3.0 (AGPL-3.0) - see LICENSE
If you run a modified version of CloakBin as a network service, AGPL §13 requires you to offer the modified source to your users.
Your secrets deserve real privacy.
Made by Ishan Naik